Safer Internet Day: Managing Data in a Digital Healthcare Ecosystem

Safer Internet Day occurs every February to mark the importance of being responsible and safe online in an increasingly digital world. It aims to reinforce the importance of online safety and responsibility among children and youth — the dominant consumers of digital media today. What originated as a 2004 initiative under the first Safer Internet Action Plan of the EU-funded SafeBorders project, and was then taken up by Insafe (the network of Safer Internet Centres), has now spread its wings beyond its initial geographic boundaries.

Digital Technology in Healthcare

The healthcare industry has rapidly adopted digital technology and transformation to manage the silos of sensitive data it deals with; when exposed, that data can leak confidential information about the individuals concerned. It is therefore essential to secure this data against attack, which is precisely why data security is a critical component of the Health Insurance Portability and Accountability Act (HIPAA) Rules.

Compliance in the healthcare industry is a set of crystal clear requirements — it’s the process of following HIPAA, HITECH and other legal and regulatory requirements relevant to the respective states. It’s about ensuring quality in the services provided to patients, which makes it imperative for organizations to protect PHI (Protected Health Information) and PII (Personally Identifiable Information) from unauthorized use, access or disclosure. The organization must implement controls based on these standards and on the applicable legal and regulatory requirements in order to meet its compliance obligations.

Data security constitutes the technology and processes used to safeguard the Confidentiality, Integrity and Availability (the CIA triad) of information from unauthorized use, access or disclosure. An organization or individual can select controls based on the CIA value of the information — a value that depends on the sensitivity of the data and the possible impact on the CIA triad if it is compromised. For example, data such as financial information, payment card details, and sensitive personal information about individuals has a high CIA value and should be protected with the strongest security controls.

Data Security and Compliance in a Pandemic World

At Omega Healthcare, all protocols are rigidly followed by operating within well-defined physical security perimeters. All information processing zones are protected by two-factor authentication, including biometric devices. Visitors, mobile phones and other media devices are prohibited in these zones, and security guards are stationed at all entry and exit points of these information processing facilities at all times.

But then came 2020: the year of the pandemic, the year that disrupted all norms. As the virus crept into our lives, the bustling traffic and long work commutes faded away, and the physical boundaries between work and home blurred. Thus was born a new norm – Work from Home (WFH), with temporary workstations set up in our homes, often in the vicinity of our families.

While the pandemic and the new norm had various repercussions, their impact on data security and compliance processes in healthcare was metamorphic. According to HIPAA, in the year 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. 2020 saw 642 large data breaches reported by healthcare providers, health plans, healthcare clearinghouses and business associates of those entities – 25% more than 2019, which was itself a record-breaking year. There was also a 71% increase in ransomware attacks on healthcare providers in October, and a further 45% increase in healthcare cyberattacks in the last two months of 2020.

Nitin Gaur (Senior Director, Information Security and Risk & Compliance, Omega Healthcare) comments in retrospect that while remote working has enabled organizations to keep the figurative 'lights on,' it has on the other hand opened up a box of emergent threat sources, and expanded the attack surfaces that have traditionally been quite weak. Personal devices and Wi-Fi networks have brought to the fore an increase in the volume and nature of attacks. The risk of losing data due to attacks is quite high.

Initiatives at Omega

For Omega, data security and compliance have always been of paramount importance. A situation where WFH would be the new mandate was once unfathomable for a huge organization like Omega, considering the compliance requirements. However, the safety of our employees was equally important, and hence the Omega IT and Compliance teams tackled the Herculean task of implementing the compliance and data security controls for all remote users in a limited span of time.

Omega promptly developed a Remote Access/Work from Home policy, and obtained approval from clients to execute this business continuity management plan across the organization. The Omega Admin team delivered endpoints to various parts of the country while Omega’s Compliance team provided training to the remote users. All of Omega’s remote work users are required to sign WFH NDA documents to assure adherence to the compliance requirements. Omega implemented various technology controls to monitor all WFH endpoints and WFH users’ activities in real time. Hardening controls were placed on the endpoints to prevent data movement or transfer by employees. Omega also underwent third-party VAPT (Vulnerability Assessment and Penetration Testing) assessments to ensure every risk is identified and mitigated, despite the move to WFH.

Even in a pandemic world, Omega has successfully fulfilled its clients’ standards, HIPAA, HITECH and other legal and regulatory requirements in a systematic manner. In a post-pandemic world, the industry is likely to retain a permanent remote work policy for at least a fraction of its employees. Remote work removes direct physical supervision, which is why it is important to reinforce a culture of adherence to these protocols in each employee.

Here’s how Omega educates its employees on internet safety:

  • Weekly awareness mailers on information security
  • Fortnightly communications about Omega’s IS policy requirements
  • Phishing simulations conducted at a defined frequency to ensure employees are aware of cyber threats in the industry
  • Various awareness training programs launched on the following:
      > Legal compliance awareness training
      > Remote access policy requirements
      > Compliance awareness training and assessments
  • Audits to ensure all ITGCs (Information Technology General Controls) are in place and to promote information security requirements

On this Safer Internet Day, let’s pledge to be responsible digital citizens, and create a better, safer space online for the generations to come.
