Privacy on the internet is important in all industries, but none more so than the healthcare sector, which handles mass amounts of online health data daily. While any data loss (financial, identification, passwords, etc.) is significant, it can be particularly wrenching to think of one’s personal medical details floating in the cloud, accessible to anyone with the right capabilities.
Whether in adherence to regulations or corporate ethics, healthcare companies have a duty to remain vigilant when it comes to safekeeping personal health records, a task that requires an ongoing commitment.
The healthcare industry's data security shortcomings recently came into sharp focus when they were flagged by the Internet Society's Online Trust Alliance (OTA), a non-profit organization that identifies and promotes security and privacy best practices on the web. Annually, the OTA conducts its Online Trust Audit, which analyzes the security and privacy practices of more than 1,200 organizations in a variety of verticals.
The healthcare vertical, a new sector added this year, included pharmacies, testing labs, insurance companies and hospital chains. And surprisingly, the group had the lowest overall data protection rankings, with only 57% of the sites receiving a high grade.
The low ranking of healthcare paints a concerning image for customers who are used to transmitting health information online. While the sector did rank high in the privacy category, it showed sparse adoption of email authentication, had the second lowest site security score and came in last in use of always-encrypted sessions. These basic protections are crucial to ensure that consumers are less likely to receive phishing messages purported to be from healthcare providers and that data is safeguarded.
In addition to lower rankings overall, the healthcare industry experienced the second-highest level of data breaches, just behind the consumer sector. The number of records lost ranged from a handful to more than 150 million. OTA’s analysis also revealed that 15% of the audited organizations across all verticals experienced one or more incidents, up from 13% in 2017 and 5% in 2016. The threat of breaches is clearly on the rise.
In light of these shortcomings, here are some steps the healthcare industry can take to provide the best possible data protection.
1. Employ email authentication on all communications
This is the area where healthcare organizations had the biggest shortfall. By utilizing email authentication (SPF and DKIM), organizations can help protect their brands and prevent consumers from receiving spoofed and forged email.
Email authentication allows senders to specify who is authorized to send email on their behalf. Building on email authentication protocols, DMARC adds a policy assertion providing receivers direction on how to handle messages that fail authentication. Healthcare websites should utilize all available email authentication tools to ensure safe correspondence.
2. Improve site security
Organizations should implement "Always On SSL" (AOSSL), also known as "HTTPS everywhere", on all web pages to maximize data security and online privacy. One way to enforce this is HTTP Strict Transport Security (HSTS), a response header that instructs browsers to connect to the site only over HTTPS, so that all data exchanged between the site and the device is encrypted.
Organizations should also implement a Web Application Firewall to monitor HTTP conversations and block common attacks such as cross-site scripting (XSS) and SQL injection (only 30% of healthcare sites do this, which is well under the overall average of 71%).
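As an added illustration of the checks described under steps 1 and 2 (an SPF record, a DMARC policy assertion and an HSTS header), not part of the original article: a small Python checker that grades the way an audit of this kind would. The record values, domain names and the one-year minimum max-age are constructed assumptions; DKIM is not checked here because it requires verifying signatures on actual messages.

```python
SPF_RECORD = "v=spf1 include:_spf.mail.example ip4:203.0.113.0/24 -all"  # constructed sample
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org; pct=100"  # constructed
HSTS_HEADER = "max-age=31536000; includeSubDomains; preload"  # constructed sample header

def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC or HSTS) into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    return tags

def spf_status(record):
    """Qualifier of the SPF 'all' term ('+', '-', '~', '?'), 'none' if absent, None if not SPF."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return None
    for term in terms[1:]:
        if term.endswith("all") and term[:-3] in ("", "+", "-", "~", "?"):
            return term[:-3] or "+"  # a bare 'all' means '+all'
    return "none"

def dmarc_policy(record):
    """DMARC 'p' tag in lowercase ('none' assumed if missing), or None if not a DMARC record."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags.get("p", "none").lower()

def hsts_max_age(header):
    """max-age from a Strict-Transport-Security header; 0 if missing or malformed."""
    age = parse_tags(header).get("max-age", "0")
    return int(age) if age.isdigit() else 0

def audit(spf_record, dmarc_record, hsts_header, min_hsts_age=31536000):
    """Return a list of findings; an empty list means all three checks pass (one-year HSTS assumed)."""
    spf, policy = spf_status(spf_record or ""), dmarc_policy(dmarc_record or "")
    findings = []
    if spf is None:
        findings.append("SPF: no v=spf1 record published")
    elif spf in ("+", "none"):
        findings.append("SPF: unlisted senders are not rejected (no -all or ~all)")
    if policy is None:
        findings.append("DMARC: no policy, receivers get no instruction on failures")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, failing mail is still delivered")
    if hsts_max_age(hsts_header or "") < min_hsts_age:
        findings.append("HSTS: header missing or max-age below %d seconds" % min_hsts_age)
    return findings
```

Running `audit(SPF_RECORD, DMARC_RECORD, HSTS_HEADER)` on the constructed records returns an empty list; feeding it real TXT lookups and a captured response header turns it into a quick self-check against the audit's email authentication and always-encrypted criteria.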
3. Implement a vulnerability disclosure mechanism
This is also known as “responsible disclosure” or “coordinated disclosure,” and allows security researchers to report discovered vulnerabilities in a responsible manner. Only 3% of healthcare sites use such a mechanism, either via a form or email address on the website, or through third-party bug bounty programs. By providing this mechanism (and the back-end process to respond to it), companies can address vulnerabilities before they are public.
Healthcare websites need to stay up to date on the latest security protocols available to them when safeguarding customers' medical data, and the protection of this information needs to be an ongoing area of focus for companies that transmit personal information online.