SECURITY INSIGHTS | 25 May 2021
In the healthcare sector, digital solutions are increasingly being used in administration, diagnostics, and treatment. Security and data protection are given top priority in order to promote social acceptance of e-health.
Digitization in the healthcare sector is advancing inexorably. New digital solutions, such as the electronic patient record (ePA), the e-prescription, electronic certificates documenting incapacity to work (eAU), and the digital vaccination certificate, are increasingly replacing their analog equivalents. The smartphone is developing into a centralized health hub providing an interface to doctors, health insurance companies, and hospitals. This far-reaching transformation is enabling immense increases in efficiency: critical health data is available at all times, allowing unnecessary multiple diagnoses and examinations to be avoided when changing doctors or hospitals.
In addition to concrete added value, the basic prerequisite for user acceptance and thus the success of the new e-health solutions is above all trust in the technology. The German Federal Ministry of Health (BMG) wants to strengthen this by imposing strict data protection requirements. The protection of critical patient data is one of the guiding principles of all digital medical solutions and requires IT security at the highest level. For this reason, the German Hospital Future Act (KHZG) ties funding for hospitals to investments in IT security.
Online services are part of everyday life for a large share of the population. If digital health portals do not offer the performance and stability users know from other services, this reflects badly on the providers and on the underlying technology. Even where sensitive data is not endangered as such, a stuttering web presence is enough to significantly weaken trust in an e-health solution. That is why the performance and stability of web portals play a crucial role.
Possible consequences of outages and security incidents:
- Delayed transfer of critical emergency data
- Difficulty prescribing medication in emergency situations
- Superfluous multiple examinations
- Patients do not have access to their own health data
- Fines for data breaches and data leaks
E-health solutions such as the ePA and the digital vaccination certificate are designed to be used by millions of citizens. The associated online portals and interfaces have to work flawlessly, even under heavy use and with unpredictable traffic peaks. Without flexible scalability and overload protection, there is a risk of critical services failing, as was observed with some vaccination portals that were temporarily unable to cope with the immense rush of users.
IT infrastructure is also increasingly exposed to external attacks. Since the beginning of the coronavirus pandemic, the healthcare system and other critical sectors have come under attack more and more often. This is shown both by mitigation data from Myra Security and by studies from Interpol, the German Federal Criminal Police Office (BKA), and the German Federal Office for Information Security (BSI). In its latest Risk Barometer, Allianz ranks cyber incidents, alongside pandemic outbreaks, as the biggest risk to the healthcare sector.
The requirements for data protection and IT security are particularly high for health data and thus also for e-health solutions. This is reflected in Article 9 of the General Data Protection Regulation (GDPR) and the increasingly demanding regulatory requirements of the German Federal Ministry of Health (BMG) and gematik, the Society for Telematics Applications. E-health operators, hospitals, and physicians must therefore address internal data architecture and compliance issues more intensively.
Outsourcing IT security is an efficient alternative to costly in-house operations. If desired, managed service providers can handle the implementation, maintenance, and operation of all necessary security solutions, which eliminates additional expenditure on software, hardware, and personnel. The service provider must nevertheless be selected carefully. Partnerships with U.S. providers have been on shaky ground since the Court of Justice of the EU invalidated the Privacy Shield agreement for transatlantic data transfers in July 2020 (Schrems II): the legal basis is lacking, and data protection provisions are difficult to implement because EU and U.S. law take conflicting positions. These hurdles can be overcome by choosing local providers who are subject to local jurisdiction and meet the highest data protection requirements.