Sachin Nayyar, CEO of Securonix: 5 Critical Considerations for Patient Privacy in Telehealth
Sachin Nayyar, CEO of Securonix, recently penned a byline in HIT Consultant about the 5 critical considerations for patient privacy in telehealth.
Read the excerpt below:
The COVID-19 pandemic has had a tremendous ripple effect across all industries, with one of the most impacted being healthcare. Providers have had to quickly adapt to supporting patients ‘virtually’ in a secure manner, while simultaneously developing procedures to support accurate reporting to government organizations. These changes have placed added pressure on security and privacy professionals, as they struggle to keep up with urgent demand.
Mature healthcare organizations already have stringent policies and procedures in place to remain compliant with government regulatory requirements (e.g., HIPAA, HITECH Act, etc.) and protect patients’ privacy. However, with the new focus on telehealth, unprecedented patient growth, and strict regulations on reporting, the key threats healthcare security and privacy teams need to be able to detect are also evolving:
- Unauthorized access to patient data by employees
- Patient data snooping (by employees, family members, co-workers, etc.)
- Compromised records (unusual access patterns – new locations, multi-location access, etc.)
- Failed logins and download spikes
- Terminated or dormant user accounts being used to gain access
- Accessing discharged patient records or deceased patient records
Identifying these threats and uncovering suspicious patterns or activities, however, is no easy feat. Most security monitoring solutions cannot integrate with and consume electronic medical records (EMR) in a usable format. As a result, these solutions have limited out-of-the-box content, leaving a majority of threat detection engineering to the security operations teams, which are already overwhelmed. Legacy security tools are no longer cutting it, as they use rule-based security event monitoring methods that do not account for the need to protect patient data privacy required by regulations such as HIPAA, HITRUST, and GDPR. They also lack the ability to protect patient data from insider threats, advanced persistent threats, or targeted cyberattacks.
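The threat list in the excerpt maps onto concrete detection rules once EMR audit records are available in a usable format. The following Python is an added example written for this page, not code from the article or from Securonix: it runs simple detectors for five of the listed patterns (terminated or dormant account use, access to discharged or deceased patients' records, multi-location access, download spikes, and failed-login bursts) over a constructed in-memory audit log. The record schema (ts, user, action, patient, location), the user sets, patient statuses, baselines and thresholds are all assumptions for illustration.

```python
"""Added example (not from the article or from Securonix): detectors for the
telehealth threat patterns listed above, run over a constructed EMR access
audit log. Field names, reference data and thresholds are illustrative."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
parse_ts = datetime.fromisoformat  # audit timestamps are ISO 8601 (constructed data, UTC)

# Constructed audit events: one normalized record per EMR access or login attempt.
AUDIT_LOG = [
    # Ordinary clinician activity from a single clinic.
    {"ts": "2024-03-02T09:00:00", "user": "dr_lee", "action": "view", "patient": "P1002", "location": "clinic-A"},
    {"ts": "2024-03-02T09:05:00", "user": "dr_lee", "action": "download", "patient": "P1002", "location": "clinic-A"},
    # Terminated and dormant accounts still reaching patient records.
    {"ts": "2024-03-02T09:10:00", "user": "jdoe", "action": "view", "patient": "P1002", "location": "remote-VPN"},
    {"ts": "2024-03-02T23:30:00", "user": "nurse_old", "action": "view", "patient": "P1002", "location": "remote-VPN"},
    # A patient discharged two days earlier, and a deceased patient.
    {"ts": "2024-03-03T14:00:00", "user": "billing_1", "action": "view", "patient": "P1001", "location": "clinic-A"},
    {"ts": "2024-03-03T14:05:00", "user": "billing_1", "action": "view", "patient": "P1003", "location": "clinic-A"},
    # One account seen from two sites twelve minutes apart.
    {"ts": "2024-03-02T10:00:00", "user": "nurse_kim", "action": "view", "patient": "P1002", "location": "clinic-A"},
    {"ts": "2024-03-02T10:12:00", "user": "nurse_kim", "action": "view", "patient": "P1002", "location": "clinic-B"},
    # Six downloads in one hour from an account whose baseline is one per hour.
    *[{"ts": f"2024-03-02T11:{m:02d}:00", "user": "intern_ray", "action": "download",
       "patient": "P1002", "location": "clinic-A"} for m in range(0, 60, 10)],
    # Six failed logins within a few seconds.
    *[{"ts": f"2024-03-02T12:00:{s:02d}", "user": "dr_lee", "action": "login_fail",
       "patient": None, "location": "remote-VPN"} for s in range(6)],
]

# Constructed reference data that HR, IAM and the EMR would normally feed in.
TERMINATED_USERS = {"jdoe"}
DORMANT_USERS = {"nurse_old"}                      # e.g. no interactive login in 90+ days
PATIENT_STATUS = {                                 # patient -> (status, time of status change)
    "P1001": ("discharged", "2024-03-01T12:00:00"),
    "P1002": ("active", None),
    "P1003": ("deceased", "2024-02-20T08:00:00"),
}
DOWNLOAD_BASELINE = {"dr_lee": 2, "_default": 1}   # expected downloads per user per hour

def detect_disabled_account_use(events, terminated, dormant):
    """Record access by an account HR has terminated or IAM considers dormant."""
    return [e for e in events if e["action"] != "login_fail" and e["user"] in terminated | dormant]

def detect_post_discharge_access(events, status, grace=timedelta(hours=24)):
    """Discharged patient's chart accessed after `grace`, or any access to a deceased patient's chart (review candidates)."""
    hits = []
    for e in events:
        state, when = status.get(e["patient"], (None, None))
        if state == "deceased" or (state == "discharged" and parse_ts(e["ts"]) > parse_ts(when) + grace):
            hits.append(e)
    return hits

def detect_multi_location(events, window=timedelta(minutes=30)):
    """Same account accessing records from different locations within `window`: a common sign of a shared or stolen credential."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] != "login_fail":
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            if a["location"] != b["location"] and parse_ts(b["ts"]) - parse_ts(a["ts"]) <= window:
                hits.append((user, a["location"], b["location"], b["ts"]))
    return hits

def detect_download_spikes(events, baseline, factor=3):
    """Hourly download count for a user exceeding `factor` times that user's baseline."""
    counts = Counter()
    for e in events:
        if e["action"] == "download":
            counts[(e["user"], parse_ts(e["ts"]).replace(minute=0, second=0))] += 1
    return [(user, hour.isoformat(), n) for (user, hour), n in sorted(counts.items())
            if n > factor * baseline.get(user, baseline["_default"])]

def detect_failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """At least `threshold` failed logins for one account inside a sliding `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "login_fail":
            by_user[e["user"]].append(parse_ts(e["ts"]))
    hits = []
    for user, times in by_user.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1)):
            hits.append(user)
    return hits

def run_all(events=AUDIT_LOG):
    return {
        "disabled_account_use": detect_disabled_account_use(events, TERMINATED_USERS, DORMANT_USERS),
        "post_discharge_or_deceased": detect_post_discharge_access(events, PATIENT_STATUS),
        "multi_location": detect_multi_location(events),
        "download_spikes": detect_download_spikes(events, DOWNLOAD_BASELINE),
        "failed_login_bursts": detect_failed_login_bursts(events),
    }

if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, hits)
```

Run it directly to print the findings per detector. In a real deployment the terminated and dormant sets would come from HR and IAM feeds, discharge and death dates from the EMR itself, and download baselines would be learned per user rather than fixed. Every hit is a review candidate rather than a confirmed violation: release-of-information and billing staff legitimately open discharged and deceased patients' charts, so these rules feed an investigation queue, not an automatic block.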