Navigating healthcare data has always been complex, because it requires a high degree of trust between data managers and data controllers. The uniqueness and relative importance of a piece of information determine how cautious we must be in trusting someone with it. Personal Health Information (PHI) and Electronic Health Records (EHR) sit at the top of this list, requiring the utmost trust between the data controller and the data manager before any work can begin.
Compliance with international standards like HIPAA, HITRUST, and ISO/IEC 27001 has, for some time now, ensured that diagnostic, healthcare and pharmaceutical companies and medical researchers secure health records and maintain their integrity effectively, at least in principle. Adhering to these standards in practice, however, is not as simple as it sounds. While these frameworks offer comprehensive guidelines that address the concerns of patients and data controllers, complete conformity without deviation depends on a complex, multi-dimensional ecosystem. This ecosystem involves varied types of data, technology, market conditions and commercial factors, which makes it hard to navigate.
Ensuring robust data security measures isn't just a technical challenge but a strategic imperative. According to IBM Security, data breaches in healthcare are among the most expensive, with an average cost of $10.93 million per incident, far exceeding the $4.45 million average across other industries. However, the financial impact is only a part of the equation. Security breaches often lead to significant consequences, such as loss of patient trust, delays in clinical trials, and interruptions in patient care. These issues have long-term repercussions. Notably, healthcare breaches often remain undetected for around 213 days, exacerbating the disruption to essential research and services. Additionally, the aftermath of a breach often includes reputational harm and heightened regulatory scrutiny, which further strains the affected healthcare organizations and impedes their operations and research efforts.
This article addresses the common concerns regarding data security and privacy. Our goal is to demystify the allied concepts by explaining what needs to be done and why, and to showcase how the security and privacy measures are implemented at Elucidata. This approach ensures development of a reliable and secure infrastructure for storing sensitive healthcare data, as well as making the abstract principles more tangible and actionable.
The principle of Security by Design, as highlighted in the National Institutes of Health’s security best practices, is of utmost significance. This proactive approach to software and system development ensures that security is considered and integrated from the earliest stages of the design process rather than being added as an afterthought. It emphasizes building secure systems from the ground up, so that security is a foundational element rather than a secondary feature. Frameworks like HIPAA, ISO 27001, and GDPR operate on the principle of Security by Design: they call for a security perspective in every aspect of design and govern the products that manage and store PHI/EHR. Elucidata adheres to these standards to ensure that security measures are deeply ingrained in our everyday work, which builds trust in the products and platforms used to manage and store healthcare data.
The following pillars broadly cover a range of security controls laid out by these frameworks:
Think of your workspace as a high-security zone. You wouldn't let just anyone access your research data, right? Similarly, access control measures ensure that only authorized individuals can access sensitive data like PHI/EHR. Each user should have a unique identifier, like a personalized keycard that tracks their activities; this creates accountability. This traceability is like a passport that records a user's journey through different secure areas. It also enables prompt incident response and supports adherence to IT and security policies.
It is also important to have procedures in place that allow access to vital information without compromising security. Additionally, systems should automatically log off users after a period of inactivity. At Elucidata, we use Role-Based Access Control (RBAC) for Polly, which ensures that users can only access what they need. Parts of Polly on AWS use AWS IAM to create policies, roles, and user groups, granting access only as needed.
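The three ideas in the two paragraphs above (a unique identifier per user, deny-by-default role permissions, and automatic log-off after inactivity) fit in a few dozen lines. The block below is an added illustration, not Polly's or Elucidata's code; the roles, permissions, user ids and the 15-minute idle limit are constructed for the example, and the clock is passed in explicitly so the behaviour is reproducible.

```python
"""Added example (not Elucidata/Polly code): a minimal role-based access
control (RBAC) check with a unique identifier per user, deny-by-default
permission lookup, an audit trail of every decision, and automatic session
expiry after inactivity. Roles, users and resources are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed role -> permission mapping. A permission is (action, resource_class).
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "clinician":  {("read", "ehr"), ("write", "ehr")},
    "researcher": {("read", "deidentified")},
    "admin":      {("read", "audit_log"), ("manage", "users")},
}

INACTIVITY_LIMIT_SECONDS = 15 * 60  # constructed policy: log off after 15 idle minutes


@dataclass
class Session:
    user_id: str          # unique identifier per user: the "keycard"
    roles: Set[str]
    last_activity: float  # seconds since epoch; injected so behaviour is deterministic


@dataclass
class AccessController:
    audit_log: List[dict] = field(default_factory=list)

    def is_expired(self, session: Session, now: float) -> bool:
        return now - session.last_activity > INACTIVITY_LIMIT_SECONDS

    def authorize(self, session: Session, action: str, resource_class: str, now: float) -> bool:
        """Allow only if the session is still live AND some role grants (action, resource).
        Anything not explicitly granted is denied."""
        if self.is_expired(session, now):
            decision = "denied:session_expired"
        elif any((action, resource_class) in ROLE_PERMISSIONS.get(r, set())
                 for r in session.roles):
            decision = "allowed"
            session.last_activity = now  # successful activity refreshes the idle timer
        else:
            decision = "denied:no_permission"
        # Every decision, allowed or not, is recorded against the unique user id,
        # which is the trail an incident responder later reads.
        self.audit_log.append({"user": session.user_id, "action": action,
                               "resource": resource_class, "decision": decision, "ts": now})
        return decision == "allowed"


if __name__ == "__main__":
    ctl = AccessController()
    s = Session("u-1001", {"researcher"}, last_activity=1000.0)
    print(ctl.authorize(s, "read", "deidentified", now=1010.0))   # allowed
    print(ctl.authorize(s, "read", "ehr", now=1020.0))            # denied: no permission
    print(ctl.authorize(s, "read", "deidentified", now=2000.0))   # denied: session expired
    for entry in ctl.audit_log:
        print(entry)
```

Two design points worth noting: a denied request does not refresh the idle timer (otherwise a probing client could keep a session alive forever), and the audit entry is written on every path, not only on success.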
Think of your healthcare data as a pristine, high-security warehouse. Inside, every item is carefully cataloged and monitored to make sure that nothing is tampered with or goes missing. Data protection and integrity measures work like the security systems of this warehouse. Data masking acts like concealing certain sensitive items with opaque covers, revealing only what’s necessary for analysis. Meanwhile, checksums or hashing are akin to security tags that alert you if anything has been altered. Digital signatures, much like official stamps of approval, confirm that no unauthorized changes have been made.
At Elucidata, we use AES-256 encryption to secure data at rest. Data in transit is protected with TLS/SSL encryption, which safeguards it against interception. We leverage AWS CloudWatch for data integrity, which provides resource monitoring and event logging capabilities. It also generates real-time alerts to detect potential security threats. Resource usage and account status within the environment are also monitored, supporting data integrity.
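To make the "security tag" and "stamp of approval" analogies concrete, here is an added example (not Elucidata's code) that computes a SHA-256 checksum per record, collects them in a manifest, and protects the manifest itself with an HMAC-SHA256 tag. The tag stands in for the digital signature in the text: it is a keyed MAC, not an asymmetric signature, because the Python standard library has no signing primitive; in production you would sign the manifest with a private key and verify with the public key. The records and the key are constructed for the example.

```python
"""Added example (not Elucidata's code): integrity checking for a batch of
records. Per-record SHA-256 checksums are the "security tags"; an HMAC over
the checksum manifest is the "approval stamp" (a keyed MAC standing in for
an asymmetric digital signature). Records and key are constructed."""
import hashlib
import hmac
import json

# Constructed sample records; contents are illustrative only.
RECORDS = {
    "rec-001": b'{"patient":"P-17","hb":13.2}',
    "rec-002": b'{"patient":"P-42","hb":11.8}',
}
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(manifest: dict) -> bytes:
    # Fixed key order and separators so the same manifest always MACs identically.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(records: dict, key: bytes):
    """Return (manifest, tag): per-record checksums plus a MAC over the whole manifest."""
    manifest = {rid: checksum(blob) for rid, blob in sorted(records.items())}
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return manifest, tag


def verify(records: dict, manifest: dict, tag: str, key: bytes) -> list:
    """Return a list of problems; an empty list means everything checks out."""
    problems = []
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the first differing byte is (timing).
    if not hmac.compare_digest(expected, tag):
        problems.append("manifest tag mismatch: manifest itself may have been altered")
    for rid, digest in manifest.items():
        if rid not in records:
            problems.append(f"{rid}: missing")               # something "went missing"
        elif checksum(records[rid]) != digest:
            problems.append(f"{rid}: content altered")       # something was tampered with
    for rid in records:
        if rid not in manifest:
            problems.append(f"{rid}: not in manifest (unexpected record)")
    return problems


if __name__ == "__main__":
    manifest, tag = build_manifest(RECORDS, INTEGRITY_KEY)
    print("clean:", verify(RECORDS, manifest, tag, INTEGRITY_KEY))
    tampered = dict(RECORDS, **{"rec-002": b'{"patient":"P-42","hb":9.0}'})
    print("tampered:", verify(tampered, manifest, tag, INTEGRITY_KEY))
```

Checksums alone only detect accidental corruption: an attacker who can rewrite a record can recompute its hash. The MAC (or signature) over the manifest is what turns the list of checksums into something an unauthorized party cannot silently replace, provided the key is stored separately from the data.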
Authentication and authorization controls make sure that users are who they claim to be and have the necessary permissions to access sensitive data like PHI/EHR. Multi-factor authentication (MFA) and single sign-on (SSO) are two of the most efficient solutions for organizations to authenticate users within their work environment. MFA requires users to verify their identity using two or more forms, and this adds multiple layers of defense against unauthorized access. On the other hand, SSO allows someone to log in once with a single set of login credentials and access multiple applications or services without needing to re-enter their username and password for each one.
At Elucidata, our application offers both MFA and SSO options for user authentication. Our clients and collaborators can choose their preferred method to ensure employees access Polly securely. Polly’s CLI requires users to present a unique key-value pair as an authenticator for each session. Within our organization, access to business applications like AWS and Jira is restricted to Google SSO, which provides seamless and secure access to multiple applications.
Monitoring and auditing controls track access and activity related to sensitive data like PHI/EHR. This enables detection and investigation of suspicious behavior. Audit logs record access and activities within information systems, and provide a trail similar to surveillance footage that can be reviewed as and when needed. Further, intrusion detection systems (IDS) act like security alarms, alerting administrators to potential unauthorized access attempts. Continuous monitoring of systems and networks helps detect unusual activities or breaches in real time. Moreover, automated alerts can notify administrators of potential security incidents or policy violations.
We utilize AWS Security, Detection, and Analytical services to create our own Security Stack for the parts of Polly that use AWS. For example, Security Hub focuses on compliance and snapshotting the overall security posture of the organization. AWS Inspector is used to automate vulnerability management by continually scanning AWS workloads for software vulnerabilities. GuardDuty acts as our primary Intrusion Detection System, and CloudTrail and CloudWatch logs provide us with auditable logs, which are then fed into our analytical tool to create insights and alerts.
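The "insights and alerts" derived from CloudTrail logs are, at bottom, rules evaluated over a stream of events. The block below is an added example, not Elucidata's security stack or analytical tool: three such rules (repeated console-login failures, a read of a PHI bucket by a principal outside an allow-list, and any call that disables the audit trail) run over a constructed sample log. The event fields follow CloudTrail's names (eventName, userIdentity.arn, sourceIPAddress, requestParameters, responseElements), but every value, the bucket name, the account id and the allow-list are made up for the example.

```python
"""Added example (not Elucidata's code): simple detection rules over
constructed CloudTrail-style events, of the kind an analytics layer derives
from CloudTrail/CloudWatch logs. Field names mirror CloudTrail; all values,
the account id, bucket name and allow-list are constructed."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed principals (example account id 111122223333).
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
PIPELINE = "arn:aws:iam::111122223333:role/phi-pipeline"

PHI_BUCKETS = {"constructed-phi-bucket"}
PHI_ALLOWED_PRINCIPALS = {PIPELINE}          # only this role may read PHI objects
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW_S = 300
AUDIT_TAMPERING_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def _ev(t, name, arn, ip, **extra):
    return dict({"eventTime": t, "eventName": name, "userIdentity": {"arn": arn},
                 "sourceIPAddress": ip}, **extra)

# Constructed sample log: one JSON event per line, as a log shipper would deliver it.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00+00:00", "ConsoleLogin", ALICE, "203.0.113.5",
        responseElements={"ConsoleLogin": "Failure"}),
    _ev("2024-05-01T10:01:00+00:00", "ConsoleLogin", ALICE, "203.0.113.5",
        responseElements={"ConsoleLogin": "Failure"}),
    _ev("2024-05-01T10:02:30+00:00", "ConsoleLogin", ALICE, "203.0.113.5",
        responseElements={"ConsoleLogin": "Failure"}),
    _ev("2024-05-01T10:03:00+00:00", "GetObject", PIPELINE, "10.0.1.20",
        requestParameters={"bucketName": "constructed-phi-bucket", "key": "cohort/p17.json"}),
    _ev("2024-05-01T10:04:00+00:00", "GetObject", BOB, "198.51.100.7",
        requestParameters={"bucketName": "constructed-phi-bucket", "key": "cohort/p17.json"}),
    _ev("2024-05-01T10:05:00+00:00", "StopLogging", BOB, "198.51.100.7",
        requestParameters={"name": "org-trail"}),
    _ev("2024-05-01T10:06:00+00:00", "ConsoleLogin", ALICE, "203.0.113.5",
        responseElements={"ConsoleLogin": "Success"}),
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Return (rule_name, principal) tuples for every rule that fires, in log order."""
    alerts = []
    failures = defaultdict(list)            # principal -> timestamps of recent failures
    for ev in events:
        ts = datetime.fromisoformat(ev["eventTime"]).timestamp()
        principal = ev["userIdentity"]["arn"]
        name = ev["eventName"]
        if name == "ConsoleLogin" and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            recent = [t for t in failures[principal] if ts - t <= FAILED_LOGIN_WINDOW_S]
            recent.append(ts)
            failures[principal] = recent    # sliding window of failures
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated_login_failure", principal))
        elif name == "GetObject" and ev.get("requestParameters", {}).get("bucketName") in PHI_BUCKETS \
                and principal not in PHI_ALLOWED_PRINCIPALS:
            alerts.append(("phi_access_unapproved_principal", principal))
        elif name in AUDIT_TAMPERING_CALLS:
            alerts.append(("audit_trail_tampering", principal))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

The third rule is the one most often forgotten: an alert on calls that stop or delete the trail protects the audit log itself, which is the first thing an intruder with sufficient privileges tends to switch off.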
Secure data management involves controlling the process of storing, transmitting and processing sensitive healthcare data like PHI/EHR in order to protect it from unauthorized access and breaches. Secure protocols like SFTP or HTTPS are used to transfer this data. Database security measures, such as encryption and access controls, ensure that stored sensitive healthcare data is properly protected. Data segregation separates this data from other types of data, which limits access and reduces risk. Techniques like data anonymization and pseudonymization reduce the risk of identifying individuals while maintaining data utility.
Our databases are shielded by firewalls and are accessible only from within the VPC or by system administrators through a secure bastion host, with stringent controls on inbound traffic and SSH access. All interactions with Polly use HTTPS, so all traffic is protected with SSL/TLS. Each of our microservices runs in its own VPC (Virtual Private Cloud), a logically isolated section of the AWS cloud that we can define according to our own requirements.
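The de-identification techniques named above (masking, pseudonymization, anonymization) are easy to confuse, so here is an added example, not Polly's code, that applies each to one constructed patient record. Pseudonymization replaces the patient identifier with a keyed HMAC so the same patient always maps to the same pseudonym without revealing the original; masking hides direct identifiers; generalization of age and ZIP code (two quasi-identifiers) reduces re-identification risk while keeping the values useful for analysis. The key, field names and record are constructed.

```python
"""Added example (not Polly's code): de-identification of a record.
- pseudonymize: keyed HMAC of the patient identifier (stable, not reversible
  without the key, and not brute-forceable the way an unkeyed hash of a small
  identifier space would be)
- mask: hide direct identifiers, keeping only a suffix for eyeballing
- generalize: bucket quasi-identifiers (age band, 3-digit ZIP prefix)
Key, field names and the sample record are constructed."""
import hashlib
import hmac

# Constructed key; in practice it lives in a secrets manager, separate from the data.
PSEUDONYM_KEY = b"constructed-pseudonym-key-keep-separate-from-data"
DIRECT_IDENTIFIERS = {"name", "email", "phone"}


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    digest = hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()
    return "ps-" + digest[:16]


def mask(value: str, keep_last: int = 2) -> str:
    """Replace all but the last `keep_last` characters with '*'."""
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def generalize_age(age: int) -> str:
    # Ages of 90 and over are collapsed into one band, as HIPAA Safe Harbor requires.
    if age >= 90:
        return "90+"
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits of the ZIP code."""
    return zip_code[:3] + "**"


def deidentify(record: dict) -> dict:
    """Return a new record: identifiers pseudonymized/masked, quasi-identifiers generalized,
    everything else (the clinical measurements the analysis needs) passed through."""
    out = {}
    for field_name, value in record.items():
        if field_name == "patient_id":
            out["pseudonym"] = pseudonymize(value)       # original id is dropped
        elif field_name in DIRECT_IDENTIFIERS:
            out[field_name] = mask(value)
        elif field_name == "age":
            out["age_band"] = generalize_age(value)
        elif field_name == "zip":
            out["zip3"] = generalize_zip(value)
        else:
            out[field_name] = value
    return out


if __name__ == "__main__":
    # Constructed sample record.
    sample = {"patient_id": "MRN-0042", "name": "Alice Example", "email": "alice@example.org",
              "age": 93, "zip": "02139", "hb": 13.2}
    print(deidentify(sample))
```

Pseudonymized data is still personal data under GDPR because the key makes re-identification possible; that is why the key must be held separately from the dataset and the pseudonymization step run by a party that is authorized to see the originals. Generalization is what moves a dataset toward anonymization, and it only works if every quasi-identifier is treated, not just the obvious ones.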
System and network security controls protect the systems and networks that store and transmit sensitive healthcare data like PHI/EHR, from unauthorized access and cyber threats. Firewalls act like the fortress walls, controlling and filtering the movement of data based on security policies. Anti-malware and anti-virus software serve as guards, detecting and disabling the malicious software that could compromise such sensitive data.
Secure configuration sets up systems and software securely, disables unnecessary services and applies required security patches. Virtual private networks (VPNs) securely transmit sensitive healthcare data like PHI/EHR over public networks, and also encrypt the data to protect it from eavesdropping and breach.
At Elucidata, AWS WAF is configured to block potential threats, using GuardDuty findings as its feed. All our workstations are managed by advanced anti-virus applications, and this entire approach is centralized for endpoints using our IT management tool and AWS Security Hub.
In a collaborative research environment, one often needs to share data securely across multiple labs and organizations. Federated data access and management involve managing access to sensitive healthcare data like PHI/EHR across different systems and organizations, while still ensuring data security. Federated data access controls allow secure and controlled access to sensitive data across different systems. Data federation services integrate and secure sensitive data from multiple sources, and provide a unified view without duplicating data, much like consolidating research findings from various teams into a cohesive report. Interoperability standards like HL7 or FHIR support secure and seamless data exchange between different healthcare systems. Access control policies in federated environments ensure that only authorized users have access to the relevant data.
Elucidata’s rigorous adherence to these essential technical and developmental controls ensures that its platform, Polly, is built on a robust foundation of security and privacy. These measures not only ensure compliance with key regulations such as HIPAA, ISO 27001, and GDPR but also provide a proactive defense against unauthorized access and data breaches, which in turn safeguards sensitive healthcare information.
Our approach, steeped in the industry's best practices, positions us as a reliable partner for organizations seeking to manage and protect healthcare data. With our security-focused engineering services, we help clients confidently navigate the complexities of securing health data, ranging from access control to advanced encryption and monitoring.
Resources like the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institutes of Health (NIH) offer valuable insights on securing healthcare systems for professionals in need of improved data security strategies. Additionally, organizations such as the International Association of Privacy Professionals (IAPP) provide guidance on navigating data protection regulations. Engaging with these resources not only deepens understanding but also empowers organizations like ours to uphold the highest standards of secure, patient-centric healthcare. In this way, Elucidata’s consistent endeavors are directed at creating and sustaining an ecosystem of data privacy, safety and security at every step of research and discovery.
Connect with us to understand how we can support your research and work in these areas.