With Healthcare Hacks on the Rise, Do You Know Who Can See Your PHI?

adam-driver-undercover-ren-saturday-night-live-nbcDo you know this man? More importantly, did you know that he might be able to view and even sell your patient’s health data? He works as a system administrator in your new cloud-based health IT solution. The database is encrypted, but he has access to the server and therefore the database encryption key.

What could motivate such cybercrime? That’s easy. Personal health records can sell for as much as $300 each, more than 10 times what credit card numbers sell for. Angry or fired employees go rogue sometimes (see Ashley Madison hack), and there are plenty of curious employees in every company.

This week, it became clear just how the stakes can be when someone accesses private healthcare systems and data. With the news of cyberhackers taking over the computer networks of a California hospital and demanding $5 million (CAD) in Bitcoin to restore the systems, experts are now predicting a rise in cybercrime targeting healthcare.

With Healthcare hacks on the rise, are you sure you know who can see your PHI? Click To Tweet

The world is on the cusp of a new wave of healthcare technology innovation fueled by mobile technology and the Internet. Hundreds of startups are offering software to make medical clinics vastly more efficient and improve quality of care. This is great, but there is a badly needed conversation to be had first. What happens in the worst-case cybertheft scenario, the “inside job”? How do we protect patient data in this era of cloud software with millions of patients in a single database run by private startup? Database encryption and access controls are useless if the culprit has a password and access to the encryption key.

There are ways around this risk; inspiration can be found in the banking industry. When you put your valuables in a safety deposit box, you get your own key so that you, and you alone, can open the box. Having access to the vault as a bank employee isn’t enough.

That’s the underlying secure infrastructure in Ocean. Every clinic creates its own encryption key and never shares it with us, so your patients’ data is unreadable by everybody else, including CognisantMD system administrators. We keep everything securely stored – you keep the key.

We think it’s the only truly secure approach to personal health data in the cloud.

If you are a healthcare professional looking at cloud-based patient solutions, you should be asking the hard questions….Can this guy see your patients’ data?