How health-tech start-ups should protect against misuse of patient data

Today more than half the world’s population lives in Asia and the region is undergoing tremendous demographic changes. People are better educated, have more disposable income, and are making lifestyle changes. They are also living longer and suffering more from chronic conditions such as obesity, heart disease, and diabetes. These better informed populations are also becoming more concerned with their health and seeking treatment more frequently, which is putting a strain on suppliers of health services. Healthcare demand has already surpassed supply in Asia, and the pressure on healthcare service providers will only continue to increase.

In response, the region’s healthcare industry is becoming a focus for technological innovation, and health tech start-ups are burgeoning. This development is not only due to the digital transformation impacting our daily lives. Governments are also seeking to provide healthcare for each of its citizens. These and other factors are creating a well-established, nurturing environment for start-ups to create innovations that bridge the medical service gaps.

With tech-savvy patients enthusiastically embracing new medical technologies such as telehealth and telemedicine, remote patient monitoring devices, and wearables, the imperative to protect patient information becomes greater.

Safeguarding data in the digital age

Singapore, for example, is the gateway to Asia's technology and healthcare scene, and home to a diverse entrepreneurial community. With its Smart Nation vision, the country aspires to digitally integrate every aspect of business and individual activity to create greater efficiencies. The downside (particularly in healthcare) is that this hyperconnected environment can make valuable patient data vulnerable to security threats - a high prize for hackers who may use this data for malicious purposes. This was underscored last year, when Singapore experienced its largest data breach. In the wake of this, the government halted its Smart Nation projects to review its security. Data breaches can take place at every stop on a patent’s healthcare journey, which is why it is important for all service providers handling patient information to protect their data. For start-ups in the health tech space, it’s important to balance the growth opportunities with data protection.

What can health-tech start-ups do to protect their data?

The worst plan is not to plan at all – and no business wants to be the victim of a breach and face its repercussions. Here are seven essential steps e-health start-ups need to take to improve their security posture.

  1. Defend data through DevOps

Start with the DevOps to ensure that the business processes associated with the technology are secure, that the organization is aware of any security vulnerabilities and is audited. It is imperative to have provisions to guard against network intrusions that lead to unauthorised access attempts in systems, hardware and software. These provisions can be security automation tools and applications that have the potential to greatly improve the efficacy of security systems through machine learned intelligence. Ultimately, it is critical for employees to be aware of security and proactively practise secure procedures.

  1. Ensure ongoing protection

Take steps to monitor and stop data exfiltration – known as the uploading of data to an FTP server or copying into removable disks from a system that has sensitive information. It is also important to monitor and prevent database back ups through a VPN connection, with known malicious sources, and large volume file or folder modifications that could be initiated by bots. Start-ups should also monitor for and thwart sophisticated zero-day attacks exploiting vulnerabilities in enterprise applications by updating security patches, protocols and applications.

  1. Identity management

Teams need access to data from various parts of the organization in order to do their jobs. The approach to protecting that data may vary and needs to be controlled. It is a foundational security component to help ensure users have the access they need, and that systems, data, and applications are inaccessible to unauthorised users. Companies should have two goals in this area:

  • Prevent lateral movements, which are when users have access to specific resources they normally cannot access, as well as unauthorized processes or services in systems that have critical data such as unusual password changes for privileged user accounts.

  • Guard against insider threats from employees that may lead to stolen, lost or modified data.

  1. Automation and Artificial Intelligence (AI)

Start-ups can also leverage the power of AI and machine learning techniques. A Security Information and Event Management (SIEM) tool for efficient incident detection and behaviour profiling incorporates AI and machine learning to enable insights from monitoring and capturing data across routine transactional processes and traffic. The ability to identify anomalies and discrepancies can be significantly enhanced through the use of these tools and capabilities.

  1. Control the privileged identity sprawl

The technology infrastructure has expanded from physical locations to cloud environments clouds, Software as a Service (SaaS) applications and users. As such, the identities and user accounts required to safeguard access to these systems are growing as well. Organisations will need significant, effective programs and the requisite tools to proactively manage privileged access to these systems.

  1. Securing remote access governance

Organisations need to have remote access governance. As the technology infrastructure grows beyond set boundaries, enabling secure access for administrators to the various components is critical for productivity and business continuity. Infrastructure in this sense comprises components and resources like servers, network devices, databases, and applications that are part of the data center. Thus the need is for secure access and governance of the entire remote access process including defining policies, establishing controls, creating approval workflows for access, enforcing a list of allowed actions, monitoring all actions performed, and keeping video records of sessions for forensics.

  1. Cybersecurity needs to be a priority

According to various reports, over 4.5 billion records have been stolen as a result of security breaches. Additionally global estimates suggest healthcare breaches have been responsible for more than 80 million records being compromised. The number of incidents continue to accelerate, growing over 33 percent a year on average, with the Asia-Pacific region suffering about 30 percent of attacks globally.

As digital transformation brings advanced technology and complexity to the world’s most heavily regulated industry, there will be a need for even greater oversight and risk management.

While no one wants to believe a data breach will happen in their organisation, the old adage, “better safe than sorry,” still rings true. The consequences of a data breach can create devastating, long-term consequences for the organisation – namely reputational and financial. Health tech organisations can detect and mitigate many threats by planning and investing more in cyber security; because, reputation matters.