3 critical steps to protecting patient data

In a world where everything is online, from patient information to medical history, there is a greater need for organisations to carefully consider who can access their systems.

In the past, sensitive patient data has been kept under lock and key – on paper in a filing cabinet. But healthcare data today is becoming digitised, and with the move toward integrated care, organisations across the healthcare continuum are actively encouraged to share it.

However, the risk associated with easy-to-share data and remote use thereof means that a single hack is now possible from unprivileged access, with extremely damaging consequences.

>See also: Why the healthcare industry badly needs a cyber security health check

The storm of data breaches making the headlines over the past two years has shown that firewalls have proven to be largely ineffective at stopping the hacking methods now favoured by cybercriminals, due, in most part, to the evolved nature of enterprise applications themselves.

Putting the right security measures in place is the only way to prevent a breach from occurring. Here are three steps healthcare organisations can take to ensure patient data is kept truly secure.

1. Create a single point of control

Modern methods for protecting networked applications are highly fragmented. In healthcare environments where multiple systems are accessed on a daily basis, it’s often found that each system and network will use different protection methods and access policies to protect a given application end-to-end.

A key requirement for software-defined security is to consolidate these methods and control into a single platform, to allow the security manager to have control over all the shared applications across all domains. With this in place, it becomes easier to view and configure policies to ensure gaps are not left open for hackers to exploit. 

2. Make security application and user specific

Traditional security approaches focus on infrastructure, which can create segregation and boundaries between different physical domains. Instead, modern software-defined security positions the security policies and protection functions around applications and users.

In a hospital environment, this means security policies should be driven by the need for a given user, such as a consultant, junior doctor or nurse, to access a given application, such as patient records or results, based on their role in the enterprise.

Modern cyber security assumes that all networks are essentially untrusted and that no user, device or application can ever be fully trusted, meaning that consistent access policies can be created across users regardless of which network or device is being used.

By adding crypto-segmentation to build secure walls between the identified groups of users and the applications they access, healthcare organisations can ensure that any breach is limited in scope.

3. Construct secure systems from end-to-end

With such sensitive and critical data at stake, it is vital to make sure that sensitive applications are isolated and controlled from end-to-end, no matter where the user is, from the application server to the user’s end-point devices.

To adopt this approach, applications must be segmented, which simply means that an isolation method such as encryption is used to isolate the application flow. However, the essential requirement is to ensure that this cryptographic segmentation stays with the flow along its journey, from the server in the data centre or the Cloud to the user on the Internet or a wireless device.

>See also: 87% of UK healthcare organisations are putting patient data at risk

Healthcare organisations need to make some changes to their security architecture, and they need to do it now. Many organisations assume the firewall is enough and that once a ‘trusted’ device is granted access to a ‘trusted’ network, security is assured.

However, dozens of high-profile breaches across several industries has proven that theory wrong. Once past the firewall, hackers can move laterally to the most sensitive applications. Acting now is vital to prevent breaches.


Sourced from Paul German, VP EMEA, Certes Networks

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Patient records