Adobe said that by expanding its cloud offerings for health care, it lets payors, providers, life sciences and pharma companies create and deliver personalized digital experiences that safely use personal data for “real-time, omnichannel experiences” that comply with HIPAA and leverage many of Adobe’s existing applications, such as Adobe Connect and Adobe Workfront.
Security pros saw these recent moves as positive, though some thought they were more focused on patient experience and bringing in more customers than on any real back-end security initiatives. However, security researchers agreed that none of these cloud efforts can succeed unless the tech companies can deliver secure and reliable access to patient data.
These efforts are about delivering better operations and making the hospital more competitive by providing a better experience for the patient, said Howard Ting, CEO at Cyberhaven. Ting said health care organizations are more focused on bringing in more customers, as opposed to managing risk.
“But ease-of-use and efficiency are not always the bedfellows of good security, so these efforts will need to be well-planned and scrutinized,” Ting said. “The more data moves, the more chance there is to potentially expose protected health information and that's why you see vendors such as Adobe and Salesforce focusing on security. And while these efforts are not being driven by ransomware, ransomware is always a concern. Any system that’s critical for delivering customer experience would certainly be damaging if it were compromised.”
HIPAA was written in a time when email and webpages were the vanguard of technology, said Mike Murray, co-founder and CEO of Scope Security.
“The authors simply couldn't have anticipated how patient data would be used in a ‘digital omnichannel front door strategy for hospitals,’” he said. “And there are consequences. While a credit card can be reissued, a patient's health information is permanent and relevant for life. The solution isn't as simple as reissuing a number and buying identity theft insurance, and these tech companies will have to do the work to ensure that they have the appropriate safeguards.”
"Health-care providers have gone through massive digital transformation in a very short amount of time, which has driven digital transformation and forced them to embrace mobile and cloud-based technologies,” said Hank Schless, senior manager, security solutions at Lookout. Schless added that this was embodied in the mass adoption of telehealth, which became the most viable way for health-care providers to connect with patients during the pandemic. This then presented the challenge of ensuring secure communication and data sharing across managed and unmanaged devices and networks.
“Attackers are leveraging the fact that health-care organizations are under immense pressure and targeting them with customized ransomware campaigns,” Schless said. “Ransomware groups know that health-care systems can’t afford to be offline, so they may have greater success in getting a ransom. Ransomware attacks almost always start by phishing employee log-in credentials that give the attackers better odds of entering the infrastructure unnoticed. Once they compromise the credentials, the attackers will move laterally through the infrastructure, exfiltrate massive amounts of data, and lock the administrators out as they demand their ransom.”
Mohit Tiwari, co-founder and CEO at Symmetry Systems, said health care increasingly happens outside the hospital. Even basic technologies — such as cloud services accessible anywhere via mobile/web — have been held back by EMR/EHR tools that do not make it easy for new services to work with their data.
“But it’s likely that the pandemic has finally pushed the health-care providers to demand new solutions that expand care to their customers — and existing heavyweights, including Salesforce and Adobe, are racing to fill this need,” Tiwari said. “The big opportunity here is not to provide a few 'HIPAA compliant' applications written by Salesforce [and Adobe] but to provide a secure platform — one where security and privacy are built around patients' data and applications are services that by construction are confined to specific purposes on specific data objects.”