Author: Alejandra Korovaichuk
Date: 10th Mar 2023
Keeping personal information safe has become critical, especially in the healthcare industry, where sensitive data is obtained, processed, analyzed, and stored.
Hospitals worldwide rely on the internet for numerous services that require privacy and safety, such as exchanging patient health information or accessing electronic health records. Although it is an extraordinary way to administer information, relying on the web increases the risk of cybersecurity threats. Therefore, it is crucial to have a comprehensive security plan for the entire IT infrastructure to ensure the safety of sensitive data.
At Quibim, we work with extremely sensitive information from human patients, which makes it necessary to comply with data protection regulations and to implement all the appropriate security measures to safeguard their privacy. Firstly, best practices such as strong passwords, regular data backups, employee training, access control, regular risk assessments, and up-to-date security policies and procedures form the first line of data protection, and they must be maintained to stay effective. But these procedures alone may not be sufficient to prevent unauthorized access and data breaches. Therefore, Quibim enforces strict access control and protects sensitive information through Multi-Factor Authentication (MFA) and SAML2 integration, significantly reducing the risk of unauthorized access and data breaches.
All data transmitted through our network is protected by secure communication protocols, specifically HTTPS with TLS 1.2. HTTPS (Hypertext Transfer Protocol Secure), the combination of HTTP and TLS (Transport Layer Security), encrypts and safeguards all traffic and communication between users and our website. Besides encryption, HTTPS provides additional benefits, such as verifying the website's identity to the user and protecting the exchanged content from tampering, so users can trust the entire website.
Besides following this primary set of guidelines and best practices, it is also necessary to adopt a security framework that helps us define security requirements and risk management processes.
HIPAA and ISO/IEC 27001 have emerged as two critical frameworks that organizations can leverage to ensure the security and privacy of sensitive information, mainly personal health information, and mitigate the risk of cybersecurity threats.
One of the key differences between the two frameworks is that HIPAA is US legislation, and thus mandatory, specific to the healthcare industry, and binding on covered entities and their business associates, whereas ISO 27001 is a standard for information security management applicable to any sector globally.
HIPAA, the Health Insurance Portability and Accountability Act, was enacted in the United States in 1996 to improve health insurance coverage and provide privacy and security protections for patient health information. HIPAA created national standards and mandated administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI). ePHI is individually identifiable health information that is created, stored, or transmitted in electronic form.
On the other hand, ISO 27001 provides a comprehensive set of guidelines for information security management that includes confidentiality, integrity, and availability of information. It offers a framework for organizations to manage information security risks and secure their data from unauthorized access.
ISO/IEC 27001 is an internationally recognized standard developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The core philosophy centers around a risk management process: Identify potential risk areas, then apply security controls (or safeguards) systematically to address them. Compliance with ISO 27001 can yield significant benefits, including reputational, motivational, and financial advantages. Users will have increased confidence in protecting their information at the agreed-upon security levels, and supply chain security will improve as well.
HIPAA vs ISO 27001
The two frameworks cover different jurisdictions and scopes. Organizations must comply with both to maintain the trust of their customers, patients, and stakeholders and to avoid costly data breaches and legal liabilities. Quibim has been granted ISO 27001 certification, guaranteeing information encryption during storage and transfer and at the file level. The company also adheres to HIPAA and GDPR for data processing and storage.
Cloud computing is one technology that can help organizations comply with these frameworks. In our case, we adopted a Cloud-Smart approach. This allows us to balance cloud adoption with Quibim's objectives and circumstances, offering a fully automated infrastructure ready to tackle any challenge. Working with a secure, private, and traceable tool is one of the biggest challenges in the healthcare sector, and consequently we chose Microsoft Azure cloud services. The service improved platform access security through the Application Gateway; Azure Kubernetes Services are used to orchestrate and manage the algorithms responsible for the analyses; Azure Storage offers labeling, secure and unlimited clinical data storage (over 100M), and easy management, providing a flexible and cost-effective solution.
All communication inside Azure between the container registry, database, storage, and other components is done through a private network, while traffic between users and the platform is protected by HTTPS/TLS as described above. In short, Azure provides advanced security features such as encryption, threat detection, and access controls to protect data from unauthorized access and data breaches, helping us preserve confidence in our platform and ensuring long-term protection viability.
Automated workflow: Quibim's all-in-one solution provides a secure and accessible platform for healthcare institutions. QP-Link® serves as the connection between the local PACS and the Quibim cloud, de-identifying medical images before they leave the hospital for further analysis. The results are sent back to the hospital information system without human intervention, guaranteeing data privacy and secure communication.
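The de-identification step in the workflow above is where patient identity is separated from the images. The following is an added example, not QP-Link's code and not a description of how QP-Link works internally, of the core transformations such a step applies to DICOM-style header attributes: direct identifiers are dropped, the patient ID becomes a keyed pseudonym, instance UIDs are remapped so studies stay linkable but cannot be traced back to the source system, and dates are shifted by a per-patient offset so intervals between studies survive. The header is modelled as a plain dict of DICOM keywords, the sample header and the site key are constructed placeholders, and the attribute lists are this example's own selection, not a full DICOM de-identification profile.

```python
"""Added example (not QP-Link's code): keyed pseudonymisation of DICOM-style
header attributes before data leaves the hospital network.
Assumes a header is a dict of DICOM keyword -> value and that a site-secret key
(constructed placeholder below) never leaves the premises."""
import hashlib
import hmac
from datetime import date, timedelta

# Attributes that directly identify a person: removed outright (example selection).
DIRECT_IDENTIFIERS = {
    "PatientName", "PatientBirthDate", "PatientAddress", "PatientTelephoneNumbers",
    "OtherPatientIDs", "ReferringPhysicianName", "InstitutionName",
    "OperatorsName", "AccessionNumber",
}
# UIDs must stay consistent across series and instances but must not link back
# to the source system: replaced with key-derived UIDs.
UID_ATTRIBUTES = {"StudyInstanceUID", "SeriesInstanceUID", "SOPInstanceUID",
                  "FrameOfReferenceUID"}
# Dates are shifted by a per-patient offset so intervals between studies survive.
DATE_ATTRIBUTES = {"StudyDate", "SeriesDate", "AcquisitionDate", "ContentDate"}

# Constructed sample header (not real patient data).
SAMPLE_HEADER = {
    "PatientName": "DOE^JANE", "PatientID": "HOSP-000123", "PatientBirthDate": "19700101",
    "InstitutionName": "Example Hospital", "Modality": "MR",
    "StudyInstanceUID": "1.2.826.0.1.3680043.8.1055.1.20230115",
    "SeriesInstanceUID": "1.2.826.0.1.3680043.8.1055.2.20230115",
    "SOPInstanceUID": "1.2.826.0.1.3680043.8.1055.3.20230115",
    "StudyDate": "20230115", "SeriesDate": "20230120",
    "PixelData": b"\x00\x01\x02\x03",
}
SITE_KEY = b"constructed-site-secret-key-placeholder"


def _mac(key: bytes, *parts: str) -> bytes:
    """Domain-separated HMAC so patient, UID and date-shift derivations never collide."""
    return hmac.new(key, "\x1f".join(parts).encode(), hashlib.sha256).digest()


def pseudonym(key: bytes, patient_id: str) -> str:
    """Stable keyed pseudonym: same patient -> same token, not invertible without the key."""
    return "ANON-" + _mac(key, "patient", patient_id).hex()[:16].upper()


def derived_uid(key: bytes, original_uid: str) -> str:
    """Map a UID to a fresh one in the '2.25.<decimal>' form (UUID-derived UID root)."""
    n = int.from_bytes(_mac(key, "uid", original_uid)[:16], "big")
    return f"2.25.{n}"


def date_offset_days(key: bytes, patient_id: str) -> int:
    """Per-patient shift between 1 and 365 days, derived from the key."""
    n = int.from_bytes(_mac(key, "dateshift", patient_id)[:4], "big")
    return 1 + n % 365


def shift_date(yyyymmdd: str, days: int) -> str:
    d = date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:8]))
    return (d - timedelta(days=days)).strftime("%Y%m%d")


def days_between(yyyymmdd_a: str, yyyymmdd_b: str) -> int:
    """Helper used to check that date intervals are preserved after shifting."""
    return (date(int(yyyymmdd_b[:4]), int(yyyymmdd_b[4:6]), int(yyyymmdd_b[6:8]))
            - date(int(yyyymmdd_a[:4]), int(yyyymmdd_a[4:6]), int(yyyymmdd_a[6:8]))).days


def deidentify(header: dict, key: bytes) -> dict:
    """Return a de-identified copy of `header`; pixel data and clinical attributes pass through."""
    offset = date_offset_days(key, header["PatientID"])
    out = {}
    for keyword, value in header.items():
        if keyword in DIRECT_IDENTIFIERS:
            continue
        if keyword == "PatientID":
            out[keyword] = pseudonym(key, value)
        elif keyword in UID_ATTRIBUTES:
            out[keyword] = derived_uid(key, value)
        elif keyword in DATE_ATTRIBUTES:
            out[keyword] = shift_date(value, offset)
        else:
            out[keyword] = value
    # Record that de-identification happened, as DICOM expects (keywords from the standard).
    out["PatientIdentityRemoved"] = "YES"
    out["DeidentificationMethod"] = "keyed pseudonym, UID remap, per-patient date shift"
    return out


if __name__ == "__main__":
    for k, v in deidentify(SAMPLE_HEADER, SITE_KEY).items():
        print(f"{k}: {v!r}")
```

Two caveats a practitioner would check before relying on anything like this: the key is the only thing standing between the pseudonym and the original ID, so it must stay on premises and be rotated under a documented procedure; and header scrubbing does nothing for identifiers burned into the pixel data or carried in private tags, which need their own handling.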
Medical imaging is a remarkable technological advancement that has transformed the diagnosis and treatment of diverse medical conditions. Nevertheless, it is also part of a highly vulnerable system, since the healthcare sector is a prime target for cyber-attacks. Hence, ensuring robust data protection measures is vital to protecting patient information and should be a top priority for all stakeholders working in the field.
"Data is a precious thing and will last longer than the systems themselves." This quote by Tim Berners-Lee, the inventor of the World Wide Web, highlights the value of data in today's world. Safeguarding sensitive information has never been more critical, especially in the healthcare industry, where personal information is obtained, processed, analyzed, and stored. Protecting patient data is no longer just an option – it is an essential condition.