How DaaS is Addressing Cybersecurity Woes of Healthcare
DaaS architectures can provide added protections against cybersecurity threats, writes Sivakumar Ramamurthy, Deputy MD and COO, Anunta Tech.
In the new normal, India is set to witness a paradigm shift in its healthcare system. This development will be driven by health-tech start-ups, telemedicine, biotech, and a digitized pharma industry. According to the National Promotion and Investment facilitation agency, by 2022 the healthcare market might be worth $370 billion, promising yields up to 35-40%. This dynamic and drastic rise in digitized care solutions is also a cause for worry because of data breach and security issues.
Cybersecurity is a concern for every business, but it is particularly problematic in the healthcare industry, as healthcare providers must collect and store patient data – referred to as Protected Health Information (PHI). Several countries have strict government regulations, like America’s Health Insurance Portability and Accountability Act (HIPAA), Europe’s General Data Protection Regulation and India’s Personal Data Protection Bill, which is still on its way to becoming a bill.
Despite the desire and best-effort attempts to protect patient information, it’s still common for data security breaches to occur. According to Greenbone Networks, a German cybersecurity firm, a massive data breach reported in 2020 leaked 121 MN medical images and over a million medical records online, where they were freely accessible to anyone.
The leak also included the personal details of the patients, medical history, physician names and other details that were meant to remain classified. These leaked data records were from one of Mumbai’s well-known hospitals as well as a relatively well-known medical imaging provider in India.
Why healthcare providers are a target
Unlike other businesses that can limit the type and amount of sensitive data they are required to collect and store, healthcare providers are forced to manage patient data that contains information that cyber criminals can use in several ways, including identity theft. The type of PHI data that healthcare IT departments must protect includes names, dates of birth, telephone numbers, social security numbers, email addresses, photos and biometrics, and so on.
The safekeeping of this type of patient data is precisely why cybersecurity is such a major concern. It is also why healthcare security administrators are constantly on the lookout for technologies that can help mitigate the risk of lost or stolen data. Let’s understand why virtualized desktop architectures like Desktop as a Service (DaaS) are being increasingly relied on to help protect electronic PHI.
Data loss prevention benefits of DaaS
While DaaS provides several management, performance and scalability benefits, the architecture can be deployed to provide an extra layer of security when it comes to the prevention of data loss. This data loss can include theft or destruction by cyber criminals as well as inadvertent loss due to employee negligence.
The protection of sensitive data requires that security administrators know exactly:
- Where the data is at rest
- Which path(s) data takes while in motion
- Who requires access to the data
While PHI data is commonly stored in secure data centers or clouds, healthcare employees can often access PHI data from traditional PCs – with the potential to download data off the servers and onto their local desktop hard drives. Data stored locally is likely far less secure, and thus more prone to being stolen by criminals using common desktop malware exploits.
A major benefit of DaaS lies in the fact that the healthcare professional’s desktop experience becomes fully virtualized – and therefore contained within a data center or cloud. No data can ever be processed or downloaded to the local device. The attack surface decreases as the physical desktop will possess no sensitive data. Instead, the data remains in the cloud or data center where it can be better monitored and tracked. Along those same lines, the threat of lost or stolen laptops is no longer a concern from a PHI perspective. If an employee loses a PC, phone or tablet, no sensitive data resides on it, thus it’s not a major concern.
Another benefit of DaaS is that IT administrators have far more control over the applications and services that can be used on the virtualized desktop. As stated previously, data loss is not only caused by criminals – it can also be the result of carelessness by employees handling the sensitive data. Shadow IT is a great example of negligent behavior that can cause a loss of PHI in the healthcare field. Shadow IT occurs when employees install and use applications that are not authorized, managed, or secured by the IT department.
With traditional desktops, employees can often install and run applications that are inherently unsafe from a data loss perspective. This is especially concerning when these applications are used to share or store sensitive data. Common examples of shadow IT tools employees use that contribute to data loss or leaks include file transfer tools, team collaboration apps and cloud storage.
Shadow IT is far easier to control in the DaaS architecture. Because of the more granular control of a virtualized desktop operating system and installed apps, the ability for users to gain access to unauthorized applications is reduced. Again, this means that the chance of data leaking out into less secure areas is greatly minimized. This is a major benefit to healthcare institutions that must prove precisely where sensitive data is stored – and where it can be transported. Thus, DaaS significantly helps with HIPAA compliance in this regard.
Make sure your DaaS provider is regulation compliant
While DaaS architectures can provide added protections against cybersecurity threats, it’s important to remind healthcare organizations that they must search out a DaaS partner that sells virtual desktop services that are compliant with regulatory standards.
The cybersecurity concern in India is at a nascent stage. It therefore needs a robust framework, policy intervention and innovative security products that can help prevent these medical data breaches. Desktop as a Service offers a possible solution to the cybersecurity woes.
(The author is Deputy Managing Director and COO, Anunta Tech, and the views expressed in this article are his own.)