Q&A: Healthcare Cybersecurity Expert Christian Espinosa Weighs In on Data Privacy
by: Juliet Van Wagenen, senior web editor for BizTech and HealthTech magazines
Big Data is set to explode in the coming years, and healthcare in particular is set for huge expansion. As connected devices and the Internet of Medical Things continue to permeate the medical realm, healthcare data is likely to grow faster than that of any other sector. According to a recent study by IDC, the healthcare sector will see a compound annual growth rate in data of 36 percent through 2025, surpassing the media, entertainment and financial sectors.
As real-time data use grows in healthcare, spurred by advancements in analytics and imaging tech, what will it mean for provider organizations seeking to ensure that data privacy is upheld? And what will it mean for data security?
Data Privacy Day is the perfect time to raise these questions. The day offers opportunities to expand education and awareness around data, as well as to encourage users and businesses to protect their information online.
In honor of Data Privacy Day, HealthTech spoke with professor Christian Espinosa, an instructor of cybersecurity at St. Louis-based Maryville University with 25 years of experience in the cyber-security industry, who has also served as a network and systems engineer, a white hat hacker and security consultant. Here, Espinosa lays out the data privacy environment for healthcare organizations, evolving vulnerabilities and what can be done to advance protections for personal health information.
HEALTHTECH: What does the data privacy landscape look like in the U.S. right now?
ESPINOSA: The U.S. is slightly behind Europe when it comes to data privacy regulation, as the General Data Protection Regulation has set the standard there. But we are moving more toward the protection of consumer personal health information and personally identifiable information with regulations like the California Consumer Privacy Act.
HEALTHTECH: What do you think are the greatest threats to personal data at the moment?
ESPINOSA: Most consumers don’t understand what can be done with someone’s personal data, which means that the greatest threat is simply the vulnerabilities we haven’t thought of yet.
For example, wearable devices now can measure everything from heart rate to body temperature. That data, which is associated with your identity, is sent to your smartphone, which could be compromised, and from there it’s sent to the cloud, which could also be prone to hacking.
Moreover, that data could be used for various things that might make the consumer feel uncomfortable. Sleep data could be associated with stress levels, which could then be used by insurance companies to adjust rates based on those sleep patterns.
Ultimately, there are use cases for all this personal data that people simply can’t comprehend.
HEALTHTECH: What might the near future bring as IoMT, analytics and other initiatives, like wearables, prompt healthcare orgs to collect more data?
ESPINOSA: The reality is that a large hospital system may have a million medical devices, and of those, 300,000 are networked or connected to the internet in some capacity. Of those, there’s probably 100,000 that have a piece of PHI — name, blood type, insurance carrier, etc. Most of these healthcare organizations do not have a good idea of all the devices they currently have deployed, much less the devices that currently have data that should be protected. Combine that with the fact that most don’t know which have vulnerabilities and have been exploited.
We’re just at the tip of the iceberg with unprotected medical devices in particular. Likely, the problem will get much worse before it gets better. Particularly as we move toward the IoMT, there are a lot of vulnerabilities in those devices that can allow someone to potentially access PHI.
HEALTHTECH: What can healthcare organizations do to improve data transparency and security for consumers as expectations change?
ESPINOSA: For healthcare specifically, there needs to be an evolution in awareness for clinicians about how a device collects data, how it’s used and how it’s transmitted. The truth is that when you speak about cyber-security issues around implanted devices, most patients will get scared. You can be transparent with some things, but the bottom line is some consumers won’t understand it.
HEALTHTECH: Is there one thing you want organizations to understand about data privacy and security?
ESPINOSA: Once you get data into your environment, it’s extremely difficult to even know where it exists. Data often lives on a mobile app, desktop app and in the cloud simultaneously. Even if it’s removed from one area, there’s a high probability it still exists in other locations.
HEALTHTECH: If you could wave a magic wand and change one thing about data privacy and security, what would it be?
ESPINOSA: If I could change one thing it would be that organizations actually understand the data flow of consumer data and data they are trying to protect. Most organizations don’t even understand how the data is stored or removed, or who has access to it.
Organizations should seek to build out a data flow diagram and clearly outline the life cycle of consumer data, PHI and PII, which would make everything a lot easier.
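The data flow diagram and data life cycle Espinosa calls for, together with his earlier point that data tends to live in several places at once, can be captured as code and queried rather than left as a drawing. The Python below is an added example written for this page, not Espinosa's or HealthTech's work: the stores, trust zones and flows describe a constructed wearable-to-cloud pipeline, and the plaintext device link and the backup with no owner are assumptions chosen to show what the checks surface.

```python
"""Data-flow model for PHI/PII: declare stores, trust zones and flows, then ask
where a data class rests, what copies survive a deletion, and which flows or
stores violate policy. Example code, not from the page or any vendor."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Store:
    """A place data rests: device storage, mobile app, cloud database, backup."""
    name: str
    zone: str                       # trust zone the store sits in
    data: FrozenSet[str]            # data classes declared on it, e.g. {"PHI"}
    encrypted_at_rest: bool = False
    owner: str = ""                 # accountable team; empty means nobody has claimed it


@dataclass(frozen=True)
class Flow:
    """A transmission of data classes from one store to another."""
    src: str
    dst: str
    data: FrozenSet[str]
    encrypted_in_transit: bool = False


class DataFlowModel:
    def __init__(self) -> None:
        self.stores: Dict[str, Store] = {}
        self.flows: List[Flow] = []

    def add_store(self, store: Store) -> None:
        if store.name in self.stores:
            raise ValueError(f"duplicate store {store.name}")
        self.stores[store.name] = store

    def add_flow(self, flow: Flow) -> None:
        for end in (flow.src, flow.dst):
            if end not in self.stores:
                raise ValueError(f"flow references unknown store {end}")
        self.flows.append(flow)

    def locations(self, data_class: str) -> Set[str]:
        """Every store holding data_class: declared on the store, or delivered to it
        by a flow (a pass-through API still logs, caches or buffers what it receives)."""
        held = {s.name for s in self.stores.values() if data_class in s.data}
        delivered = {f.dst for f in self.flows if data_class in f.data}
        return held | delivered

    def copies_downstream(self, data_class: str, start: str) -> Set[str]:
        """Stores reachable from `start` over flows carrying data_class. Deleting the
        record at `start` alone leaves every one of these copies in place."""
        seen: Set[str] = set()
        todo = [start]
        while todo:
            cur = todo.pop()
            for f in self.flows:
                if f.src == cur and data_class in f.data and f.dst not in seen:
                    seen.add(f.dst)
                    todo.append(f.dst)
        return seen

    def unencrypted_boundary_crossings(self, data_class: str) -> List[Tuple[str, str]]:
        """Flows carrying data_class between different trust zones with no transport encryption."""
        return [(f.src, f.dst) for f in self.flows
                if data_class in f.data and not f.encrypted_in_transit
                and self.stores[f.src].zone != self.stores[f.dst].zone]

    def unprotected_at_rest(self, data_class: str) -> Set[str]:
        return {n for n in self.locations(data_class) if not self.stores[n].encrypted_at_rest}

    def unowned(self, data_class: str) -> Set[str]:
        return {n for n in self.locations(data_class) if not self.stores[n].owner}


def build_sample_model() -> DataFlowModel:
    """Constructed pipeline: wearable -> phone app -> cloud API -> warehouse -> backup.
    The plaintext device link and the ownerless backup are assumptions for the demo."""
    m = DataFlowModel()
    phi = frozenset({"PHI"})
    m.add_store(Store("wearable", "device", phi, encrypted_at_rest=False, owner="devices"))
    m.add_store(Store("phone_app", "phone", phi, encrypted_at_rest=True, owner="mobile"))
    m.add_store(Store("cloud_api", "cloud", frozenset(), encrypted_at_rest=True, owner="platform"))
    m.add_store(Store("warehouse", "cloud", phi, encrypted_at_rest=True, owner="analytics"))
    m.add_store(Store("backup", "cloud", phi, encrypted_at_rest=False))      # nobody owns it
    m.add_flow(Flow("wearable", "phone_app", phi, encrypted_in_transit=False))  # assumed clear link
    m.add_flow(Flow("phone_app", "cloud_api", phi, encrypted_in_transit=True))
    m.add_flow(Flow("cloud_api", "warehouse", phi, encrypted_in_transit=True))
    m.add_flow(Flow("warehouse", "backup", phi, encrypted_in_transit=True))
    return m


if __name__ == "__main__":
    m = build_sample_model()
    print("PHI rests in:", sorted(m.locations("PHI")))
    print("Copies left after deleting from phone_app:", sorted(m.copies_downstream("PHI", "phone_app")))
    print("Plaintext zone crossings:", m.unencrypted_boundary_crossings("PHI"))
    print("Unencrypted at rest:", sorted(m.unprotected_at_rest("PHI")))
    print("No owner:", sorted(m.unowned("PHI")))
```

The `cloud_api` store declares no PHI of its own, yet it shows up in `locations("PHI")` because a flow delivers PHI to it; that is the kind of location an interview-style inventory misses. Each query maps to a life-cycle question: where the class rests, what a deletion actually removes, where it crosses a trust boundary in the clear, and who is accountable for each copy.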