{"id":8485,"date":"2020-12-03T14:52:57","date_gmt":"2020-12-03T12:52:57","guid":{"rendered":"https:\/\/atostek.com\/?p=8485"},"modified":"2021-02-26T09:55:36","modified_gmt":"2021-02-26T07:55:36","slug":"3-tips-on-how-to-avoid-healthcare-hacking-in-the-future","status":"publish","type":"post","link":"https:\/\/atostek.com\/en\/3-tips-on-how-to-avoid-healthcare-hacking-in-the-future\/","title":{"rendered":"3 tips on how to avoid healthcare hacking in the future"},"content":{"rendered":"<p><strong>A cyber security specialist lists three ways to avoid a disaster like the Vastaamo hacking incident: \u201cUnder no circumstances, should information systems show any patient information to end users without strong authentication\u201d.<\/strong><\/p>\n<p>The hacking of the Psychotherapy Center Vastamo, reported at the end of October, prompted organizations to assess the level of their own data security. <strong>Jaakko Perki\u00f6<\/strong>, IT Manager at Atostek, has a solution to avoiding similar situations in the future.<\/p>\n<h2 id='1-increasing-strong-authentication'  id=\"boomdevs_1\" >1. Increasing strong authentication<\/h2>\n<p>Strong authentication refers to user identification with methods that are more reliable than a plain password. Strong authentication is used in Kela&#8217;s Kanta service, where patient data is stored, but it is not necessarily required when logging in to a healthcare unit&#8217;s own information systems, which in turn can be connected to the Kanta via an interface.<\/p>\n<p>Thus, some healthcare professionals have access to patient data in their own systems without strong authentication. That\u2019s why Perki\u00f6 thinks all healthcare systems should use strong authentication.<\/p>\n<p>\u201cThe security requirements for healthcare information systems should be tightened. Under no circumstances should information systems show any patient information to end users without strong authentication,\u201d emphasizes Perki\u00f6.<\/p>\n<p>Social and healthcare data is transferred from one system to another via direct interfaces in healthcare providers\u2019 own systems. According to Perki\u00f6, there also lies a serious security risk if data is transmitted without strong authentication required during the process.<\/p>\n<p>\u201cA log entry identifying the professional who processed the data should be made whenever patient data is processed\u201d, suggests Perki\u00f6. \u201cThat way, the system could indicate who has done what.<\/p>\n<h2 id='2-security-audits-should-concern-all-systems-recording-patient-data'  id=\"boomdevs_2\" >2. Security audits should concern all systems recording patient data<\/h2>\n<p>In Finland, social and healthcare information systems are divided into two classes, A and B. Roughly speaking, Class A includes all systems connected to the Kanta service and the rest fall into Class B.<\/p>\n<p>An external security audit, i.e., a security assessment, is required for Class A systems. An audit is currently not required for Class B systems. However, according to Perki\u00f6, the risk of data breaches would be reduced if Class B systems were also subject to security audits.<\/p>\n<p>\u201cIt would be justified to require security auditing for all systems in which social and healthcare data is stored\u201d, comments Perki\u00f6.<\/p>\n<p>In addition to security audits, Class A information systems must undergo so-called joint testing to ensure their compatibility with the Kanta service. The aim of joint testing is to ensure the compatibility of Class A information system interfaces and the data transmitted via them with the Kanta services and the other Class A systems connected to Kanta. According to Perki\u00f6, this does not, however, improve data security, so there is no need to subject more systems to joint testing.<\/p>\n<h2 id='3-establishing-a-class-c'  id=\"boomdevs_3\" >3. Establishing a Class C<\/h2>\n<p>In Finland, the Government recently submitted a proposal to the Parliament on the processing of social and health service client data. It has been wrongly claimed in public that the new act would completely remove Class B and only leave Class A. This is not the case, since Classes A and B would also be included in the new Act on the Electronic Processing of Client Data in Social and Health Care Services.<\/p>\n<p>Perki\u00f6 proposes a third class, Class C, in addition to these two. Class C would include systems that do not store the sensitive social and healthcare data they process. In Perki\u00f6\u2019s opinion, such data could, in many cases, only be stored in the Kanta service instead of local systems.<\/p>\n<p>\u201cIt would be easier for such systems to implement security features and thus pass auditing, as they contain less sensitive information,\u201d says Perki\u00f6.<\/p>\n<p>Perki\u00f6 points out that even though the Kanta service does not support the storage of all data, essential patient data could often be exclusively stored in Kanta. This way, only appointments and other less sensitive data would be stored in local systems.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A cyber security specialist lists three ways to avoid a disaster like the Vastaamo hacking incident: \u201cUnder no circumstances, should information systems show any patient information to end users without strong authentication\u201d. The hacking of the Psychotherapy Center Vastamo, reported at the end of October, prompted organizations to assess the level of their own data&hellip;<\/p>\n","protected":false},"author":4,"featured_media":8292,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false},"categories":[31,27],"tags":[93,250,251],"_links":{"self":[{"href":"https:\/\/atostek.com\/en\/wp-json\/wp\/v2\/posts\/8485"}],"collection":[{"href":"https:\/\/atostek.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/atostek.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/atostek.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/atostek.com\/en\/wp-json\/wp\/v2\/comments?post=8485"}],"version-history":[{"count":0,"href":"https:\/\/atostek.com\/en\/wp-json\/wp\/v2\/posts\/8485\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/atostek.com\/en\/wp-json\/wp\/v2\/media\/8292"}],"wp:attachment":[{"href":"https:\/\/atostek.com\/en\/wp-json\/wp\/v2\/media?parent=8485"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/atostek.com\/en\/wp-json\/wp\/v2\/categories?post=8485"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/atostek.com\/en\/wp-json\/wp\/v2\/tags?post=8485"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}