In an era where digital innovation is rapidly transforming the healthcare industry, the importance of robust data security measures has never been more critical. To delve deeper into this pressing issue, we conducted an exclusive interview with Rich Vibert, CEO of Metomic, a leading figure in the field of data security. In this insightful interview, Vibert sheds light on the challenges and strategies for protecting sensitive health information in the digital age. From discussing the impact of digital communication on data security landscapes to exploring the role of real-time notification systems in mitigating risks, Vibert provides a comprehensive overview of the current state and future directions in healthcare data security. His expert insights offer valuable guidance for healthcare organizations navigating the complex terrain of data protection, compliance, and cybersecurity. Join us as we explore these critical themes with Rich Vibert, a visionary in the field of data security.
1. How has the increasing reliance on digital communication affected the data security landscape in healthcare?
It really starts with the expanded attack surface afforded by the increase in digital communication. Digital applications in healthcare create more potential entry points for cyberattacks and more potential leak points for accidental employee data sharing activities, necessitating enhanced security measures. Plus, the sensitive nature of medical data in digital platforms makes them attractive targets for cyberattacks.
Compliance requirements also play a significant role. Healthcare companies need to comply with strict data protection regulations like HIPAA and CCPA, adding another important layer of complexity to data security management.
The combination of the growing risk of attack with increasingly stringent compliance requirements is putting IT and Security teams under tremendous pressure. That’s why we see a need for businesses to rethink their approach to employee training and awareness, so they can implement the so-called “human firewall.” Technology can help businesses identify the risks that matter and either automatically mitigate the risk or flag it to employees so they can decide in real time if it’s a risk worth taking. Training healthcare staff in cybersecurity best practices for using digital applications, which are constantly evolving, is vital to minimize risks associated with human error.
2. What specific technologies or practices should healthcare organizations implement to protect health data in cloud-based tools?
There’s a full gamut of tools businesses can implement to help them identify the risks that matter and mitigate them. But these tools only go so far in identifying the nuanced risks that can appear in digital environments. By implementing tools to identify risks and flag them to employees, businesses can also educate their workforce on what counts as sensitive data and how to work with it.
3. Can you explain how automatic data retention periods for protected health information in SaaS tools help minimize cybersecurity risks?
Automatic data retention periods for protected health information (PHI) in SaaS tools play a critical role in minimizing cybersecurity risks in several ways. The first is reduced data exposure. By automatically deleting PHI after a set period, the volume of sensitive data stored is minimized. This reduces the potential impact of a data breach, as there’s less data available for unauthorized access. This goes hand in hand with limiting unnecessary data accumulation. By ensuring that only necessary and current data is stored, businesses can reduce exposed data and the burden on security systems.
Automatic retention periods also help ensure compliance with healthcare regulations like HIPAA and CCPA, which often mandate specific timeframes for retaining medical records. Compliance reduces the risk of legal penalties and enhances overall data security protocols. By automating data retention periods, businesses can also simplify their data management and make sure their IT security organizations are only focused on protecting the risks that matter.
4. Why have traditional employee awareness training methods become insufficient in today’s data security environment?
Cyberthreats are becoming more varied and more sophisticated, while at the same time the digital ecosystem being used by healthcare companies is also growing more complex. Employees need to be free to access the data they need to do their jobs, but IT and Security teams need to be sure that sensitive data is being handled in a secure and compliant way. Traditional education and awareness training models simply won’t cut it. Businesses need to move towards a more collaborative shared responsibility model between their IT security organization and the broader workforce. Training is a key element of that model, but on-the-job training, delivered as part of a more modern approach, can be so much more powerful than more passive methods.
5. What strategies would you recommend for training healthcare employees in real-time about data security?
Today data security technology exists that can alert employees to where sensitive data is stored and how it’s being shared. For example, if an employee creates a file in Google Drive containing sensitive data, then shares that file publicly, they will receive an automatic notification via their go-to collaboration tool, like Slack or Microsoft Teams. On-the-job, real-time training via risk alerts and a recommended next action (such as ‘redact the data point’ or ‘make the file private’) is the key.
6. Could you discuss how employees can be both a significant asset and a risk in healthcare data security?
Employees working in healthcare can potentially have access to a significant amount of sensitive data on a daily basis. Human error, insider threats and a lack of training and awareness are the biggest risks associated with employees.
However, well-trained employees can act as the first line of defense against cyber threats. They can identify and report suspicious activities, preventing potential breaches. When an organization is empowered and has the right tools in place to enable employees to act as a human firewall, security and compliance threats will diminish rapidly.
7. How do real-time notification systems alert employees to potential data security threats, and what are their advantages over traditional methods?
Real-time notification systems are a key element of implementing a robust human firewall to protect sensitive data. How they work is that the notifications are configured and enabled by the security team. They define which data sharing activities they want to notify employees about. For example, if an employee creates a file in Google Drive which contains sensitive data and they share that file publicly, an alert will pop up. Or an employee shares PCI data in Slack; again, an alert is triggered.
The role of the technology is to smartly identify the risks that matter, and trigger alerts when those risks are about to be exposed.
Remediation is another important element of the notifications. Once the technology has identified the risk, it needs to suggest a remediation. That might be something like redaction of a text, revoking file access or simply overruling the alert and sharing the file as planned.
In the Metomic dashboard, for example, the security team has visibility on how many employee notifications are being delivered, how employees are responding to them (i.e. are they using these notifications to clear up their risks), so they can monitor trends in employee behaviors and address potentially risky behavior through training and education.
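The notification-and-remediation flow described in this answer (security team configures which sharing activities matter; a sharing event is classified; the employee gets an alert with suggested remediations plus the option to proceed), written out as an added example that is not Metomic’s code. The detectors, the event shape and the rule fields are all constructed assumptions; a real DLP classifier would be far more sophisticated than two regexes and a Luhn check.

```python
import re
from typing import Optional

# Constructed detectors standing in for a DLP classifier: a card-number pattern
# validated with the Luhn checksum, and a medical-record-number pattern.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
MRN_RE = re.compile(r"\bMRN[: ]?\d{6,10}\b", re.IGNORECASE)

def luhn_ok(number: str) -> bool:
    """Luhn checksum: filters out 16-digit strings (order refs etc.) that are not cards."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(number) if c.isdigit()):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the sensitive data classes (PCI, PHI) found in a file or message body."""
    found = set()
    if any(luhn_ok(m) for m in CARD_RE.findall(text)):
        found.add("PCI")
    if MRN_RE.search(text):
        found.add("PHI")
    return found

# Rules the security team would configure (constructed): which sharing activity in
# which tool triggers a notification, and which remediations the alert offers
# alongside the option to overrule it and proceed as planned.
RULES = [
    {"tool": "gdrive", "action": "share", "visibility": "public",
     "classes": {"PHI", "PCI"}, "remediations": ["make_file_private", "redact"]},
    {"tool": "slack", "action": "message", "visibility": None,
     "classes": {"PCI"}, "remediations": ["redact"]},
]

def evaluate(event: dict) -> Optional[dict]:
    """Match one sharing event against RULES; return the employee notification or None."""
    classes = classify(event["content"])
    for rule in RULES:
        if (rule["tool"], rule["action"]) != (event["tool"], event["action"]):
            continue
        if rule["visibility"] and rule["visibility"] != event.get("visibility"):
            continue
        hit = classes & rule["classes"]
        if hit:  # only risks the rule cares about reach the employee
            return {"user": event["user"], "tool": event["tool"],
                    "classes": sorted(hit), "options": rule["remediations"] + ["proceed"]}
    return None
```

Each returned notification carries the employee’s choices, so the responses can be tallied the way the dashboard described above does (how many alerts were sent, how many were remediated versus overruled).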
8. In the wake of the Postmeds data breach, what immediate actions should healthcare startups take to protect their customers’ privacy and trust?
The first step has to be implementing technology to identify the risks that matter across the business’ digital infrastructure – from cloud, to SaaS to GenAI. Once those risks have been identified it’s so much easier to mitigate against them via process improvements, employee enablement and ongoing education.
9. What long-term strategies should healthcare organizations adopt to consistently safeguard sensitive data against evolving cyber threats?
The first of the three key strategies I believe healthcare organizations should focus on is continuous risk assessment, which means IT security teams need to conduct ongoing risk assessments to identify potential vulnerabilities and stay ahead of emerging threats. The second strategy is investment in the right technology ecosystem, from detection to encryption, to make sure their system is protected against vulnerabilities. And the third is employee training and awareness. By continuously educating employees about cybersecurity best practices and their role in protecting sensitive data, IT security teams can focus their energy and resources on managing the risks that matter to their organization.
10. As a leader in data security, what advice do you have for healthcare industry leaders about prioritizing and investing in data security infrastructure?
My advice to industry leaders is to make data security a board-level priority for their business. Cyber attacks are growing at such a rapid rate, both in terms of their frequency and their complexity. The risk of a breach is ever present, and the impact of that breach could potentially bring a business down. Whether it’s in terms of reputational damage, loss of customer trust or heavy fines, there is no good outcome when a breach occurs. By investing smartly in a robust data security infrastructure, the risk of a breach can be reduced significantly. So why not invest now, rather than being forced to pick up the pieces when the breach has already occurred?
About Rich Vibert
Rich Vibert is the CEO and co-founder of Metomic, a next-generation data security solution that helps companies reap the productivity and collaboration benefits of popular workplace apps without exposing sensitive information to the wrong people and without getting in the way of employees doing their jobs. Prior to founding Metomic, Rich led data strategy at Sotheby’s. He earned a Master of Science degree in Mathematics from King’s College London and a Bachelor of Science with Honors in Mathematics from Durham University.
Digital Health Buzz!
Digital Health Buzz! aims to be the destination of choice when it comes to what’s happening in the digital health world. We are not about news and views, but informative articles and thoughts to apply in your business.