How to keep your sensitive data safe while using telehealth

The independent certifications verifying secure digital health interactions

In an increasingly online world, health providers continue to leverage digital technologies to deliver more innovative, effective and accessible forms of healthcare. For many patients (particularly those in regional and remote communities), these technologies are critical to improving the many issues with traditional forms of healthcare, including access, convenience and fragmentation. 

However, delivering healthcare in this way often involves the online collection and storage of sensitive health information. This, in turn, creates a significant risk of data breach. Patient privacy is no longer protected by the four physical walls of a GP’s consultation room. Understanding your privacy in this online environment can be difficult, and continues to change as technology develops. 

So in these circumstances:

  • How would you verify that your sensitive data is kept private and secure in online health environments? 
  • How would you confirm that an online health provider is following industry best-practice in relation to their technical security?

Fortunately, cybersecurity experts have developed international standards for information security as an answer to both of these questions. For example, if an online health provider has either the ISO27001 certification or the SOC2 certification, you can be assured that they have had their technical security independently tested and verified against these international standards. 

In this article, we outline the challenge of assessing an online provider’s technical security and the importance of checking an online provider’s independent certifications. In line with our commitment to protecting our patients’ privacy, it’s our belief that all digital health providers should be independently certified against at least one of these international standards. 

This protects patient data and ensures that healthcare can continue to be delivered online in a safe, secure and reliable way. 

The information imbalance between online providers and users

Assessing the technical security of any digital provider can be difficult. This is because each digital provider may have its own complex, interconnected set of third-party providers, tools and code that together make up its digital service (often called a tech stack).

Unlike a physical environment, online environments cannot be easily observed or tested by a non-technical person. Moreover, the points of entry to an online environment are constantly developing and changing as a result of an ever-evolving technology landscape. 

Usually, the software developers and IT professionals who build and maintain the tech stack are the individuals with the most knowledge regarding the technical security of a digital provider. In addition, some companies bring in dedicated cybersecurity experts whose sole focus is to understand changes to the threat landscape and uplift technical security controls. For example, all employees at Eucalyptus have a responsibility to protect patient data, but we also have a dedicated in-house cybersecurity team made up of security engineers, IT professionals and technology risk specialists. 

While this structure is important for improving a digital provider’s technical security, it creates significant information asymmetry between the provider and its non-technical users. Short of completing years of study or experience in technical security, how can a patient ever hope to understand an online health provider’s technical security just by using the platform?

The solution: Independent verification of an online service provider’s security

External certifications can bridge this gap between patients and providers, by ensuring that independent experts observe, test and verify a service provider’s technical security protections. 

Currently, there are two main certifications that are recognised internationally:

  1. ISO27001: Developed by the International Organization for Standardization (ISO).
  2. SOC2: Developed by the American Institute of CPAs (AICPA).

Each country or region may also have their own specific certifications. For example, the UK NHS uses the Digital Technology Assessment Criteria (DTAC) to verify the technical security and privacy protections of a digital health provider.

While there is some variation between these certifications, they generally involve the external testing and validation of a service provider’s controls relating to the privacy, security and integrity of information in digital environments. 

This means that if you see a SOC2 or ISO27001 certification, you can trust that the provider’s technical security has been tested and validated by an independent cybersecurity expert. Indeed, we are proud to be one of the only digital health providers in Australia that is certified to ISO27001 and the DTAC regime of the UK’s NHS. 

Does your digital health provider have an external certification?

At Euc, we fight for our patients’ privacy at a state and national level. In line with this commitment, we believe all digital health providers should be independently certified against at least one of the main international standards for information security. This protects patients from the risk of data breaches and ensures that healthcare can continue to be delivered online in a safe, secure and reliable way. 

Until such time as minimum technical security measures are mandated for digital health providers, we advise all patients to check whether their provider has obtained independent certification for their cybersecurity (e.g., ISO27001, SOC2, DTAC). This might just be the difference between a secure and an insecure online health experience. 

Authors

Brian Lam
Senior Software Engineer
Jeremy Chan
Trust Lead