Since 2020, digital health has taken on an even more important role in Brazil (and around the world) in the search for agile solutions to face the Covid pandemic -19. A recent study by Cetic.br (Regional Center for Studies on the Development of the Information Society) reveals that at least 50% of the Brazilian population has used online health services in the last 12 months. Thus, the use of technology for remote care has increasingly consolidated as fundamental for the democratization of access to health.

However, in relation to the processing of consumer data, caution must be redoubled in the health sector. Files and documents are a gold mine for cybercriminals, who use this information for scams. Therefore, information security is an essential task to prevent leaks and exposure of confidential data – which leads to fines, in addition to legal and reputation problems.

What must be protected?

All these implications make the technological security challenges for health so high that different strategies are needed to overcome them. In the routine of clinics, hospitals and laboratories, the most critical point is still the protection of patient data included in files that constantly circulate among different professionals.

Another point of attention is that emails can be holes for leaks. While many companies still rely on this tool for information sharing, since attaching a file is something everyone can do, this practicality can be risky when it comes to sending confidential documents.

In addition to the security risk involved (intercepting files, sending to the wrong recipient, or even an entire distribution group), emails are not designed for transferring large files (many services limit attachment sizes to 10 MB or less). The available capacity is insufficient to accommodate unstructured media formats such as video, audio and images.

However, transferring large files through email servers causes performance issues that affect reliability and file delivery. Having many copies of large attachments consumes space and creates storage management issues. As a result, the IT department loses visibility into file locations – which can be a problem during audits.

Alternatively, file transfer (FTP) solutions are better than emails but have limits that also compromise operations. With them, the main challenge is the lack of an automatic encryption method upon file sending and storage. Added to this is the fact that FTP solutions, based on manual processes without native means of automation and integration with business processes, are not scalable. Finally, files stored on an FTP server remain there forever or until someone removes them.

Privacy Laws and Data Hijacking

In this context, it is important to note that breaches in the healthcare sector in different countries can cost more than US$9 million per incident (data from IBM/Ponemon, published in the Beckers Hospital Review) – higher than that of any sector. According to IBM, nearly half (44%) of all breaches analyzed in the report exposed personal customer data, including health information, names, emails and passwords. Among the sensitive data that must be protected are: appointment reminders, big data (medical images, for example), billing and payment information, regulatory compliance reports, among others.

In addition to breaches, data privacy laws are also a challenge faced by IT and security professionals. In Brazil, with the General Data Protection Law (LGPD), the rules for the security of patient information provide for severe penalties for institutions that do not comply with the rules, with fines that can reach BRL 50 million.

Regardless, protecting patient privacy is the right thing to do regarding business ethics and business resilience. For this, companies need to be aware of the key issues for compliance with many laws, which include:

Authentication: verify that users are who they say they are.

Access control: ensure that data access is not allowed without proper authorization.

Transmission and Storage Security: Include encryption in data transmissions and at rest.

Integrity: Ensure protected health information is not altered without permission or detection.

Audit Control: Grant full visibility of file transfers.

Zero Trust

All of these issues can be controlled by ensuring that data is encrypted during transmission and storage, that changes to the file are detected, and that the audit trail shows everything that happened to a file during a process.

In the most effective data protection strategies, many IT professionals embrace the concept of Zero Trust, which means that the best way to protect all data and assets is to trust nothing until areas of the network are proven to be reliable.

As such, documents need a high level of protection and no one should be trusted to access them without explicit permission and validated authentication. For Microsoft, this model assumes the risk of breach and verifies each request as if it originated from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust “never trusts, always verifies”.

A key to enforcing the Zero Trust policy is ensuring strong identity management and protection, primarily through authentication, which must be enforced throughout the environment, limiting users’ rights to only what is absolutely necessary. That is, only those who need to open, transfer or receive a file can do so.

Today, in the healthcare sector, technology is responsible for connecting all stakeholders. Therefore, efficient security measures are indispensable to guarantee the integrity of the processes. Adopting information access control policies helps maintain the security and privacy of critical data, leveraging digital health, and contributing to expanding the reach of care. In this context, the greatest beneficiary must always be the patients, and the objective is to always maintain the security of their data.

*Francisco Larez is Progress Vice President for Latin America and the Caribbean.