Following the successful introduction of Alexa’s healthcare services earlier this year, Amazon has announced that its AI, Textract, is now HIPAA eligible. Textract offers a machine learning service that scans healthcare-related texts and data to help retrieve medical data quickly.
This is just the start. Over the past few years, data privacy regulations like GDPR, HIPAA, PCI DSS and CCPA have brought security concerns to the forefront of digital transformation projects. Today, we see compliance as a core requirement of nearly every digital project. Services that deal with huge datasets, like Textract, carry the risk of a breach because a high volume of sensitive data is being created at an increasing number of touchpoints. With an ever-increasing number of attack surfaces, data security remains imperative, while classic perimeter defense is becoming less effective.
Historically, cyber criminals have primarily targeted the financial industry; however, more and more ‘softer targets’, such as social services and healthcare, are being affected lately. Many systems in the healthcare sector are just as data-rich as traditional targets, but their IT security often falls behind patient care in prioritization, making them easy targets.
Indeed, for the opportunistic hacker, healthcare information can be a treasure trove of data. One need look no further than the AMCA cyber heist of 2019 that compromised millions of patient records. Here, criminals stole valuable information including not just patient PII and lab test info, but also healthcare provider info, credit and debit card info, bank account information, and social security numbers.
It’s not just one-off breaches either. The HIPAA Journal recorded 365 data breaches in 2018 alone. With the healthcare sector subjected to what equates to a breach every day, it is essential that cybersecurity be implemented industry-wide. Because the average HIPAA-related fine exceeds $2,500,000, it is substantially cheaper to invest in adequate security before cyber-attacks occur.
For corporations with healthcare data, securing this information means that as soon as a patient’s name, social security number, and payment info are entered, the data should be immediately protected. Implementing data-centric security means that companies shouldn’t wait until the data is correlated, centralized, or written to various databases. Instead, protection should be applied to the data immediately. When the data itself is protected, it matters less if mistakes are made in keeping systems updated with the latest patches or in configuring cloud security infrastructure correctly. When the healthcare industry focuses on securing the data in addition to securing its systems, patient identity (and sensitive data) losses of this magnitude may be significantly reduced.
While AI products like Textract promise to improve efficiency, companies must ensure that the organizations they trust with their sensitive data are reliable and secure. Indeed, there should always be company-wide, holistic protection like data-centric security that works as an enabler for digital transformation initiatives: not only for single projects, but for projects across the organization, both now and in the future, as HIPAA-compliant AI services become more and more commonplace.