Healthcare Startups: The Need for Advanced Security

The winds of change in the healthcare industry are blowing more forcefully than ever with the onslaught of various technological advancements like social media, big data, IoT, wearables, artificial intelligence, sensors and many others. Coupled with the revolutionary shift to value-based care, these change-enablers are fueling the emergence of healthcare startups, who are seeing new opportunities in the rapidly changing landscape.

Still, no other technological advancement has arguably spurred more innovation than anything else in the last 10 years as cloud computing. The cloud has significantly lowered the barrier to entry for anyone who has envisioned a technological solution to a problem. And it’s become clear, the healthcare industry has no shortage of these visionaries and innovators.

By taking advantage of the cloud’s economic benefits (zero CAPEX, flexible pricing, low TCO, fast time-to-market, etc.), many medical practitioners, who have hired or partnered with software developers, are now setting off to build the next big thing in healthcare. Their ideas around telemedicine, predictive health analytics, data-based diagnostics and other technology-based innovations are in turn driving digital health startup funding upward.

But there’s a hitch. Before their solution can become that next big thing, most of these startups need to accumulate a ginormous amount of data. Therein lies the problem. A significant part of healthcare data is highly confidential (a magnet to cybercriminals) and heavily regulated.

Security and compliance issues

Almost all these healthcare startups have great ideas. However, a lot of the founders that I speak with don’t understand what they’re actually getting into. Often, they’re unaware of their data security and compliance responsibilities until they try to sell their product to a large healthcare system and encounter a lengthy security questionnaire that they are ill-equipped to handle. As a result, they get that rude awakening at the 11th hour and then break into a mad dash to get their proper security controls in order.

What these small healthcare startups need to understand from the very beginning is that they’re entering a world that demands a much higher level of integrity and responsibility. This means, they’ll be subject to the regulatory requirements of HIPAA/HITECH and will consequently have to establish stringent controls to protect ePHI (electronic protected health information).

Because they’re mandated to meet a laundry list of regulatory requirements, their costs are going to be exponential compared to startups who develop, say, social platforms or marketing platforms, where sensitive patient data is not in the mix.

If you’re a healthcare startup, you really can’t afford to neglect data security, as the consequences of a data breach involving patient data can be very costly with the average global cost of data breach at $3.6 million or $141 per data record . But if you look at healthcare, which has the highest per capita data breach cost among all industries, the average cost per record is more than twice that, at $380.

Risk vs. dollars

Many of these small healthcare startups have their astronomical growth projections, understandably because they’re aiming to be the next Uber, the next Snapchat, or even the next Facebook. The problem is, they usually don’t take the value of patient records into account when they draw up these projections. But this must change.

For example, if your goal is to become a $100 million-dollar company, how many patient records would you likely have in your database? With a cost per record at $380, how much would it cost your business if a hacker managed to break into that database? That’s a calculation you need to factor in to understand your risk.

If you don’t do that calculation along your growth trajectory, it will be difficult to justify the required spend on security. It’s especially difficult when you’re still bootstrapping your startup and have limited financial resources. You could be caught in a dilemma between paying your developer to add a certain security feature or to speed up development and get your app to market as quickly as possible.

Proper steps to take

HIPAA is all about managing risk. With multiple occurring in any environment, businesses should start by conducting an assessment to determine the riskiest items or the most likely to occur and their respective impact.

Without an assessment, it is going to be impossible to understand what controls need to be in place and which risks are present in the environment.

Include administrative costs for HIPAA compliance

When you budget for security and compliance, don’t just include the cost for technical security controls. You need to factor in the operational overhead of the administrative side of HIPAA compliance as well. This can be highly time-consuming but must be in order before taking a product to market, especially if you don’t have prior experience creating the proper documentation.

Learn about HITRUST

Conduct some research on a compliance framework, such as HITRUST, which will help you wrap your head around the qualities of a true security posture; not just checkbox compliance. In fact, HITRUST is quickly becoming the de facto standard and requirement for business associates to transact with covered entities. Becoming HITRUST certified early in the business lifecycle could open you up to larger opportunities and shortened sales cycles.

Vet vendors meticulously

When vetting vendors, be aware that EVERYONE in the healthcare space will say they are HIPAA-compliant. You need to conduct due diligence to understand what you’re getting for your money. Remember that, when it comes to working with a vendor, a mistake in the beginning will be exponentially more impactful down the line as you increase the number of patient records that you collect and store.

Look for experience in both cloud and compliance

Hire a consultant or a development firm that specializes in architecting cloud environments and applications with compliance in mind. As you can see, there are several key building blocks to developing a well-rounded compliance strategy. The money spent on someone with expertise in this arena will easily pay for itself in lost time and delays in your process.  Just remember: because someone built your static marketing site does not make them qualified to architect and develop a highly secure healthcare application.

As our culture continues to focus on new technology to drive healthcare innovation, business owners and founders can find great success… but with the right security and compliance strategy in place. You’ll be on your way to a successful launch in no time and begin focusing on what really matters – generating revenue.

Resource Center

More security resources at your fingertips.

Practical Content for Security, DevOps, & IT Professionals