Security

How Administrative Systems Handle Sensitive Patient Data

Most people think of hospitals, clinics and doctors when they think about healthcare data. In practice, a large share of confidential patient records is processed by management and administrative companies that provide no direct care but play a central role in how those records are stored, processed and organized.

This is a less visible layer of risk, and it is just as important.

Healthcare management businesses that support many medical practices offer services such as reimbursement management, practice scheduling and records and information management. That role gives these central players access to a very wide range of confidential patient data spanning multiple providers and geographic locations.

The DermCare data breach is a good example of how the management systems and processes that support healthcare delivery can become significant points of vulnerability. A single clinic's medical record system holds a limited number of patient records; a practice management system serving several practices at once holds a far larger volume and variety of patient information.

That concentration of data makes these systems attractive targets, and potentially vulnerable to exploitation.

Administrative healthcare platforms are defined by their scale, and patient clinical information is only one part of what they hold. They also store financial records, insurance data, identity verification details and medical history. Aggregated in one place, that information forms a very attractive profile for anyone not authorized to access it.

The DermCare data breach also illustrates how hard it can be for an organization to determine the full scope of an incident. When a complex administrative platform serving a large provider with many locations is compromised, working out how many individuals had data on the system, and which data elements each of their profiles contained, can take a long time. That delay prolongs the period of uncertainty for those affected.

Organizations that operate under a management company often share one administrative platform across multiple clinics in different regions. A single incident can therefore affect patients from many clinics even if the initial point of entry was a single location.

Administrative systems are designed to give staff at different sites quick access to records, so they typically expose many access points. More access points improve operational flexibility, but they also demand strong access management: each account should reach only the clinics and record fields its role requires, and every access should be recorded so that misuse can be detected.

The DermCare data breach demonstrates that sensitive data does not live only in clinical systems. It also lives in the administrative functions that provide operational support to clinical care.

For organizations, this means administrative infrastructure must be protected as rigorously as clinical systems, using access control management, continuous monitoring and regular security audits.
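The failure mode described above (one compromised login at one clinic exposing every clinic on a shared platform) and the controls recommended here (scoped access, logging, detection) can be made concrete in code. The following is an added illustration written for this page; it is not DermCare's software or any real platform's code. The clinic names, roles, record fields and the detection threshold are constructed assumptions. It contrasts an unscoped read with a tenant- and role-scoped read, writes every decision to an audit trail, and runs a simple detection over that trail.

```python
"""Tenant- and role-scoped access to patient records on a shared
administrative platform, with an audit trail and a detection over it.
Added illustration: clinics, roles, fields and records are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Principal:
    user: str
    role: str                 # "clinician", "billing" or "platform_admin" (assumed roles)
    clinics: frozenset        # clinic IDs this account is entitled to


@dataclass(frozen=True)
class Record:
    patient_id: str
    clinic: str
    fields: dict


# Fields each role may read. Field names are illustrative assumptions.
ROLE_FIELDS = {
    "clinician": {"name", "medical_history"},
    "billing": {"name", "insurance", "dob"},
    "platform_admin": set(),  # operates the platform; never reads patient data
}


class AuditLog:
    def __init__(self):
        self.entries = []

    def write(self, principal, record, outcome, reason):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": principal.user,
            "clinic": record.clinic,
            "patient": record.patient_id,
            "outcome": outcome,
            "reason": reason,
        })


def unscoped_read(record):
    """The weak pattern: any authenticated account receives the whole record,
    so one stolen front-desk login at one clinic reads every clinic's data."""
    return dict(record.fields)


def scoped_read(principal, record, audit):
    """The hardened pattern: tenant check first, then role-based field
    filtering; every decision, allowed or denied, is logged."""
    if record.clinic not in principal.clinics:
        audit.write(principal, record, "deny", "cross_clinic")
        return None
    allowed = ROLE_FIELDS.get(principal.role, set())
    if not allowed:
        audit.write(principal, record, "deny", "role_has_no_record_access")
        return None
    view = {k: v for k, v in record.fields.items() if k in allowed}
    audit.write(principal, record, "allow", "fields=" + ",".join(sorted(view)))
    return view


def flag_cross_clinic_probing(audit, threshold=3):
    """Detection over the audit trail: accounts repeatedly denied for reaching
    into clinics they are not entitled to. The threshold is a constructed value."""
    counts = Counter(e["user"] for e in audit.entries
                     if e["outcome"] == "deny" and e["reason"] == "cross_clinic")
    return {u: n for u, n in counts.items() if n >= threshold}


# Constructed sample data: two clinics hosted on one shared platform.
RECORDS = [
    Record("p-1001", "clinic-north", {"name": "A. Example", "dob": "1980-01-01",
                                     "insurance": "PLAN-1", "medical_history": "..."}),
    Record("p-2001", "clinic-south", {"name": "B. Example", "dob": "1975-05-05",
                                     "insurance": "PLAN-2", "medical_history": "..."}),
    Record("p-2002", "clinic-south", {"name": "C. Example", "dob": "1990-09-09",
                                     "insurance": "PLAN-3", "medical_history": "..."}),
    Record("p-2003", "clinic-south", {"name": "D. Example", "dob": "1966-02-02",
                                     "insurance": "PLAN-4", "medical_history": "..."}),
]


def run_demo():
    """A billing login entitled only to clinic-north tries to read every record
    on the platform. Returns (views keyed by patient_id, flagged accounts)."""
    audit = AuditLog()
    north_billing = Principal("front_desk_north", "billing", frozenset({"clinic-north"}))
    views = {r.patient_id: scoped_read(north_billing, r, audit) for r in RECORDS}
    return views, flag_cross_clinic_probing(audit)


if __name__ == "__main__":
    views, flagged = run_demo()
    for pid, view in views.items():
        print(pid, view)
    print("flagged:", flagged)
```

The order of checks matters: the tenant check runs before any role logic, so a valid credential for one clinic yields nothing from another clinic regardless of how privileged its role is, and the denial is still written to the audit trail. The detection function is deliberately simple; in a real platform the same audit entries would feed a SIEM rule rather than an in-memory counter.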

For patients, it shows that sharing data with one healthcare provider typically means other entities are involved in storing and managing that data, something patients rarely realize.

Administrative platforms will only become more important as the healthcare industry moves toward integrated systems and shared services. Securing them is not just a technical requirement; it is necessary to maintain trust among all stakeholders in the healthcare system.