Conor Hogan, Global Practice Director – Data Governance, Digital Trust, BSI oversees our global practice team of data protection and privacy professionals. His team supports clients from across the world to meet the evolving challenges of privacy and data protection compliance.
The future of healthcare includes a cybersecurity journey that every patient will take.
This journey will be a journey of availability.
As cybersecurity professionals, there are many mantras we all repeat. The foundational mantra of cybersecurity is easily the CIA triad: ‘confidentiality, integrity, and availability’. Another common mantra from the NIST CSF is ‘identify, protect, detect, respond, and recover’ which is also one that comes to mind immediately. Each practice in cybersecurity is ultimately focused on improving or protecting one of these three areas.
Confidentiality in clinical and non-clinical healthcare settings is by no means a new concept, protecting patient data is a fundamental tenant of practice with the mindset of ‘need to know’ and ‘sharing data only when necessary’ are engrained into clinicians and non- clinicians alike. The foundational beginnings of the cybersecurity industry began by protecting confidentiality in the financial industry. As protecting financial institutions and e-Commerce on the internet require strong confidentiality to work, confidentiality received more both monetarily and in terms of efforts to solve issues. Of course, integrity and availability also receive similar, but the leader has been, and will remain to be, confidentiality. This focus on confidentiality built the internet as we understand it. Without strong encryption and privacy on the internet, there would be no e-Commerce giants.
Globally there are legal requirements, which concentrate on the foundation mantra of CIA. Protecting the health data (electronic or otherwise) of patients is a federal requirement in the United States, as well as in many other countries. This law is known as HIPAA, which is the Health Insurance Portability and Accountability Act of 1996. HIPAA’s goal is based around protecting patient data referred to as ePHI (Electronic Protected Health Information) to improve portability. HIPAA doesn’t concern itself about the uptime of the electronic health record (EHR) system, just that the data that lives inside of it is protected. This has created a false sense of security in the healthcare sector, as not as much funding has been directed towards the integrity and availability of the ePHI. These investments have been made in the places that investors from the financial industry understand and in the place that regulatory requirements have made them spend: Confidentiality.
With the advances in edge computing and cloud-based technologies, today we are creating interconnected, digital, smart healthcare solutions. These systems are gaining traction by gathering more data and having more computing power to draw intelligence from these data sets. Using the data, we have even empowered ‘at home’ healthcare solutions with insulin pumps now able to increase, decrease or even stop insulin delivery based on measured and predicted interstitial fluid glucose readings.
In the future, these interconnected digital solutions will improve healthcare at a rapid pace. Soon, as compute and networking power continues to improve, remotely assisted or even AI assisted surgery looks possible. AI assisted diagnostic solutions are already making significant advances and should only continue to improve.
The future of healthcare includes a cybersecurity journey that every patient will take without knowing it. This journey will be a journey of availability. The digital revolution in healthcare can only happen with equipment online and security. As technology changes and more digital systems are relied upon, the “old way” of medicine will begin to look as odd as paper-based medical charting would look today. For example, when HIPAA was first introduced in 1996, estimates only ranged from 5 to 10% of physicians’ offices using some form of EHR system. Fast forward to 2020 and that number has reversed to an estimated 5 to 10% not using some form of EHR system. The change in a relatively short space of time is incredible. The ability for a patient care facility to “go back” to traditional medicine will disappear as those systems are retired and replaced. Or, to put it another way, once this digital journey starts, there is no going back.
This change is not without its challenges and issues however as the cyber-attacks we are seeing today are not only threats to release ePHI or sensitive trade secrets. These attacks are impacting the availability of systems to continue operations. Diagnostic systems, imaging systems, healthcare records, scheduling, and a myriad of other important systems are all digitized and networked. When under attack by threat actors, these systems are often made unavailable. The most well trained, intelligent, and fast acting care teams in the world can be rendered nearly useless without the ability to run any tests. Reverting to paper copies for records is common due to power failures, however its not as easy to manage imaging systems or diagnostics in the event of a cyber incident.
Recent news of hospital systems being compromised by ransomware, production of medicines halted by malware, and implantable medical devices with vulnerabilities highlights how immature the industry is in terms of understanding these and for mitigating these threats. Until recently, no one thought critical infrastructure and critical services would or could be attacked. These assumptions can no longer remain as attacks against medical providers and (insurance companies, government programs, assistance programs and individuals) are viewed as lucrative targets by cybercriminals and state actors perceived as being able to pay significant ransoms.
Today is the day to take action to protect, now and well into the future. One of the mantras that is repeated often in cybersecurity is the principle of taking a “secure by design” approach. This mantra refers to building security from the outset and acknowledges just how hard it is to secure a system after the design phase and after implementation. Adding strong cybersecurity protection into already designed, built or implemented systems is significantly more expensive and difficult than building security in from the start.
This “secure by design” approach will not happen without careful planning and the ability to leverage technology investments to their fullest. Network security architecture needs to meet the use cases and equipment in use. Equipment used needs to be securely designed, and be securely maintained. Policy needs to be implemented that ensures security controls are not by-passed without the risk being fully understood.
Like a physician treating a patient, today is the day to start because tomorrow may be too late.