Digital Health’s cybersecurity imperative
This article was written by Dave Anderson and was originally published on the BlackRidge Technology blog.
If you haven’t already heard, the age of digital health is upon us. And for healthcare providers, patients and consumers, it’s about time.
Digital health, sometimes referred to as eHealth or Mobile Health, comprises many elements, but for this inquiry I’ll focus on defining digital health as how healthcare companies, hospitals and care services companies, and patients are adopting and using wireless devices, hardware sensors, software sensing technologies, the Internet, social networking, health info tech, personal health devices or wearables, and mobile connectivity to empower more efficient tracking, management, and delivery of “healthcare.”
Already, digital health has shown that it can help us improve our own and our families’ health and live more productive lives. Digital health reduces many of the inefficiencies in healthcare delivery, improves access to healthcare information and services, increases the quality of delivery, and allows much more personalized application of healthcare to patients. Simply put, digital health focuses on connecting together the systems, tools, medical devices, and services that deliver needed healthcare to each of us, and it gives every player across the healthcare delivery landscape critical data insights that weren’t available before.
The opportunities of digital health also come with an inherent risk, which has the potential to inflict great harm if not properly addressed and mitigated. Fortunately, this risk is entirely manageable. Healthcare companies that have quickly shifted to digital health strategies are now facing questions that other companies in other industries have been asking for years. That is, how do they adopt a digital strategy and support automation while providing appropriate security and privacy controls across the entire network to which these systems connect?
Many organizations are looking to FDA guidance to help with these questions. According to the FDA, devices are allowed to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks. While the increased use of wireless technology and software in medical devices also increases the risk of potential cybersecurity threats, these same features improve healthcare and increase the ability of healthcare providers to treat patients. Addressing cybersecurity threats, and the resulting security risk to patient data, therefore becomes especially challenging. Since cybersecurity threats cannot be entirely eliminated, manufacturers, hospitals and facilities must work to manage them. There is a need to balance protecting patient safety against promoting the development of innovative technologies and improved device performance.
The nature of the healthcare industry overall introduces specific nuances that make the response to this question even more important. Healthcare organizations, particularly hospitals, must not only determine how best to secure the legacy systems and devices that support all functions of their business, but do so while simultaneously introducing new connected devices into their networks that were never designed with proper security measures in the first place. Many design and manufacturing firms of class 3 medical devices simply have no concept of even standard security processes, not only to ensure that the devices are manufactured securely but also to support proper access and authorization controls on the device itself and on the data the device creates. Because healthcare companies and hospitals deploy these devices across their networks, they are introducing new risks and vulnerabilities that could severely impact patients’ lives.
Many healthcare IT departments are trying to secure this new connected, digital health environment with static, reactive security products that were designed to detect and alert after a breach has occurred. Unfortunately, many of these companies are realizing that these technologies are ineffective, as they neither prevent a hack from occurring nor stop it from expanding once it happens. Attempts to secure data by adapting these products to segment key systems on flat networks built on the open-standard Internet Protocol (IP) have proven too complex and costly as well.
So, how is this playing out? A hospital CISO recently stated that they had deployed the newest firewall technology to segment their PHI systems and had robust security policies in place, and yet they were still hacked. Some hospitals are now starting to allocate operational budget to pay ransomware demands, as this is cheaper and easier than trying to adapt current products across their digital health environment. Data breaches will continue to grow in scale and frequency until these issues are addressed.
To better address these challenges, a new and more precise layer of trust is required across the digital health landscape, one that can lessen the impact of a security breach in health networks. Simply stated, if the IP address of a system can be found, the system can be attacked. This applies to healthcare systems, databases, medical devices, and even simple operational devices such as printers that are connected to a digital health network.
The ability to cloak systems and devices has become a very effective option that keeps any unknown or unauthorized user from ever seeing the health systems or devices, whether they are legacy or brand new. Companies can now completely prevent a bad actor from accessing critical and sensitive systems or devices that could expose patient data or jeopardize a device’s functionality. Because this capability acts before a network session is established (“pre-network session”), it adds no further complexity to the network’s topology and significantly reduces deployment time. A preventive approach that delivers faster “time to security” is becoming a strategic imperative for every healthcare organization.
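The cloaking idea described above, as an added example that is not BlackRidge’s product code and is not taken from this article: a simplified model of a gateway that authenticates the first packet of a would-be session against a sender identity and silently drops everything it cannot authenticate, so an unauthenticated scanner never receives any response from the protected device. The identity names, pre-shared keys, addresses and the HMAC-over-timestamp tag format are all constructed for illustration; a real deployment would derive identity from a hardware or directory credential rather than a static key table.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data for this illustration (not from any real deployment):
# a pre-shared key per authorized identity, and a policy saying which identity
# may reach which cloaked device.
IDENTITY_KEYS = {
    "pump-mgmt-console": b"constructed-key-1",
    "radiology-workstation": b"constructed-key-2",
}
DEVICE_POLICY = {
    "10.0.5.20": {"pump-mgmt-console"},       # infusion pump controller
    "10.0.5.30": {"radiology-workstation"},   # PACS server
}
TOKEN_WINDOW_SECONDS = 30   # tolerated clock skew / replay window


@dataclass
class FirstPacket:
    """The first packet of a would-be session (a SYN, in TCP terms)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    identity: Optional[str] = None   # absent on an ordinary, untagged SYN
    timestamp: Optional[int] = None
    token: Optional[bytes] = None


def make_token(identity: str, key: bytes, dst_ip: str, dst_port: int, ts: int) -> bytes:
    """Bind the identity to this destination and this moment with an HMAC."""
    msg = f"{identity}|{dst_ip}|{dst_port}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def tag_packet(identity: str, dst_ip: str, dst_port: int,
               src_ip: str = "10.0.1.5", now: Optional[int] = None) -> FirstPacket:
    """What an authorized client's stack would attach to its first packet."""
    ts = int(time.time()) if now is None else now
    token = make_token(identity, IDENTITY_KEYS[identity], dst_ip, dst_port, ts)
    return FirstPacket(src_ip, dst_ip, dst_port, identity, ts, token)


def gateway_decision(pkt: FirstPacket, now: Optional[int] = None) -> str:
    """Return "FORWARD" or "DROP". A DROP is silent: no RST, no ICMP, nothing
    that would tell the sender the device behind the gateway exists."""
    now = int(time.time()) if now is None else now
    allowed = DEVICE_POLICY.get(pkt.dst_ip)
    if allowed is None:
        return "DROP"                         # not a device we publish: default deny
    if pkt.identity is None or pkt.identity not in IDENTITY_KEYS:
        return "DROP"                         # untagged or unknown sender
    if pkt.identity not in allowed:
        return "DROP"                         # known identity, wrong device
    if pkt.timestamp is None or abs(now - pkt.timestamp) > TOKEN_WINDOW_SECONDS:
        return "DROP"                         # stale or replayed tag
    expected = make_token(pkt.identity, IDENTITY_KEYS[pkt.identity],
                          pkt.dst_ip, pkt.dst_port, pkt.timestamp)
    if pkt.token is None or not hmac.compare_digest(expected, pkt.token):
        return "DROP"                         # forged or tampered tag
    return "FORWARD"


def visible_ports(src_ip: str, dst_ip: str, ports: List[int],
                  now: Optional[int] = None) -> List[int]:
    """Model what an unauthenticated scan learns: the ports on which the
    gateway lets an untagged first packet through (and so might answer)."""
    return [p for p in ports
            if gateway_decision(FirstPacket(src_ip, dst_ip, p), now) == "FORWARD"]


if __name__ == "__main__":
    t = 1_700_000_000
    ok = tag_packet("pump-mgmt-console", "10.0.5.20", 443, now=t)
    print("authorized console ->", gateway_decision(ok, now=t))
    print("untagged scan sees ports:", visible_ports("192.0.2.9", "10.0.5.20", [22, 80, 443], now=t))
```

Two design points carry the security argument. The drop is silent, so a host that cannot present a valid identity observes the same thing whether the device is present or not; that is what makes the device invisible rather than merely closed. The tag is bound to the destination and to a short time window, so a captured tag cannot be replayed against another device or after the window lapses; the access decision is made from identity and policy before any application session exists, which is what the text means by acting “pre-network session.”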
According to TMR, the size of the digital health market in 2016 was estimated at $180 billion and is expected to grow to $537 billion by 2025. So, these cybersecurity challenges aren’t going away. Healthcare organizations have an opportunity right now to embed cloaking technologies that can significantly reduce the risk of a security breach to their critical patient care delivery systems and connected devices. Older security methods that try to detect a breach after it has already occurred simply react rather than prevent, and they introduce far too much complexity and cost in deployment across a hospital network. With the increasing value of patient information to hackers, we’ll continue to see healthcare organizations, especially hospitals, targeted through their connected systems.
3 key take-aways on the digital health security opportunity:
1. Leading healthcare companies will begin to look at new security technologies that can prevent security threats, rather than simply detecting breaches after they have already occurred, and this will significantly improve the level of protection provided and reduce operational costs.
2. New security technology will enable the cloaking of networks, allowing only authorized users to even see a system or device. The risk of a compromise is virtually alleviated when IT systems are visible to only known and authorized identities.
3. Every player across the digital health eco-system needs to be responsible for cybersecurity and for addressing patient safety risks. Preventive models and cloaking technologies can be applied “pre-market” to protect against unauthorized access by non-malicious insiders, where vulnerabilities can be introduced.