Age of digital health – Cybercriminals sharpen focus on healthcare
12 June, 2021, 3:50 pm
If you haven’t already heard, the age of digital health is upon us. And for healthcare providers, patients and consumers, it’s about time.
Digital health, sometimes referred to as eHealth or Mobile Health (mHealth), comprises many elements, but I’ll focus on defining digital health as how healthcare government departments, companies, hospitals and care services companies, and patients are adopting and using wireless devices, hardware sensors, software sensing technologies, the internet, social networking, health info tech, personal health devices or wearables, and mobile connectivity to empower more efficient tracking, management, and delivery of ‘healthcare’.
Already, digital health has shown potential to improve our own and our family’s health and to help us live more productive lives. Digital health reduces many of the inefficiencies in healthcare service delivery.
It improves access to healthcare information and services, increases the quality of delivery, and allows much more personalised application of healthcare to patients. Simply, digital health focuses on connecting the systems, tools, medical devices, and services together that deliver needed healthcare to each of us and gives critical data insights to each person across the healthcare delivery landscape that weren’t available before.
The opportunities of digital health also come with an inherent risk, which has the potential to inflict great harm if not properly addressed and mitigated. Fortunately, this risk is entirely manageable. Healthcare companies that have quickly shifted to digital health strategies are now facing questions that other companies in other industries have been asking for years.
That is, how do they adopt a digital strategy and support automation while providing appropriate security and privacy controls across the entire network to which these systems connect?
While the increased use of wireless technology and software in medical devices also increases the risks of potential cybersecurity threats, these same features also improve health care and increase the ability of health care providers to treat patients effectively.
Addressing cybersecurity threats and the subsequent security risk to patient data becomes especially challenging.
As cybersecurity threats cannot be entirely eliminated, manufacturers, hospitals and facilities must work to manage them. There is a need to balance protecting patient safety and promoting the development of innovative technologies and improved device performance.
Government health ministries and private organisations, particularly hospitals, must not only determine how to best secure legacy systems and devices that support all functions of their business, but do so while they are simultaneously introducing new connected devices into their networks that have not been designed with proper security measures in the first place.
Many healthcare IT departments are trying to secure this new connected, digital health environment with static, reactive security products that were designed to detect and alert when a breach has occurred.
So, how is this playing out? Unfortunately, some hospitals are actually starting to allocate operational budget to pay off ransomware attacks, as this is cheaper and easier than trying to adapt current products across their digital health environment.
Hackers will always look for vulnerabilities to exploit, and if one approach doesn’t work, they will devise another and try again. The digital healthcare ecosystem is always evolving, too, and cybersecurity risk awareness has grown in recent times. Even before the escalation in ransomware cyberattacks in late October 2020, a sobering report from Germany in September 2020 of the first known death of a patient tied to a ransomware attack has made digital healthcare leaders more sensitive to the consequences of a successful breach.
A strong cybersecurity posture is a critical part of delivering the highest quality care and operating efficiently.
Unfortunately, a recent report shows that health care providers are the most targeted sector for cybercrimes, accounting for 80 per cent of all reported breaches. Nearly 500 providers were breached in 2020, affecting just over 16.5 million patients.
The past 18 months have solidified the need to be prepared for the unexpected, whether that is a global pandemic, a natural disaster or anything in between. New threats are constantly shifting and emerging. For instance, the COVID-19 vaccine distribution pipeline is now facing serious cybersecurity risks as hackers attempt to take advantage of vulnerabilities in the massive global effort.
Cybercriminals continue to sharpen their focus on health care. By including stronger, more proactive cybersecurity measures in your organisation, patients and providers will be better protected from the dire consequences of an attack.
As the keeper of valuable patient data, it’s no surprise that the health care sector is one of the biggest targets for ransomware attacks. Many organisations lack visibility into the points of entry to their enterprise network, such as desktop computers, laptops, mobile devices, printers, medical devices and more. Also, hospitals often face a lack of cybersecurity experts and financial resources. Manual processes and an overwhelming number of alerts also create challenges.
You can’t kill someone with a computer virus, yet laptops and smartphones have more protection against hacking than most medical devices charged with keeping us alive! Take, for instance, the computerised insulin pumps that some diabetes patients use instead of injections for maintaining normal blood sugar levels.
What if someone ‘hacked’ one of these pumps? They could change how the insulin is delivered and put the patient in a potentially life-threatening situation. This is just one example of the dangers of medical device hacking. Other health care machines, such as MRI scanners, pacemakers and heart rate monitors, are also at risk.
With the increasing penetration of digital health, IoT, and connected medical device technologies to support growing healthcare demands, cybersecurity and data privacy are becoming the primary concerns of the digital health industry. Data breaches are estimated to cost the healthcare sector a whopping $US400 billion ($F812 billion) over the next five years.
The most serious breach of personal data in Singapore’s history (SingHealth) happened in July 2018, where even the Prime Minister’s health records were compromised! For a healthcare provider, a technology developer, or an investor looking into the digital health space, it is absolutely vital to consider the cybersecurity implications and how they impact your business decisions. Here are a few key considerations you should think about.
Cybersecurity threats can range from state-sponsored attacks to ransomware attacks by individuals or groups.
However, cybersecurity threats don’t just stem from outside sources; they can come from internal sources as well, sometimes with no intent to harm, but rather by accident. In 2019, a Merge Hemo machine (a medical device that supports heart catheterisation) suddenly became unresponsive in the middle of an operation. Fortunately, the cardiologists were prepared, and the disruption was temporary. Further investigation revealed that the computer system had undergone an ill-timed software update, which automatically rebooted the system! Such simple and overlooked cybersecurity risks could potentially be life-threatening.
Traditionally, for the past few decades, ‘detection’ has been at the centre of all cybersecurity protection tools, be it anti-virus, sandboxing, machine learning, threat intelligence, intrusion detection, or network analysis tools. Every technology is, fundamentally, trying to ‘detect the bad guys’ in a bid to remove them if found. The deficiency of this approach is that countless new pieces of malware are being developed every day around the world.
Security should begin as early as the concept stage. Many organisations think about security as a layer that gets built in ‘later’ – but this leaves room for vulnerabilities that were not thought of at the start. An analogy would be to think about building a house. It is crucial to build a strong foundation, but this thinking should start even at the planning stages. Retrofitting or going back later can help, but often still leaves vulnerabilities.
With the ever-increasing sophistication of advanced malware, it is critical for enterprises working with digital health solutions to embrace a holistic approach to cybersecurity by looking at three factors – people, process, and technologies:
- People — have multilevel, customised training for different levels of staff. The best technology and solutions do not mean much if individuals in an organisation are not well-equipped to respond to a cybersecurity threat;
- Process — do not just focus on paper compliance and certifications, but engage strong cyber audit service providers, cybersecurity experts or ‘ethical hackers’ to conduct vulnerability assessments and penetration tests; and
- Technologies — look beyond detection and augment with prevention-centric paradigms.
As a wiser man than me observed: “We’re seeing an interesting convergence of technology, health, social issues and human progress.” As always, God bless you all and stay safe and secure in both physical and digital worlds this weekend.
- Ilaitia B. Tuisawau is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on email@example.com