With the increasing penetration of digital health, IoT, and connected medical device technologies to support growing healthcare demands, cybersecurity and data privacy are becoming the primary concerns of the digital health industry. Electronic health records (EHRs) of patients have been used to create fake identities, purchase medical equipment and medications, or even file false insurance claims. Data breaches are estimated to cost the healthcare sector a whopping US$300 billion over the next five years. The most serious breach of personal data in Singapore's history happened just last year, where even the Prime Minister's health records were affected. For a healthcare provider, a technology developer, or an investor looking into the digital health space, it is absolutely vital to consider the cybersecurity implications and how they impact your business decisions. Here are a few key considerations you should think about:
1) Cybersecurity isn't just an external threat; it can be internal as well:
Cybersecurity threats can range from state-sponsored attacks to ransomware attacks by individuals or groups. However, cybersecurity doesn't just stem from outside sources, but can come from internal sources as well, and sometimes with no intent to harm, but rather by accident. In 2016, a Merge Hemo machine (a medical device that supports heart catheterization) suddenly became unresponsive in the middle of an operation. Fortunately, the cardiologists were prepared, and the disruption was temporary. Further investigation revealed that the computer system had undergone an ill-timed antivirus software update, which automatically rebooted the system, leading to a temporary period of unresponsiveness. Such simple and overlooked cybersecurity risks could potentially be life-threatening.
Timeline of Singapore's personal data breach | Source: Channel News Asia
2) Digital vulnerabilities in healthcare are more common than you think:
Make no mistake, vulnerabilities and loopholes in both IT and IoT health cybersecurity are much more widespread than you think. Take, for example, one of the most common file types for storing and transmitting medical images across healthcare institutions, called DICOM (Digital Imaging and Communications in Medicine). DICOM is a very specialized file format created almost three decades ago specifically for the healthcare industry. The structure of a DICOM file is similar to that of an archive file, essentially being a container holding multiple files within it. Hence, it is possible in theory to "hide" malware, such as ransomware, inside a DICOM file, which can potentially lock down an entire hospital network, incapacitating the provision of care and potentially endangering lives. Such extreme scenarios are not just hypothetical. In 2017, the WannaCry ransomware exploited a vulnerability in Windows and nearly crippled the National Health Service (NHS) in the U.K. Microsoft had previously released patches to fix this vulnerability, but some hospitals had not applied these patches, and others were using older Windows systems. The hack hit one-third of hospital trusts and 8% of GP practices in the U.K, costing almost £100 million.
Computer hit with the WannaCry Attack | Source: AP
3) We must augment detection-centric approaches with prevention-based ones:
Traditionally, for the past few decades, "detection" has been the center of all the cybersecurity protection tools, be it anti-virus, sandboxing, machine learning, threat intelligence, intrusion detection, or network analysis tools. Every technology is, fundamentally, trying to "detect the bad guys" in a bid to remove them if found. The deficiency with this approach is that there are countless numbers of new malware being developed every day around the world. Such new malware ranges from variants of existing malware to completely redesigned malware that is making use of zero-day (meaning new, or "just born") vulnerabilities in operating systems and commercial applications. As a result, it becomes increasingly difficult to keep up with the latest zero-day malware. We may detect it today, but perhaps we won't be able to tomorrow. Thus, the fundamental inadequacy in detection-centric technologies necessitates augmentation with prevention-based technologies. One way is to consider "sanitization" and/or "microsegmentation." The idea is to deconstruct, neutralize, and reconstruct any content to its purest native form. Any file that doesn't follow predefined rules, such as macros, embedded scripts, or files, will be dropped whether it has a virus or not. Imagine having a Word document converted to an HTML file – all the Word-specific features get dropped, and when we try to rebuild the file to the way we understand it, any unwanted impurities get removed. This is a complicated process, but many cybersecurity consultants and developers can offer these services today.
4) Take a security-by-design approach, and not as an afterthought:
Security should begin as early as the ideation stage. Many organizations think about security as a layer that gets built in "later" – but this leaves room for vulnerabilities that were not thought of at the start. An analogy would be to think about building a house. It is crucial to build a strong foundation, but this thinking should start even at the planning stages. Retrofitting or going back later can help, but often still leaves vulnerabilities. At every stage of product design and development, startup founders are advised to consult experts, or "ethical hackers," to do penetration testing and try to hack their product. By doing so, vulnerabilities can be identified early on.
Security is always use case-dependent. It is always a trade-off between usability and convenience, and each healthcare stakeholder must make an internal determination on what level of "convenience" is necessary to give up ensuring a safe and secure environment to operate digital health tools, be it health IT or IoT solutions. With the ever-increasing sophistication of advanced malware and the different considerations discussed above, it is critical for enterprises working with digital health solutions to embrace a holistic approach in cybersecurity by looking at three factors – people, process, and technologies.
- People: Have multilevel, customized training for different levels of staff. The best technology and solutions do not mean much if individuals in an organization are not well-equipped to respond to a cybersecurity threat.
- Process: Do not just focus on paper compliance and certifications, but engage strong cyber audit service providers or "ethical hackers" to conduct vulnerability assessments and penetration tests.
- Technologies: Look beyond detection and augment with prevention-centric paradigms like sanitization and microsegmentation where necessary.
- Report: Hacking the IoT: An Overview of Technology Innovation in IoT Security (Members Only)
- Report: The Digital Transformation of Healthcare (Members Only)
- News: The Telegraph - WannaCry cyber attack cost the NHS £92m as 19,000 appointments cancelled
- News link: Channel News Asia - Singapore health system hit by ‘most serious breach of personal data’ in cyberattack; PM Lee's data targeted