While cybersecurity is an issue constantly addressed by the media and something small and large businesses alike are consistently focusing on, one of the biggest digital dilemmas comes from the healthcare system. This may be unsurprising, given that financial records and personal data are all stored within patient care files. Hackers are fully aware of the value of this data, and it’s about time that the medical industry shows that it does as well.
Sadly, one in four consumers have had their healthcare data breached. This calls for swift action by the players in the field. Some experts think that the answer can be found in blockchain. That’s right — the same technology that secures Bitcoin and other cryptocurrencies could soon become the key to protecting patient records.
While there has been ongoing discussion among government and finance officials about the actual risks of cryptocurrency, it’s generally agreed upon by tech experts that blockchain is one of the most secure ways to go. Will the world see this technology implemented into its healthcare systems soon, though? It’s very possible that the answer is “yes.”
The Security of Blockchain Makes It the Best Ledger for Healthcare Networks
The reason that blockchain technology is a regular part of public discussion and is being normalized in new industries so frequently is its transparency and security measures. It’s garnered public, private, criminal, and government interest due to this, and it’s doubtful that its popularity will stop anytime soon. But what is it about the ledger that makes it so safe?
Primarily, it’s the unique approach it takes to security keys. There wouldn’t be a way for someone to modify or corrupt information within a blockchain system without the relevant key. At one point it was even believed that the technology was unhackable. While there is still debate over what it means to hack blockchain networks and whether or not it’s even been done, that debate still points to the safety of those networks at large. Without a doubt, it is the most secure ledger for protecting personal data — and hospitals may need it the most.
Making It Official
The extent to which blockchain is being adopted cannot be overstated. Government officials are starting to explore the technology, and the big four investment firms are even beginning to pay attention to it. But what does this mean for the healthcare industry?
Well, right now, blockchain is still not the norm. Currently, if a hospital or healthcare organization wants to adopt it, they are probably making the best move in terms of security.
While there are downsides to this kind of mass adoption (discussed at further length below), it also calls for advancements to be made, which could better these systems as a whole. It should be noted that with something as new as blockchain technology hitting the greater market, there are a lot of changes bound to happen that cannot be accurately predicted right now.
The Adoption of Blockchain in Culture May Challenge Security
Granted, it is very important to recognize that blockchain’s mass acceptance could adulterate the technology. With businesses at large implementing it into their operations and the parallel use of mobile money tools in modern society, people are going to start looking for loopholes. Hackers are going to make it their duty to try and disrupt it.
For this reason, there need to be external precautions set up for security. A good example is business insurance — something necessary for every hospital, even with blockchain implementation. The loss of large amounts of data is bound to occur, so hospitals need to be protected, even when their systems seem foolproof.
Right now, hospitals and organizations at large need to understand that blockchain is a very important technology to the future of healthcare. But it cannot be solely depended on, either. Other precautions need to be taken to protect patient data by the healthcare industry. Blockchain may be the best option healthcare networks have for data security.
It is not uncommon, in today’s age, to do large amounts of personal business online. This includes discussing or sharing medical records. You may think that any place that shares your medical records online would invest in intense digital security, but you would be surprised.
It takes just a small mistake on the part of the health organization working with your records and your data can be breached. In fact, there have been multiple examples of large medical organizations allowing thousands of patients’ information to be leaked.
In 2010, Columbia University Medical Center and New York-Presbyterian Hospital were victims of cyber security attacks involving the theft of close to 6,800 patient records. A Temple University doctor had his laptop stolen which contained the private medical files of nearly 4,000 patients. These are just two of way too many examples.
Part of the problem is that these records are being protected by individuals not properly trained in digital security. Medical professionals all know about HIPAA (Health Insurance Portability and Accountability Act) — a US law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers.
They know that you don’t share medical information with anyone who isn’t approved in writing by the patient. But even that standard is often broken by some medical professionals. So, if some people in the medical industry are willingly leaking information, just imagine how often information is leaked accidentally.
So, what can you do? As with most instances of digital security, it is best to take matters into your own hands. The only person who will always, 100 percent of the time, advocate for you – is you. It is vital that you do everything you can to protect yourself and your data when going online. This can prevent others from ascertaining your location, medical data, personal data, and much more.
Let’s take a look at a few ways that you can protect yourself in the digital realm:
Be aware of whom you are communicating with
It might be obvious that you shouldn’t send personal information to strange email contacts or social media profiles, but not everyone considers the authenticity of medical websites. Often, people will look up medical advice and find themselves sharing personal details with any random website that offers to let them chat with a “real” medical professional.
These websites can not only put your medical information at risk but also your credit card information since we guarantee you won’t get to chat with anybody without coughing up your card number.
Beyond that, it is also important to consider the applications your medical facility is using to share your information. Before agreeing to access your data digitally, look into the software they are using to ensure it is considered respectable and safe.
The implementation of electronic health records (EHR) is not a new thing in the industry. The digital wave has completely transformed the way medical records are maintained. With increased demand for efficiency and faster solutions, more and more medical practices are embracing EHR to simplify and organize their data storage process. Initially, many providers were reluctant and hesitant to use EHR. However, with Medicare and Medicaid incentive programs, providers are encouraged to adopt EHR. As a result, since the time EHR implementation began in 2009, around 73 percent of providers have registered for the EHR incentive program.
However, some challenges still hinder EHR adoption and slow down the process for many. The initial implementation may be easy, but the user experience was not a good one for many.
Here are some of the obstacles that medical practices, healthcare professionals and others from the healthcare industry face while leveraging EHR:
Software testing and quality assurance have grown in critical importance for companies. Over the past few years, it has established itself as a formidable career choice, and that growth is unlikely to stop anytime soon. As the name implies, quality assurance is all about maintaining “high quality” on a constant basis. It isn’t surprising at all to see the concept making its way to the core of several industry verticals, including healthcare.
Quality monitoring is gaining momentum for purchasers, patients, and providers who strive hard to evaluate the value of health care expenditures. Over the past decade, science has evolved in regards to quality measurement despite a few challenges that might be a counterforce to the demands of cost containment. Well, the following post explores those crucial challenges that must be addressed in the Healthcare sector. But before that let’s take a bit of a detour which will eventually lead us to the answer.
Why the healthcare sector needs QA and testing
Speed and quality are among the core essentials that serve the healthcare industry more efficiently, leading to a significant number of inventions and advancements. One of the best examples of how digitalization is transforming the industry is that more and more people and devices are connected to deliver meaningful inferences from the data generated.
Technology is the best support system, where different kinds of applications are created to deliver the best services even at a distance. There has been a sudden increase in healthcare products such as wearables, followed by applications, especially the ones associated with them. It may interest you to know that these products have a big market and will continue to have a tremendous impact on the economy in the coming years. Below are a few reasons why QA testing tools and testing are crucial in the healthcare industry.
#1 Big Data Testing in Healthcare: Because it holds tons of information related to patients’ health conditions, the healthcare industry is believed to be one of the most data-intensive sectors. Several healthcare institutions and the associated segments rely on it to devise the right strategy for building the right and relevant kinds of products. Initially invented to derive the right inferences and data points, big data testing also helps in making certain decisions in regard to drug inventions, disease cure, and, last but not least, research and development. These decisions are some of the best and most informed ones that anyone could take.
#2 Security of applications: I am sure you will agree with me when I say that healthcare websites hold the most sensitive kind of data about their patients and their health-related information. Through security testing and penetration testing, we can make websites, as well as applications, hack proof and sustainable, especially in a challenging digital scenario. It is very important to conduct quality assurance and testing to ensure the security of all such applications.
#3 Usability testing in healthcare: Usability testing is the most required in the health care industry. However, there are various features and user scenarios that a pharmacist or a nurse can face during their working hours. Do you think these tasks are of prime importance? Absolutely not! In fact, they can be eased with the help of automation, adding more features that will help to simplify the entire process.
QA Challenges in Healthcare Apps
The healthcare industry has also started to introduce mobile platforms across the care delivery cycle, creating a voluminous medical app market. Below are a few QA challenges concerning the testing of healthcare mobile apps and how to get over them.
Challenge #1 Users and their expectations
Software usability has been a core element in the healthcare industry. Look at EHR systems: it is very important to come up with something that not only offers accurate physical records but also aggregates physical activity recommendations with nutrition tracking. While testing an mHealth app, think about situations in which patients may need it. In critical cases, older patients can make the most of a condition management app that helps them find out what their actual condition is and tap the emergency call button at an extreme point.
In addition, healthcare mobile apps have the potential to influence stakeholders, including patients, caregivers, care team members, administrative staff, insurers and more. The app should adequately support their workflows, so QA specialists need to get a good picture of basic user needs. For example, a patient may like to connect his or her smartwatch to the app to monitor heart rate while exercising, or a physician may like to review a patient’s treatment plan progress remotely.
It has become clear in the last few years that when it comes to cybercrime, hackers are not fussy about which organization or sector they focus on – if there’s profit to be made, anyone is a potential target.
However, there are of course institutions which will always be of particular desirability to cybercriminals. Financial institutions, banks and retail are among the most targeted because the goal of most cyberattacks is financial gain, and organizations in these industries are the most lucrative targets for cybercriminals. The healthcare sector is also heavily targeted because of the personal data it holds. This data may be stolen and used for different purposes, including fraud. As a consequence, the focus on healthcare institutions by hackers has ramped up in recent years.
This increased attention on the health sector is because of hackers seeing it as an inexhaustible source of money. On multiple occasions, media reports have described leaks of data from medical centers, followed by a ransom demand sent to clinic management and patients.
There are a number of other ways criminals can monetize attacks on healthcare equipment and applications. These include threatening patient health by altering stored information; using stolen data to fraudulently obtain access to medical care or controlled medications; leveraging personal information on patients and their family members; and sabotaging websites and/or infrastructure on behalf of unscrupulous competitors. Attacking healthcare institutions also allows criminals to resell stolen data to third parties such as insurance companies, healthcare providers, banks, and others, who can use this valuable information for a number of purposes (such as advertising, research, or even discrimination based on pre-existing conditions).
One such specific way that criminals can carry out attacks is by exploiting advancements in health technology and equipment in recent years. We’ve seen an increasing number of medical devices such as pacemakers, drug pumps (like insulin infusion devices), implantable defibrillators, and other devices implementing wireless connectivity for doctors to control and fine-tune their work and update firmware. This makes these devices potentially incredibly dangerous for patients. A criminal could research and reverse communication protocols and exploit vulnerabilities in a simple piece of software used in those tiny devices, for example changing the heart rate controlled by pacemakers, injecting incorrect doses of drugs or even making them show the wrong data — leading doctors to the wrong conclusions and causing them to make mistakes in their treatment.
By Shane MacDougall, senior security engineer, Mosaic451
The other day I was asked what is the biggest information security threat facing any company in 2019. Is it ransomware? Some AI-powered malware? Overpowering DDoS attacks? I didn’t hesitate – the answer is the same as it has been since I was first asked the question over two decades ago. The biggest threat to our infrastructure remains our users.
Social engineering, an attack where hackers extract information and access, not from traditional hacking attacks, but rather by interacting with a person in conversation, remains a devastatingly effective method of gaining unauthorized information or access to a network. It’s an attack vector that rarely fails. Unlike logical attacks, social engineering leaves no log entries to trip IDS or alert security admins. As organizations invest more dollars into security appliances and next-gen blinky boxes designed to harden their perimeter, attackers are increasingly opting to target the weakest link – the end user.
Recently, I was in Canada at the Hackfest hacker conference in Quebec, as host and organizer of the second installation of its social engineering “capture the flag” competition. The three part competition had the competitors first spend a week searching for specific pieces of information (flags) about their target company, from a list of items provided by Hackfest. The flags range from information that can be used for an onsite attack (who does your document disposal, what is the pickup schedule), those that can be used for a logical attack (type of operating system, service pack level, browser and email client information), networking information which gives the attacker information about the infrastructure (wifi info, VPN access, security devices), and finally information about the employee and the work environment, which could be used to help the attacker pose as an insider.
The second portion of the competition had the contestants hop into a soundproof booth, where they were given 25 minutes to call their target company in front of an audience and to gather as many flags as possible based on their dossier information. The third and final segment had competitors randomly draw a target; each contestant then had 30 minutes to use the audience members to search the web for flags or phone numbers to create a workable dossier. Each competitor was then put back into the booth to make another 25 minutes’ worth of calls in hunt of flags.
The results of this year’s contest were eye opening, but sadly reminiscent of last year’s event. Of the eight companies targeted, all gave out information that would give an attacker an advantage for a remote attack, on-site attack, or both. Specific breakdowns of results include:
75 percent visited a URL provided by their attacker
100 percent gave information about what version operating system/service pack version they were running
88 percent gave detailed information on what internet browser they were using
75 percent divulged information about Wi-Fi within their network
63 percent divulged information about secure document shredding, including their provider and the schedule for disposal
63 percent divulged detailed information about their email client
75 percent gave detailed information about the internal computer network
75 percent shared personal information about themselves and their work history
There’s no question that the forward march of medical technology has improved personal and public health, creating lasting positive change for humanity. New technology, however, sometimes comes with risks. While those risks rarely outweigh the potential advantages, fully exploring and preparing for them is an important responsibility.
New Solutions Pose New Dangers
One demonstration of this relationship occurred as we were developing medical devices meant to be used inside the human body. Using medical devices internally presents the problem of contamination from external sources, and we learned that killing bacteria isn’t enough — specifically, we discovered that the endotoxins produced by dead bacteria can also be harmful.
That particular issue, we’ve already solved. It is, however, an excellent example of how new benefits can present dangers that we hadn’t contended with before: our ability to kill bacteria presented a new problem as our technology continued to improve, and we started putting medical devices inside the body. We realized that some types of dead bacteria are still dangerous, and that our sterilization standards had to improve.
This relationship between new advancements and new risks continues today, although it takes different forms. The hot-button issue these days has more to do with data and privacy, which, while not directly health related, carry significant risks when breached.
Healthcare Data Innovations and Breakthroughs
Our ability to collect, process, and draw conclusions from ever larger amounts of data has been a huge boon to the medical industry.
Asset tracking is the process of using fluid, regularly updated databases to keep track of physical assets and tools at a facility. However, it’s useful in many more ways than inventory management. Scanning and mobile device technology allows an asset to be kept track of at every point in its journey, from storage to use.
This method of tracking and categorizing physical assets, as well as patients, can be very useful in preventing serious accidents caused by miscommunication. Even life-threatening mistakes, such as wrong-site surgery, can be prevented by good data management. Timing, types, and amounts of medication can also be streamlined with this process, which could for example automatically sweep a database for potential adverse reactions or conflicts before a drug is prescribed to a patient.
Giving doctors access to a digital database that covers a patient’s entire history is another advantage that advanced data technology can provide. These databases can be populated with information from several different sources, including family doctors, specialists, and even self-reported data. A doctor can have access to the notes of their peers in the medical community quickly and easily, vastly improving the care that a patient receives.
From a management point of view, new data technologies allow administrators to streamline the operations of their offices and hospitals. Understanding how to best utilize staff for a balance of efficiency and quality has a direct impact on the health of patients.
Predictive analytics are another area which can be hugely beneficial to the healthcare field. Basically, it’s an automated process that does much of the work a doctor does already: look at a patient’s history, compare it with current medical knowledge, and use it to make predictions about that patient’s future needs. The difference is the scale at which it can be performed when automated and the sheer volume of up-to-date data that can be included. Doctors can’t be expected to keep up to date with every new study, but a database can be populated with that information to compare against.
On both a wide and individual scale, the applications of our improving data technology are saving lives and improving the quality of life of patients.
All this integration, however, comes with those pesky risks. Not nearly enough to warrant halting progress but enough to need heavy consideration.
Cybersecurity in Healthcare
The problem with health data is it’s often some of the most private and consequential data about human beings. That, unfortunately, makes it some of the most profitable to identity thieves, and even advertisers with few scruples. Healthcare data can be held to ransom, used for identity theft, or even insurance fraud. As DeVry University notes: “Your name, address, date of birth and Social Security number are all in one convenient location — ripe for stealing. Cybercriminals can take your private health information (PHI) and sell it for high prices. In fact, stolen medical records sell for 10 to 20 times more than stolen credit card numbers.”
Guest post by Sean Hughes, EVP managed document services, CynergisTek.
Healthcare has spent a significant amount of both human and financial capital addressing the security of their environments over the last several years – but have we forgotten a major vulnerability?
Printers and print-related devices (e.g. copiers, fax machines, scanners, etc.) continue to be a major component of our infrastructure and a big part of our clinical and business workflows, yet in most organizations, they continue to represent a gaping hole in our defenses. The advent of the EHR has not equated to the perceived reduction in print, but rather some research shows it’s responsible for an 11 percent increase in print in healthcare over the same time as the implementation of this technology. This increase in print volume brings with it an increase in the number of devices required to process the paper.
The approach most organizations have taken related to the security of these devices falls into one of two categories: segmentation of the network or reliance on manufacturers for “secure” devices. These approaches vary significantly from the approach most organizations have taken for other endpoint computing devices and leave an organization open to the possibility of negative outcomes.
The industry has seen an increase in the computing power of these devices (e.g. internal hard drives, scan to file or application, residual data on devices, mobile printing, USB-enabled device access, etc.) and the bad guys are aware of this. More and more we see stories in the news of print devices being used as entryways for bad guys to circumvent our protections and put our data and our organizations at risk. According to an article published by BBC News in February 2017, “Hacker Briefly Hijacks Insecure Printers,” a hacker was able to access more than 150,000 printers that were briefly left accessible via the web.
The most effective way to address this threat is to treat these devices no differently than all our other data endpoints, be it a desktop, server, or any other piece of infrastructure. We need to look at these devices and ensure they meet the same security standards.
The most effective way to mitigate risks starts with knowing what the risks are. The first step should be a comprehensive printer fleet security assessment that is part of your overall security program. This can be accomplished either through your internal processes or by engaging a competent third party. Either way, you need to know what you don’t know, and you need to know it now.
The results of that assessment will drive the remediation efforts as well as define the ongoing measures our organizations should take. These steps will be directly related to the vulnerabilities identified but will most likely fall into the following categories: