We tend to have a negative view of risk, regarding it as a danger to the business. But, it also presents opportunities to push boundaries. If we reframe risk as a change-maker, then what degree of risk is acceptable? The healthcare industry faces this conundrum at every turn. Whether testing a toxic chemotherapy drug that could be lifesaving, or adopting IoT devices that provide detailed analytics, these advances can all expand the threat landscape.
Unlike testing pharmaceuticals in a controlled lab setting, the world of cyber and its risks are in constant flux. Healthcare data is at the top of cybercriminals’ lists, contributing to a record number of breached health records in the past year. Full patient medical records are a valuable commodity on the dark web and sell for up to $1,000 each.
Now, healthcare organizations can’t stay stagnant in implementing protections.
The reality of highly regulated industries is that compliance mandates tend to govern security operations. But where regulations are cut and dried, risks do not fit neatly into boxes of “high risk” and “low risk.” Instead, risk is on a spectrum that requires a holistic cybersecurity strategy to appropriately prioritize and mitigate risk according to what is deemed acceptable.
To help healthcare organizations mature security policies and become more comfortable with risk, here are three recommendations for 2020 cybersecurity planning:
Imagine for a second: you’re walking through the busy halls of your local hospital, only to notice that the doctors and nurses around you are constantly checking their phones and tablets. It strikes you as odd, and you can’t help but think: Isn’t anyone getting any work done around here?
Actually, they are.
With over 70 percent of examined patients using at least one health app to manage their diagnosed condition, and more than 318,000 mobile healthcare apps available in top app stores worldwide, the picture of doctors and nurses relying on their devices as literal “mobile assistants” is becoming a highly sought-after reality.
While this perspective is often bolstered by positive reviews of hand-held computer use by healthcare professionals – where digital assistant devices improved physician effectiveness during patient documentation, patient care, information seeking and professional work patterns – the mHealth industry still has a lot of room to grow in terms of digital health infrastructure.
Not to be put off, mHealth developers have nevertheless continued to advance their compliance, security, accessibility, and efficiency practices in the face of wide-scale transformative change. And when asked, most mHealth developers (myself included) will tell you that what motivates us to keep going has to do with the massive potential these technologies have to literally transform the field of medicine as we know it.
And what exactly is that potential? Every day our news feeds are inundated with articles promoting the latest in mHealth technology – from mobile apps that can perform an ultrasound, to apps that help patients track their own symptoms – so it can be hard to navigate the ever-widening world of mobile healthcare.
In light of such a big subject then, I’ve often taken to cementing my own understanding of mobile health by thinking about the ways in which these applications are already affecting physicians, clinicians, and other practitioners at every stage of their medical career.
Put differently, from the time that an aspiring healthcare professional begins their educational journey, to their first-accepted payment for needed treatment, mobile health apps are helping doctors transform the field of medicine before our very eyes. Here’s how:
In a lot of our popular media, physician education is represented as an arduous journey from beginning to end. With long nights studying, cadavers to examine, and an infinite amount of medical information to digest, med students are flocking to (mobile) medical education applications that can help them test their own knowledge in a way that suits their learning style.
It began in the 1980s with those wonderful word processors. Electric typewriters bit the dust, and health records could be entered and saved on floppy discs. This was only the beginning.
We’ve come a long way, baby. As technology came to disrupt every sector of the economy, healthcare was no exception. Consider all that has happened in this sector and where we are today.
Consolidated health records in the cloud
Anyone who has been to a doctor recently understands this. That doctor may have your entire health history, from multiple providers, all in one place. This technology allows any provider to offer better care protocols according to each individual’s unique history and to recommend tests, etc. that do not duplicate those already done.
Patients can also access their full health histories and provide access to family members as well. This gives patients more control over their own healthcare and allows them to make better decisions for future care.
Use of big data for treatment protocol decisions
Now that providers have access to health data from all over the globe, they can review research studies, identify effectiveness based on specific symptoms, DNA makeups, and more. The net effect is this: research from all over the world is now available through tools that gather data, churn it, categorize it, and provide reports based on specific queries. Ultimately, better care for all can occur because of this shared data. Amy Castello, a healthcare writer for Trust My Paper, says this: “I conduct a lot of research on a number of healthcare topics. One of the most interesting is the strides that have been made in the use of big data. I see a future of customized care solutions that
Use of AI and machine learning to identify and predict disease outbreaks
When artificial intelligence is applied to big data gathering, environmental conditions can be analyzed for their contributions to disease outbreaks. Likewise, when there are higher than average disease conditions among certain demographics or in certain geographical areas, AI can analyze data and report common characteristics that may be contributing to those outbreaks.
Development of vaccines
Every year, a number of medical reporting organizations isolate the specific viruses that have resulted in flu outbreaks. All of this information is then physically reported during a consolidated meeting, and decisions are made for the next vaccine composition. Now, all of the data can be digitally reported, and the recommended vaccine compositions determined by the use of artificial intelligence. Ultimately, this can serve to reduce some of the human “guesswork” that now occurs.
A decade ago, patients had to travel to their doctors’ offices for regular checks on chronic conditions. Now, wearable devices provide ongoing data electronically, so that patients are monitored from home, with alerts to their doctors when conditions change in a way that might warrant an office visit or hospitalization. Getting real-time data of this sort not only increases efficiency of care but also results in lower costs for both providers and patients.
By Brooke Faulkner, freelance writer; @faulknercreek.
Up to a fifth of patients with serious conditions are first misdiagnosed, and that has tremendous consequences. With the help of healthcare technology, doctors are able to diagnose patients more effectively and more easily. For example, migrating patient data from paper to online, known as electronic health records (EHRs), has greatly aided the medical world. Technology, especially using artificial intelligence and predictive analytics, has enabled doctors to make faster, more accurate diagnoses, and thus provide better care.
The volume of big data
Duquesne University estimated there to be 150 exabytes of healthcare data collected in 2011. Four years later, they reported about 83 percent of doctors had transitioned from using paper to electronic records. By now, with the ubiquity of the cloud, these numbers have assuredly gone up.
Massive amounts of data make predictive analytics possible, as trends can be spotted and analyzed. By spotting patterns, diagnosis of a disease becomes easier even for doctors unfamiliar with a specific disease or symptom. Uploading symptoms allows a computer to compare records and identify symptoms comorbid with other problems. This allows even specialized doctors to recognize issues outside of their field. Medical mistakes lead to the death of some 440,000 people each year; while misdiagnosis is only a part of this number, correct diagnosis and treatment will reduce it.
Big data can even be collected in the form of PDFs as part of telemedicine. A doctor can send PDFs to patients as part of a poll or survey or simply to collect symptom information from the patient. From there, data entered in the PDF can be collected and analyzed, generating patient data or feedback for the doctor.
Google flu trends
Google ran what can best be called an experiment from 2008 to 2014. Using artificial intelligence, the search engine recorded flu-related searches in an attempt to predict the severity of an outbreak, as well as the affected geographical area.
It was a flawed model, and tried to use big data as a replacement, rather than a supplement, for traditional data collection and analysis. It completely missed a flu outbreak in 2013, with the data off by a massive 140 percent, and Google Flu Trends ended its public version in 2014. The algorithm monitoring flu-related search terms was simply not sophisticated enough to provide accurate results. While new data is no longer available to the public, historical data remains available to the Centers for Disease Control and other research groups. It’s possible that once the algorithm and predictive analysis are capable, the program will continue.
Zingbox, provider of a healthcare Internet of Things (IoT) analytics platform, announced new research demonstrating that hackers are leveraging error messages from connected medical devices — including radiology, X-ray and other imaging systems — to gain valuable insights. These insights are then used to refine the attacks, increasing the chance of a successful hack.
“Hackers are finding new and creative ways to target connected medical devices. We have to be in front of these trends and vulnerabilities before they can cause real harm,” said Xu Zou, Zingbox CEO and co-founder. “We make it our mission to assist and collaborate with device manufacturers to ensure the security and uninterrupted service of connected medical devices.”
The information-gathering phase of a typical cyberattack is a very time-intensive phase in which hackers learn as much as they can about the target network and devices. By simply monitoring the network traffic for common error messages, hackers can gain valuable insight into the inner workings of a device’s application: the type of web server, framework and versions used; the manufacturer that developed it; the database engine in the back end; the protocols used; and even the line of code that is causing the error. Hackers can also target specific devices to induce error messages. With this information, the information-gathering phase is greatly shortened and they can quickly tailor their attack to the target device.
Zingbox’s research discovered that:
Information shared as part of common error messages can be leveraged by hackers to compromise target connected devices.
Hackers can “trick” or induce medical devices into sharing detailed information about the device’s inner workings.
Leveraging this information quickens a hacker’s access to a hospital’s network.
“Imagine how much more effective hackers can be if they find out that a device is running on IIS Web Server, using Oracle as backend and even gathering usernames,” said Daniel Regalado, principal security researcher at Zingbox and co-author of Gray Hat Hacking. “That will help them to focus their attack vectors towards the database where PHI data might be stored.”
The research also revealed that the healthcare industry has made great strides in collaborating across providers, vendors and manufacturers: there was rapid response and a willingness to generate patches for their medical devices from three out of seven manufacturers whose devices were included in the study. However, there is still work to be done to convey the urgency of these findings and to increase collaboration between security vendors and device manufacturers.
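The disclosure categories described above (web server and version, framework, database engine, the line of code behind an error) can be checked on a device's own error responses before it goes onto the hospital network. The following is an added example, not part of the original article or of Zingbox's tooling; the sample responses, device labels and rule set are constructed for illustration and are not exhaustive.

```python
import re

# Constructed sample responses (not captured from any real device).
VERBOSE = "\r\n".join([
    "HTTP/1.1 500 Internal Server Error",
    "Server: Microsoft-IIS/7.5",
    "X-Powered-By: ASP.NET",
    "X-AspNet-Version: 4.0.30319",
    "",
    "ORA-00942: table or view does not exist",
    "   at Viewer.Study.Load() in C:\\app\\Study.cs:line 212",
])
GENERIC = "\r\n".join([
    "HTTP/1.1 500 Internal Server Error",
    "Content-Type: text/plain",
    "",
    "An internal error occurred. Reference ID: 7f3a9c",
])

# Illustrative rules (an assumption of this example): header -> (category, pattern).
HEADER_RULES = {
    "server": ("web server and version", re.compile(r"\S+/\d[\d.]*")),
    "x-powered-by": ("framework", re.compile(r".+")),
    "x-aspnet-version": ("framework version", re.compile(r"\d[\d.]*")),
}
BODY_RULES = [
    ("database engine",
     re.compile(r"ORA-\d{5}|SQLSTATE\[|Microsoft SQL Server|MySQL|PostgreSQL")),
    ("stack trace", re.compile(r"^\s*at\s+[\w.$<>]+\(", re.M)),
    ("source file and line",
     re.compile(r"[\w\\/.:-]+\.(?:cs|java|php|py)(?::line |:| on line )\d+")),
]


def parse_response(raw):
    """Split a raw HTTP response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_response(raw):
    """Return (category, evidence) pairs for details the response discloses."""
    status, headers, body = parse_response(raw)
    findings = []
    for name, (category, pattern) in HEADER_RULES.items():
        match = pattern.search(headers.get(name, ""))
        if match:
            findings.append((category, match.group(0)))
    if status >= 400:  # body rules apply to error responses only
        for category, pattern in BODY_RULES:
            match = pattern.search(body)
            if match:
                findings.append((category, match.group(0).strip()))
    return findings


def audit_capture(capture):
    """Map each device label to the sorted disclosure categories it leaks."""
    report = {}
    for device, raw in capture.items():
        categories = sorted({category for category, _ in audit_response(raw)})
        if categories:
            report[device] = categories
    return report


if __name__ == "__main__":
    sample = {"imaging-ws-01": VERBOSE, "imaging-ws-02": GENERIC}
    for device, categories in audit_capture(sample).items():
        print(device, "discloses:", ", ".join(categories))
```

A device that returns the generic response with a reference ID produces no findings; the detail stays in the server-side log, where support staff can look it up by that ID.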
Remote monitoring. Smart sensors. Better communication and overall patient care. The internet of things has some incredible applications for the health industry — assuming we can overcome the security challenges it brings with it. But where do we start?
The potential of the Internet of Things to revolutionize the world has already been well-documented – as has its potential security shortcomings. I don’t believe it’s hyperbole to call IoT one of the most disruptive digital technologies ever developed, if not the most. But that disruption can easily be a double-edged sword.
Consider the healthcare industry, for example. Hospitals, care providers, and covered entities regularly work with some of the most sensitive data in the world, subject to some of the most stringent protections. They have an inarguable duty of care to keep protected health information (PHI) out of the wrong hands.
Incautious application of IoT technology runs directly counter to that duty of care.
Unless you want your organization to be included in that statistic, you’re going to need to take a step back and re-examine your security practices. The Internet of Things is by its very nature unlike any technology you’ve used in the past. What that means is that it requires a completely different approach.
You must have some way of monitoring, managing, and locking down any endpoints that might have even a passing connection to patient data. You need to implement new processes and procedures regarding how devices are used and interconnected within your organization. Finally, you need to be aware of PHI no matter where it is and who’s using it — and if someone is accessing it who shouldn’t be, you need the capacity to lock down their access and protect that data.
For an industry where even standard IT can prove challenging, that’s a pretty intensive list. It’s a small wonder, then, that many healthcare organizations choose to work with managed services providers rather than deal with things internally. And if, after a security assessment, you find that your own IT staff lack the expertise, that might be the best bet for you as well (at least until your staff can receive proper training).
Of course, selecting an IoT services provider comes with its own laundry list of challenges. You’ll need to school yourself in the tactics and language the bad eggs use to try to lure in new clients, and you’ll need to ensure that any providers you work with are fully HIPAA-compliant. There are a few signs you should look out for in that regard:
This summer, the U.S.-based pharmaceutical giant Merck suffered the Petya ransomware attack, which demanded that it hand over a ransom or have its computers remain locked and inaccessible. One month before, the WannaCry ransomware attack devastated many big organizations around the world, including national healthcare organizations such as the UK’s National Health Service (NHS).
Last week, cybersecurity experts warned that medical care would suffer from additional risks it is not prepared to handle. The new threats are coming from the “Internet of Bodies” – IoT devices incorporated into human bodies for medical purposes.
“Healthcare companies are probably the most susceptible to upcoming ransomware attacks – and these attacks will come again, we have no doubts about it,” said Marty P. Kamden, IT security expert and CMO at NordVPN. “Outdated technology, lack of experience in managing the IT sector, and vulnerabilities of the new Internet-connected medical devices pose a grave danger to the safety and even lives of thousands of medical patients around the world.”
In fact, several months ago, the FBI (United States Federal Bureau of Investigation) issued a warning to all healthcare sector companies to remain vigilant of new cyber threats, possibly stemming from foreign governments.
Here is NordVPN’s advice about protecting healthcare companies from cyberattacks:
Don’t use FTP servers operating in anonymous mode. According to the FBI, “some criminal actors from abroad are trying to target protected healthcare information (PHI) and other personally identifiable info (PII) from medical facilities to intimidate, harass, and blackmail business owners.” The FBI was warning healthcare companies against the use of FTP servers operating in anonymous mode.
You are as strong as your weakest link. Healthcare companies should choose their suppliers carefully and should work together with them to tighten overall IT security. The new trend is supply-chain attacks: attackers look for the weakest link in the supply chain to install their malware, which will affect all the companies within the chain. The supply-chain vulnerability was used in the destructive NotPetya attack, originating in Ukraine and branching out to various European and U.S. organizations.
Use a VPN. Healthcare organizations usually use an intranet for private internal communications, which includes local area networks (LANs) as well as on-site networks. When employees need to access the organization’s intranet while traveling or working remotely, they should use virtual private networks (VPNs) for a secure connection. When using a public or unprotected WiFi connection, VPNs create an encrypted tunnel that connects the computer and the intranet or VPN server. This tunnel protects the connection from public access, should there be hackers ready to breach the system.
Mobile technology is impacting every element of American healthcare–from insurance and billing to documentation and caregiving, the impacts are being felt. The truly transformative element of the mobile revolution is not the technology itself, or the way it changes the look and feel of the tasks it affects. Despite complaints of the depersonalizing effect of technology, the ultimate value of mobile in the sector will be how it enhances and encourages communication.
Providers are Going Mobile
Flexibility and functionality have already drawn providers to mobile devices and solutions. Voice-to-text technology and similar automated solutions are in the offing to relieve the documentation burden that has dampened some amount of enthusiasm toward digitization. Bolstered by these advancements, caregivers will go from subjects of their EHRs to masters of patient encounters.
One of the huge benefits of mobility–as opposed to simply being networked on desktop computers or having a digital health records solution–is the capacity for greater native customization and app development. Native apps are like the currency of the mobile, smart device world providers are entering. Developers can deliver personal, branded interfaces that allow doctors to choose precisely how they want their dashboards to look, giving their EHRs a custom touch that has been sorely lacking throughout their implementation.
App-centric development will further reduce the friction of adoption and utilization, giving doctors a sense of empowerment and investment, rather than the bland inertia that has carried digitization thus far.
The personalization of the technology through app development will help boost adoption, and return the focus to what the technology enables, rather than how it looks or what it has replaced. Mobile technology’s strength will be in reconnecting doctors and patients, and creating bridges of data and communication across the continuum of care.
The Internet of Things (IoT) is taking hold in nearly every aspect of our lives. No longer are we content with simply connecting via a computer or mobile device. These days, our homes are filled with connected devices, all purporting to make our lives easier, more efficient, and in many cases, more entertaining.
However, the IoT’s creep isn’t limited only to our homes. One area where IoT is already taking hold and is expected to grow even more is in the health care industry. Often referred to as Medical IoT (or just connected medical devices), the adoption of connected devices is already at impressive levels and the trend is for even more devices to be accessible via the internet in the future.
For example, it’s not uncommon to find patients using wearable devices to collect and transmit data about their blood sugar, blood pressure, heart rate, and oxygen rate to their physicians, or to find wireless devices within hospitals that automatically transmit patient vital signs and other monitoring data straight from the hospital room to hospital staff, no matter their location. The assumption is that thanks to such continuous monitoring and real-time data, physicians can provide better quality care and improve patient outcomes.
Undoubtedly, the IoT creates a great deal of opportunity within health care to deliver better outcomes. At the same time, though, there is also the question of the true value of connected devices in every circumstance. The fact is, while there is a certain “cool” factor associated with IoT technology, and a sense of wonder at the fact that a device can transmit data wirelessly, there is also a concern that developers will attempt to include connectivity just because they can. Unless the technology aligns with user expectations and behaviors, is reliable, and delivers actual meaningful outcomes — and doesn’t just add an unnecessary feature to the device — it is unlikely to be successful.
Therefore, when developing connected medical technology, it is just as important to consider why you are connecting it as it is to consider how you will connect it. Often, the how isn’t nearly as complicated as one might think, thanks to relatively inexpensive and widely available microcontrollers and applications. The why, on the other hand, is more complex, and requires developers to consider not only the potential benefits of connecting a medical device, but several other key points as well, among them the potential for data overload, the security of the devices, and addressing potential malfunction, to determine whether a device can benefit from connectivity.
Chief Concerns for Connected Medical Devices
While there are plenty of points to consider when developing any type of medical device, when the device is designed to be connected to the internet, there are additional things to think about.
Guest post by Puneet Gupta, chief technology officer, Brillio.
For those in the healthcare industry, the future feels at once full of promise and always just out of reach. Transformational advances in technology are on the horizon and fast approaching—but anticipating and adopting new tech can seem like an impossible task.
Perhaps the most promising tech trend for healthcare is the Internet of Things (IoT): the increasingly interconnected network of intelligent devices and objects that share data and enable the physical world to be integrated into digital systems.
While nearly every industry can employ IoT systems to create greater efficiencies and support new business models, the healthcare industry is particularly poised for major gains. According to a recent report, IoT in healthcare alone will be a $117 billion market by 2020.
IoT technology and digital integration has enormous potential to create meaningful experiences and better outcomes for patients, doctors, and healthcare professionals. And yet, amid all this promise, the current state of healthcare IoT leaves a lot to be desired.
How Healthcare Companies Need to Re-Imagine Change
Why is IoT adoption still lagging in the healthcare industry, despite all this potential? Many companies are simply thinking about technological change the wrong way.
Naturally, most people try to think about such changes from a 30,000-foot perspective. IoT is such a huge strategic transformation, it’s easy to get overwhelmed and not know where to begin.
I prefer to look at things differently. Instead of surveying major paradigm shifts from a million miles away, let’s flip the model and focus in on micro-experiences—small, concrete touch points along a user’s journey where technology can make a meaningful intervention.
By building from the ground up in real-world contexts—instead of from the top down in the abstract air—you’ll be able to quickly implement a number of IoT solutions and see the impact. Overarching systems will organically develop over time as you create valuable micro-experiences on the ground.
While contemplating a global shift only generates new questions, breaking IoT down into bite-sized, tangible moments grounded in reality opens the door for immediate achievements. That’s what we call the art of the possible.
4 Examples of IoT Micro-Experiences in the Healthcare Industry
In the spirit of focusing on context and individual instances, let’s look at four real examples of how we’ve deployed IoT micro-experiences in healthcare.