Several months ago, I had the unique opportunity of judging a security competition at a major university in New York City. The ground rules were simple. Students needed to propose the best legislation to help secure the consumer from hacking and cybercrime. The presentations were really quite amazing and insightful, with one common thread: it all revolved around the impact of a breach based on the "internet of things". Difficult to imagine, but not completely preposterous, scenarios were laid out where common consumer electronics could get hacked, such as your NEST thermostat, your smart refrigerator or even the Fitbit that tracks your workouts and exercise. Imagine this highly personal information being lifted from you by a stranger and being held for ransom or even being sold to the highest bidder. In actuality, these scenarios are merely the storm clouds on the horizon. The actual impact of hacked IOT information can be far worse when it comes to healthcare, and it is not science fiction.
The Unspoken Bond
Regardless of how healthy one is, we all see doctors, dentists, and other health professionals. Even if one is not sick, we are likely to see a doctor once a year if for nothing more than a wellness checkup. For most of us, some health incident will crop up within the next year, which can range from a common cold to an illness, medical condition or emergency. We WILL see a doctor. Within any and all of these scenarios, we will be sharing information with the doctor, the nurses and, in fact, more people than we actually realize. Since the beginning of time, we have had a special relationship with doctors, nurses and allied health professionals, who often know more about us than perhaps anyone else. We entrust them with information that we would share with very few people, and we expect that what we share with them goes no further.
The Healthcare Internet of Things
What most average people on the street do not realize, though, is the whole IOT story when it comes to healthcare. X-rays, MRIs, CAT/PET scans, labs and a host of other healthcare data are completely digitized. Drying films and printed doctors' orders and results have been replaced by digital, internet-based records. Your most private information, which was the unspoken bond between you and your doctor, sits on some server somewhere and in most cases is vulnerable to the same security concerns that any data is exposed to. What's worse is that your healthcare data is a highly coveted commodity to steal, which puts it at high risk for theft.
In my previous blog, I noted that healthcare information is among the most coveted pieces of information that can be stolen, because it can be resold three times (identity, credit, health). But what happens if the unthinkable occurs and your healthcare information is made available to your next employer, to your insurance company, to someone you may be dating, or to your children's school? What happens when getting a job, the quality of your insurance, your future mate or where your children get accepted to school is based on stolen and sold healthcare information taken from the Healthcare Internet of Things (HIOT)?
Someone Is Securing That?!
When I tell this story to hospital administrators or even the common person going to see the doctor, their typical response is incredulity. "It cannot be that bad", "someone is securing it", "what about all of the security already built in to stop this?" The truth is that in each of these cases, you are largely playing the odds. Because of the digitized systems we have today, coupled with the distributed environments of virtually every healthcare system, large amounts of healthcare data traverse wide expanses, passing through perimeter defenses that are supposed to protect what is, in practice, a perimeter-less environment. Many of the very devices such as MRIs and diagnostic equipment whose purpose is to protect our health are causing us harm by being completely unprotected. Many of these devices are running old Windows OS versions and cannot be patched because doing so invalidates the manufacturer warranty. Is there any question that, given useless perimeter defenses and the inability to do basic patching, our most confidential information is also the most vulnerable?
For decades the good guys and bad guys have played the high-stakes game of "catch me if you can" when it comes to security. As soon as we solve a security issue, cyber criminals devise a new method to get to the information they want. Unfortunately, with the increased attractiveness of healthcare information to the hacker, healthcare has become "patient zero" in this ever-escalating scourge facing our industry.
There is an answer, though, and it is based on securing the target, namely the data, rather than the attack vector (traditionally the perimeter). It is possible to change the approach we take to cybercrime. In the past, our goal was to ensure that the bad guys were always on the outside. Today, due to cloud-based architectures and insider threats, there is no outside or inside, because all the information is "in plain sight". If we continue with the same approach to security that we have had in the past, a breach is no longer a question of "if" it will occur, but rather a question of "when".
Our new approach to security should take a few very concrete steps:
- Limit who sees what by having a granular access control policy, or simply who gets access to what. Clearly, within the healthcare system, doctors and nurses see very different information than the health insurance company or the dietician.
- Even when health professionals have access to patient information or lab data, not all of the information is required. Give people access to what they need to do their job, and mask the data elements that are not required (e.g. full Social Security number, insurance information, etc.).
- Realize that a breach will inevitably occur. By encrypting patient data, diagnostic films and lab data, even after a breach it is impossible for the hacker to do anything with the information, because it is gibberish to them.
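The first two steps above (a role-based policy for who sees which fields, and masking of the fields a role does not need in full) can be expressed as a small enforcement layer in front of the record store. The following is an added example, not code from the original post: the roles, field names, masking rules and the sample patient record are all constructed for illustration and would in practice be derived from the system's own data model. Every read is also written to an audit trail, since knowing who looked at what is the basis for detecting misuse.

```python
"""Field-level access control and masking for patient records (added example).

Assumptions (all constructed for illustration, not from a real system):
  * roles are decided upstream by authentication and passed in as a string;
  * a record is a flat dict of field name -> value;
  * POLICY lists, per role, the fields it may see and which of those are masked.
"""
from typing import Any, Callable

# Constructed sample record; not a real patient.
SAMPLE_RECORD: dict[str, Any] = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "ssn": "123-45-6789",
    "insurance_member_id": "INS-998877",
    "diagnosis": "Type 2 diabetes",
    "lab_results": {"hba1c": 7.9, "ldl": 130},
    "imaging_ref": "mri-2024-03-17",
    "diet_plan": "low glycaemic index",
}

# Per-role policy: "allow" is the set of visible fields ("*" = every field),
# "mask" is the subset of visible fields that are shown only in masked form.
# Anything not listed is denied; unknown roles are denied outright.
POLICY: dict[str, dict[str, set[str]]] = {
    "physician": {"allow": {"*"}, "mask": {"ssn"}},
    "nurse": {
        "allow": {"patient_id", "name", "diagnosis", "lab_results", "imaging_ref"},
        "mask": set(),
    },
    "dietician": {
        "allow": {"patient_id", "diagnosis", "lab_results", "diet_plan"},
        "mask": set(),
    },
    "billing": {
        "allow": {"patient_id", "name", "ssn", "insurance_member_id"},
        "mask": {"ssn", "insurance_member_id"},
    },
}

# Field-specific maskers keep just enough of a value to be useful for
# matching (last four of an SSN, prefix of a member id). Fields without a
# dedicated masker are fully redacted rather than leaked.
MASKERS: dict[str, Callable[[Any], str]] = {
    "ssn": lambda v: "***-**-" + str(v)[-4:],
    "insurance_member_id": lambda v: str(v)[:4] + "*" * max(len(str(v)) - 4, 0),
}

# In-memory audit trail of (role, patient_id, fields returned); a real
# deployment would write this to an append-only store.
AUDIT_LOG: list[tuple[str, str, tuple[str, ...]]] = []


def mask_value(field: str, value: Any) -> str:
    """Return the masked form of a field, or a full redaction if no masker exists."""
    masker = MASKERS.get(field)
    return masker(value) if masker is not None else "[REDACTED]"


def view_record(record: dict[str, Any], role: str) -> dict[str, Any]:
    """Return the subset of `record` that `role` may see, masked per policy.

    Default-deny: an unknown role raises PermissionError instead of returning
    anything. Every successful read is appended to AUDIT_LOG.
    """
    policy = POLICY.get(role)
    if policy is None:
        raise PermissionError(f"no policy for role {role!r}")

    allowed = policy["allow"]
    view: dict[str, Any] = {}
    for field, value in record.items():
        if "*" not in allowed and field not in allowed:
            continue  # field not needed for this job: drop it entirely
        view[field] = mask_value(field, value) if field in policy["mask"] else value

    AUDIT_LOG.append((role, str(record.get("patient_id", "?")), tuple(sorted(view))))
    return view


if __name__ == "__main__":
    for r in ("physician", "nurse", "dietician", "billing"):
        print(r, view_record(SAMPLE_RECORD, r))
    print("audit:", AUDIT_LOG)
```

The third step, encryption of the stored data, is deliberately not re-implemented here: it belongs to a vetted library and a key-management service, and sits underneath this layer so that a stolen copy of the store is unreadable regardless of what the policy allows.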
Healthcare continues to make remarkable scientific strides. Patients rely on these strides to solve illness and keep us healthy. The Healthcare Internet of Things marries technology with health to produce remarkable positive outcomes. By deploying the right security, we can not only provide medical interventions that were not even dreamed of a decade ago, but also ensure that patients remain safe in the digital world. Think of it as a prescription for your online health.