Cybersecurity in Healthcare: What you must consider from day 1 of product development
When you develop a digital healthcare product, there is a lot to consider, not the least of which is cybersecurity. Here’s why:
Digital health tools continue to push us forward in terms of data collection, drawing not only on remote monitoring devices, but more and more on behavioral indicators from non-health data sources (social networks, mobile apps, etc.). However, as more data becomes linked, we face a particular challenge in terms of cybersecurity.
Today’s massive linkage of data, however, could transform ‘non-health’ data into sensitive health data. (Schneble et al.)
Adjacent data promises acceleration in diagnosis and treatment innovation, but it puts enormous pressure on an already-weak spot: cybersecurity issues in healthcare.
In 2017, the British Standards Institution (BSI) published a whitepaper to raise awareness about the pressing need for improved cybersecurity in medical devices as a result of increased hyperconnectivity (between patient records, medical devices, digital solutions, and health-related apps). The paper asserted that “digital technology and remote monitoring heighten the need for security measures to protect against data breaches during collection, transmission, and/or storage of data.” In addition to the legal ramifications (privacy, legal actions, and stigma-related economic loss due to identifiable data/GPS monitoring), they noted that a breach in security and data also poses a huge threat to patient health.
In fact, in 2018, the American Medical Association released a Digital Health Implementation Playbook, stating that “cybersecurity is not just a technical issue; it’s a patient safety issue.” This guide revealed that 4 out of 5 physicians have already experienced cyberattacks, and 1 in 10 have experienced a downtime of up to two days. This downtime is not only unsafe, inconvenient, and expensive, but it can prove fatal if it compromises medical device safety and effectiveness.
As we continue to innovate and draw from more varied data sources in the future, cybersecurity must be considered at every step of a device or solution’s development. Between healthcare accounting for almost 80 percent of all breaches globally and the alarming increase in attacks since the COVID-19 pandemic began (source), it is clear that siloed, minimal, or afterthought approaches are not enough.
WHAT AN ATTACK LOOKS LIKE
Healthcare organizations and entrepreneurs using or interacting with networks and patient data need to be prepared for the inevitable cyberattacks. However, these can come in many different forms, so let’s look at some examples (BSI Group):
Disruption of care or service (potentially fatal outcomes)
Deception of staff with fake email or websites to obtain credentials or install malware
Unintentional or intentional “insider threat”
Loss of patient information
Data breach, information/data theft (exfiltration), and loss of assets
Blackmail, extortion, and duress through exploitation of stolen sensitive data
Intellectual Property (IP) theft
KNOWING THE ENEMY
Understanding attacks also means understanding the enemy and their motivations. Here’s an overview of the most relevant (BSI Group):
Attackers or “Hacktivists” issue simple attacks to further political agendas or for thrill-seeking purposes
Bot-network operators take over systems to distribute phishing schemes, malware, and spam
Criminal groups attack systems for monetary gain (spam, phishing, spyware/malware, identity theft, industrial espionage, ransomware, extortion)
Foreign intelligence agencies utilize cyber tools for intelligence, espionage, and sabotage
Disgruntled/Accidental Insiders, meaning employees or vendors with access, change security features or introduce malware
Phishers execute schemes to steal identities/information for monetary gain
Spammers send unsolicited communication containing hidden/false information or leading to denial-of-service attacks
Spyware/malware authors distribute malware for monetary gain
Terrorists disrupt, destroy, or exploit critical infrastructure to threaten security or fund activities
Industrial spies use attacks to gain intellectual property and knowledge
Keep in mind that not all enemies are malicious or even have agendas. Solutions also require protection from accidental (human error, equipment failure, natural disasters, etc.) or unintentional (system complexity issues) threats.
WHAT YOU CAN DO ABOUT CYBERSECURITY
Between the high percentage of healthcare organizations that have reported attacks and the number of potential enemies, the issue of cybersecurity can feel overwhelming. So, let’s introduce two different frameworks that can help guide innovators and organizations to increase and ensure protection of both patient data and “cyber physical aspects” (i.e., medical devices and solutions).
One guiding model is a modified Parkerian Hexad, built on the classic “CIA Triad,” and expanded to include operational technology for cyber physical assurance. Here are its core principles (BSI Group):
Confidentiality: controlling access to systems and information or data
Integrity: maintaining information’s consistency, coherence, and configuration
Authenticity: ensuring that systems and processes are not tampered with
Utility: ensuring that the system and data remain usable or transferrable to successor systems
Availability: ensuring that the systems and data are consistently accessible
Possession: preventing unauthorized control/manipulation
Resilience: ability of the systems/data to recover quickly after adverse events
Safety: ensuring features and maintenance prevent the creation of unsafe situations for users and the environment
Another recommended framework is the National Institute of Standards and Technology’s (NIST) guide to Industrial Control Systems (ICS) Security. This framework focuses on protection for devices or solutions (especially those under ISO 13485 requirements) where attacks could compromise patient health or safety; and it relies on a segmented approach. Operational features and their connection to systems or networks are grouped into zones, and each zone is analyzed to address potential vulnerabilities and develop countermeasures. The core tenets of this framework are listed below (BSI Group):
Control System Availability
Equipment Protections (including for embedded computers that monitor/control physical systems)
Functioning Operations (both in normal and degraded/emergency modes)
Time-critical system responses
CYBERSECURITY IN HEALTHCARE TAKEAWAY
Cyberattacks are, unfortunately, an inevitable occurrence, and the stakes couldn’t be higher. It’s not just the threat of ransomware bankrupting your enterprise; it could also be a matter of life or death. Take collaborative steps to integrate cybersecurity awareness, assessments, plans, and safeguards from day 1 of the development process…and every day after that as well.
If you’re interested in this subject, I recommend you dive into the details. Here are some top reading picks to get you started: