Cyber security: an ‘indigestion problem’ in the healthcare industry
In August 2011, Marc Andreessen famously wrote an essay in The Wall Street Journal, “Why Software is Eating the World”. It talked about the growing significance of software in business across a wide swathe of industries. Fast forward to the present day in 2017 and we can safely say that the process of eating is complete. However, there is an “indigestion problem”, which is becoming quite prevalent on account of cyber “insecurity”.
A case in point: last month the International Association of Athletics Federations (IAAF) publicly disclosed that it had been the victim of a major cyber attack. It is interesting to note what was stolen. It was not the credit card numbers of athletes but their therapeutic use exemption (TUE) data: records that document an athlete's medical condition and the otherwise-banned medication prescribed for it. The IAAF attributed the attack to a group called APT28 (aka Fancy Bear), which has a track record of targeted intrusions, including the 2016 theft of TUE records from the World Anti-Doping Agency.
Then there is the Anthem Inc. medical data breach, disclosed in 2015 but now known to have begun in 2014, which exposed the records of roughly 78.8 million people and meant that the organisation's entire $100 million of cyber insurance went towards notifying its customers. The nation state believed to be behind the breach has still not been named publicly.
As an industry professional, I have long been used to headlines about the financial industry being the victim of choice. The rise in healthcare data breaches was at first surprising, but when one looks at the big picture it actually makes sense, and it becomes interesting to dig deeper.
Mobile devices like smartphones and tablets are used by just about everyone today to collaborate and communicate, and many individuals routinely spend as much as four hours a day on them.
So when you start leveraging smart applications on the phone that collect and analyze more and more data of your daily life—where you go, when and whom you meet, what you eat, how much you walk, how much you sleep—the mobile device actually starts to know you much better than your best friend of many years or perhaps even your spouse. And that’s when you get into the crosshairs of an attacker.
Such a profusion of applications gives an attacker many ways to gain access to your mobile device and thus to your private data. Unlike law enforcement authorities, attackers do not need to brute-force your personal identification number (PIN) or clone your fingerprints: they can enter through a vulnerable application on your phone or, more likely, through a simple phishing email that asks you to click to open your healthcare report. Anecdotally, a great many individuals have fallen for this simple but effective technique, with disastrous consequences.
The issue of cyber security in healthcare is compounded by the fact that the Apple and Google app stores today offer a huge variety of health applications, which let users monitor themselves anytime, anywhere and even self-diagnose lifestyle diseases.
Medical devices such as patient monitors and infusion pumps, many of which are life-sustaining or life-supporting, often connect directly to the Internet to enable quicker and more affordable medical care. However, such medical devices and other mobile health solutions are a double-edged sword.
They have the potential to play a transformational role in healthcare management, but they can also become a vehicle to expose patients and healthcare organizations to cyber security risks.
Among the unintended consequences of unregulated digitization and increased networked connectivity are the risks of being hacked, being infected with malware, and being exposed to unauthorized access. Take the case of implantable defibrillators with wireless interfaces, which regulate the heartbeat. In the right hands these are valuable medical aids, but researchers have demonstrated that, with radio equipment within range of the implant, it is possible to glean personal information by eavesdropping on the signals these devices emit.
Indeed, the same research showed that such a device could be reprogrammed to deliver a fatal jolt of electricity directly to the organ it is monitoring. More broadly, the Ponemon Institute, in its 2016 benchmark study, estimated the cost of data breaches to the healthcare industry at about $6.2 billion per year.
To address the multi-faceted challenges of cyber security, the US National Institute of Standards and Technology (NIST) formulated its Cybersecurity Framework. The framework's building blocks are five functions: Identify, Protect, Detect, Respond and Recover. It is voluntary and can be adopted by organisations in any sector and of any size to build a cyber-resilient organisation.
In December 2016, the US Food and Drug Administration (FDA) released its final guidance on postmarket management of cyber security in medical devices. It asks manufacturers to monitor, assess and remediate vulnerabilities throughout a device's life in the field, rather than treating security as settled once the device is approved.
In the Indian context, while we still discuss and debate the pros and cons of linking Aadhaar to ever more use cases, I would recommend that we as individuals spend the next 30 minutes or so after reading this article checking what applications we have installed on our mobile devices, what permissions they hold, and making informed decisions about what personal data they are transmitting and to whom.
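A way to start that 30-minute check on an Android phone, as an added example that is not from the article's author: the script below reads the output of `adb shell dumpsys package <package>` (it assumes USB debugging and `adb` are available) and reports which privacy-sensitive permissions the app has actually been granted, which it has requested but been denied, and whether it also holds network access that would let the data leave the phone. The grouping of permissions into data categories is this example's own, the package name `com.example.healthtracker` is hypothetical, and the sample dump embedded in the script is constructed for illustration, not captured from a real app. It answers the "what data" question; the "to whom" question still needs a network proxy or the store's data-safety disclosures.

```python
"""Audit an Android app's permissions for health-relevant data access.

Added example (not from the article's author). It reads the output of
`adb shell dumpsys package <package>` (assumed available over a USB-debugging
connection) and reports which privacy-sensitive permissions the app has been
granted. SAMPLE_DUMP below is constructed for illustration, not a real capture.
"""
import re
import sys

# Which permissions expose the kinds of daily-life data the article lists.
# The grouping is this example's own choice; the permission names are Android's.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location (where you go)",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location even while the app is closed",
    "android.permission.READ_CONTACTS": "contacts (whom you know)",
    "android.permission.READ_CALL_LOG": "call history (whom you talk to)",
    "android.permission.READ_SMS": "text messages",
    "android.permission.BODY_SENSORS": "heart rate and other body sensors",
    "android.permission.ACTIVITY_RECOGNITION": "steps, sleep and movement",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "shared storage (exported reports, photos)",
}

# dumpsys prints a granted/denied state per permission, either as
# "perm: granted=true" or, on newer Android, "perm: granted=true, flags=[...]".
STATE_LINE = re.compile(r"^\s*(android\.permission\.[A-Z0-9_]+):\s*granted=(true|false)")
# Under "requested permissions:" the names appear bare, one per line.
REQUESTED_LINE = re.compile(r"^\s*(android\.permission\.[A-Z0-9_]+)\s*$")


def requested_permissions(dump: str) -> list:
    """Every permission the app declares in its manifest, in dump order."""
    return [m.group(1) for m in map(REQUESTED_LINE.match, dump.splitlines()) if m]


def permission_states(dump: str) -> dict:
    """Map permission -> granted (bool). Granted for any user counts as granted."""
    states = {}
    for line in dump.splitlines():
        m = STATE_LINE.match(line)
        if m:
            perm, granted = m.group(1), m.group(2) == "true"
            states[perm] = states.get(perm, False) or granted
    return states


def sensitive_granted(dump: str) -> dict:
    """Sensitive permissions the user has actually granted, with a plain-language reason."""
    return {p: SENSITIVE[p] for p, g in permission_states(dump).items() if g and p in SENSITIVE}


def report(dump: str) -> list:
    """Human-readable findings. INTERNET matters because it lets the data leave the phone."""
    states = permission_states(dump)
    lines = []
    for perm, why in sorted(sensitive_granted(dump).items()):
        lines.append(f"GRANTED  {perm.rsplit('.', 1)[1]:<28} {why}")
    for perm in requested_permissions(dump):
        if perm in SENSITIVE and not states.get(perm, False):
            lines.append(f"denied   {perm.rsplit('.', 1)[1]:<28} requested but not granted")
    if states.get("android.permission.INTERNET") and sensitive_granted(dump):
        lines.append("NOTE     app has network access, so the data above can be transmitted off-device")
    return lines


# Constructed sample in dumpsys layout; package name and values are hypothetical.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.healthtracker] (a1b2c3d):
    userId=10234
    versionName=3.2.1
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.ACCESS_BACKGROUND_LOCATION
      android.permission.BODY_SENSORS
      android.permission.READ_CONTACTS
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=12345 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=false, flags=[ USER_SET]
        android.permission.BODY_SENSORS: granted=true, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
        android.permission.CAMERA: granted=false, flags=[ USER_SET]
"""

if __name__ == "__main__":
    # Usage: adb shell dumpsys package com.example.healthtracker | python3 audit_permissions.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    print("\n".join(report(text)) or "no sensitive permissions granted")
```

Run against the constructed sample, the report flags precise location, body sensors and contacts as granted, notes that background location and camera were requested but denied, and warns that the app also has network access. Repeat it for each installed package (`adb shell pm list packages -3` lists the user-installed ones) and revoke anything the app's purpose does not justify.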
Now, that should be something relatively easy to digest.
Nimitt Jhaveri is an information technology architect and cyber security expert who runs his own venture, BitScore CyberTech LLP