
Privacy & Security

By Bill Siwicki | 03:37 pm | March 20, 2019
Four experts in healthcare cloud computing offer CIOs and other health IT workers who are starting – or maintaining – cloud migrations some well-rounded advice.
By Beth Jones Sanborn | 03:15 pm | March 20, 2019
With increasing buzz around population health and social determinants of health, those two forces are poised to change philosophies around care delivery and how a hospital or health system works to keep the surrounding community healthy. While that likely means good things for patients and outcomes, it also drives more sharing, more data and more risk of losing your privacy.

There is also a big push for increasing a patient’s autonomy around their personal health information and the access they have to it, especially via personal devices, which are likely to be used in the future to communicate directly with providers, if they aren’t already. There is also the continued push toward interoperability and the use of AI and machine learning.

David Finn, EVP of Strategic Innovation for CynergisTek, said that while all these things carry huge potential to positively impact healthcare delivery, they also create new dimensions of risk when it comes to cybersecurity.

“It has been my mantra for ten years that we have to change the way we think about data. It is our most valuable asset. It’s how we run our business and care for patients. But we have not adjusted our thinking about data to how the bad guys think of it. Until we think about what you could do maliciously with that information, I’m afraid we will not catch up with them,” he said.

Many of these trends are already exploding, so it’s no surprise that they are all included in Finn’s list of top cybersecurity issues healthcare will face in 2019 and 2020. If they aren’t on your list of concerns, Finn says they should be.

1. FHIR and APIs

New proposed standards for interoperability and new FHIR standards for letting systems share health information, as well as facilitating patient access through open APIs, recently made waves through the healthcare landscape. Just as patients have access to other personal information like banking via apps on their devices, the notion is that they should have equal access to their PHI. Finn said that while he doesn’t disagree with that concept, data standards for APIs were proposed but no one talked about security, even though APIs are a known security risk in most industries. Such standards and policies need to have cybersecurity standards embedded as well. That means security has to be as big a part of the conversation as patient care itself.

“To call for that kind of sharing without addressing security points back to all the issues we had in 2018 and prior. We just haven’t elevated privacy and security to the same level of understanding or given it the same seat at the table as we work through a lot of these issues.”

2. Keep your business associates close and your data closer

In 2018, the number of cyber incidents related to business associates climbed. Yet the concept of clinically integrated supply chains is gaining traction because it is a faster and more efficient way of operating; Finn said it also increases risk and exposure to third-party error or misconduct.

“Unless we design all these things with the security built in up front, I’m afraid we may actually be making things worse for ourselves,” he said.

3. Digital transformation and the silver bullet

That transformation, including telehealth, personalized medicine and the use of connected personal and medical devices, is most certainly upon us. While all those methods represent a potential positive impact on care and outcomes, they also mean more data, more formats and more cloud development, and they all bring specialized security needs, especially when it comes to medical devices. On medical device security, Finn said there are dozens or hundreds of vendors who claim to have solved medical device security. Organizations get a “fancy new tool” they think will find and fix everything.

The inherent problem with the “silver bullet mentality” is that tools are just tools. “A stethoscope has never cured anyone. An x-ray has never healed a broken arm. They are very helpful in figuring out what’s wrong but we are getting away from basics by thinking there is a silver bullet. At the end of the day, it’s going to come back to using those tools to find out where your issues are and what you need to do. But we need people to go in and do that work.”

If there is one area of innovation taking the healthcare world by storm, it’s AI and machine learning. And with good reason. From claims processing to diagnosing cancer, artificial intelligence seems to have limitless potential in numerous sectors of care delivery and operations. But much like the headaches we so often hear about when it comes to launching EHRs and other innovations, AI has the potential to be launched badly. And such tools can also expose systems to risk if security is an afterthought, not an equal player.

“It takes a really smart person who understands the data to look at what those systems are telling you and make adjustments that actually improve what you are doing. My hope is we start thinking about the security before we start jumping on all this new stuff. We have to do it. There’s no argument about that but we have to do it right.”

4. Moving to the cloud

Cloud computing presents another double-edged sword: operationally, it is cheaper and more efficient, at least when it comes to up-front costs. Moving more data and applications to the cloud and getting that processing out of data centers makes a lot of sense, he said. But the pitfall is the frequent perception that once we have given something over to a cloud vendor, they are going to protect it.

Third-party risk and a lack of understanding of what the cloud model really means are part of the problem: how you recover when a cloud-based system goes down, or how you respond in the case of an attack, is going to be very different with a cloud-based system than if all that data and those applications were in your own data center, where you have control over everything. We need to back up and look at how we are doing it, Finn said. First and foremost, more front-end vigilance is needed when it comes to negotiating contract requirements and fleshing out potential vulnerabilities. And whether you are cloud-based or keeping it all in-house, you still need a detailed response plan and recovery team in case your cloud goes down or is taken down by cybercriminals.

“Just like in your data center you have to have a disaster recovery plan and you have to test it, you still have to have an incident response plan and you have to exercise it to make sure you’re not missing anything,” Finn said. “And we just typically don’t do that with our cloud providers.”

5. Phishing is still a force to be reckoned with

Finally, Finn said that despite rampant usage and success with phishing attacks by hackers, awareness and training related to phishing actually went down from 2017 to 2018. In fact, 2018 had more phishing attacks than ever before in healthcare. It is imperative that this seemingly simple method of intrusion be treated with the utmost urgency.

“It comes back to awareness and training which will keep us focused on the real issue which is how we think about data and how we use it,” Finn said.
By HIMSS TV | 05:54 pm | March 18, 2019
Users are no longer the weakest link in the security chain, claims Adrien Gendre, chief solutions architect at Vade Secure, who discusses the biggest threats to email security and AI-originated phishing attacks.
By Dean Koh | 12:01 pm | March 15, 2019
The Health Sciences Authority (HSA), a statutory board under the Ministry of Health (MOH) in Singapore, said in a statement on March 15 that one of its vendors, Secur Solutions Group Pte Ltd (SSG), had failed to properly secure an HSA database against access over the Internet. The database contained registration-related information of 808,201 blood donors, which includes name, NRIC number, number of blood donations, dates of the last three blood donations and, in some instances, blood type, height and weight. According to the HSA, the database did not contain any other sensitive, medical or contact information.

A cybersecurity expert discovered the vulnerability on March 12 and alerted the Personal Data Protection Commission (PDPC) the next day; HSA worked with SSG immediately to disable access to the database. HSA has also made a police report and is in contact with the expert on deleting the information. Investigations are pending, and preliminary findings indicate that other than the cybersecurity expert who raised the alert, there was no other unauthorised access to the database.

The information provided to SSG was placed on an unsecured database on an internet-facing server on January 4 this year, and the vendor did not put in place adequate safeguards to prevent unauthorised access.

“We sincerely apologise to our blood donors for this lapse by our vendor. We would like to assure donors that HSA's centralised blood bank system is not affected. HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information,” said Dr Mimi Choong, CEO of HSA, in a statement.

Including this latest case as reported by HSA, the Ministry has experienced four IT-related incidents since the SingHealth cyberattack, which happened from June to July 2018. The other two incidents occurred in January 2019, when the confidential information of 14,200 HIV-positive individuals was leaked, and last month, when MOH said that a computer error had resulted in 7,700 people receiving inaccurate CHAS healthcare subsidies.
By HIMSS TV | 03:45 pm | March 14, 2019
The healthcare industry faces unique security challenges, including a skills shortage and its regulatory landscape, according to Mimecast’s Josh Douglas and Dino DiMarino, who share how to meet those challenges.
By HIMSS TV | 04:11 pm | March 13, 2019
Joyce Brocaglia, CEO of Alta Associates and founder of Executive Women's Forum, details the need to fill board of director seats with people with security skills as well as diversifying cybersecurity teams.
Cloud Computing
By Nathan Eddy | 03:58 pm | March 13, 2019
The industry has some unique challenges to tackle and moving to the cloud often leads to breaches.
By Verizon | 10:50 am | March 13, 2019
A lot of attention is focused on network access security; it can be easy to overlook the vulnerability of data at the edge.
By HIMSS TV | 07:22 pm | March 12, 2019
The major themes at RSA include AI skepticism, challenges with diversity and workforce development, and how to incorporate agile tactics into cybersecurity best practices, says Tom Sullivan, editor-in-chief of Healthcare IT News.
By Leontina Postelnicu | 08:57 am | March 12, 2019
Dame Fiona Caldicott has been appointed as the first statutory national data guardian for health and social care, nearly five years after the role was first created.