Rise of Patient-Connected Devices Requires Commitment to Proven Cybersecurity Practices

Household IoT systems create new vulnerabilities

Healthcare is increasingly moving to the household: Driven primarily by testing, screening and monitoring products, the global home healthcare market is expected to surpass $364 billion by 2022, up from just over $239 billion today, according to a forecast from MarketsandMarkets.

Network connected devices – particularly those considered part of the Internet of Things (IoT) – account for a great deal of this demand. By 2019, 87 percent of healthcare organizations will have adopted IoT technologies, as three-quarters of executives believe IoT will transform the industry, according to research from Hewlett Packard Enterprise’s Aruba Networks. Patient monitors have emerged as the most common use of IoT (currently deployed by 64 percent of organizations). As indicated, this adoption surge has extended into the home, with medical practitioners remotely monitoring just over 7 million patients worldwide – a figure that is projected to increase to 50.2 million by 2021, according to research from Berg Insight.

Life-threatening risks

If the bad guys start hacking patient-connected or embedded devices, there could be life-threatening outcomes. An adversary may, for example, manipulate a machine to inject a lethal dose of drugs, or exact a ransom from a patient or their family. What’s more, it would be extremely difficult to identify the source of such a horrible attack. Patient-connected and/or implanted devices are rather rudimentary in terms of technology sophistication. They will not contain detailed log files of everyone and everything that has somehow connected to them, and they certainly won’t store enough information about IP addresses to lead investigators from an incident to a likely culprit.

Relatively recent recalls speak to the potentially dangerous risks that inadequately secured devices bring, including those used at home: In September last year, Abbott announced a voluntary recall impacting 465,000 pacemakers due to a possible hacking threat. In October 2016, Johnson & Johnson sent an official notification to 114,000 diabetic patients that a cyber attacker could exploit one of its insulin pumps, the J&J Animas OneTouch Ping, disabling the device or altering the dosage, according to the company.

Network separation and patching

While the scary scenarios call to mind something out of a sci-fi movie, our responses to the threats require a commitment to old-school remedies: network separation and patching.

Through separation, vendors, hospitals, home healthcare providers and others work with patients to ensure the devices run within their own network, with their own routers and connective components. They will not, for instance, interact with other wireless devices in the home, such as a virtual personal assistant. The medical device is sealed off by firewalls and a segmented setup so that it only maintains connections between the patient and the healthcare provider who is monitoring the device.

Then, vigilant patching of the standalone network ensures that the device remains current and well-defended. Because we cannot entrust patients with this role – most would not be capable of the patching, and, besides, a number of regrettable things could happen if they tried – the vendor and healthcare provider must proactively pursue this.

At Merlin International, we stay on top of the latest trends in healthcare technology and cybersecurity to offer the most timely and effective solutions and services to our customers. We understand and appreciate all of the good that medical devices can do – as well as the risks they introduce – and we plan and design our products to directly address this. If you’d like to learn more about what we do, then please contact us.

A Healthy Plan: The Three Critical Components of a Successful Identity and Access Management Strategy

Applying IAM practices to cyber networks and systems

Most homeowners come up with well-established “rules” for their houses: They don’t allow anyone and everyone to come inside. And, for those who are part of the household, there are certain places which are off-limits. A child does not, for example, bring the Nintendo Switch to the study when mom is writing an annual corporate report. The dog can roam freely in the basement and kitchen – but definitely not in the master bedroom.

So if we’ve set up such rules for our homes, why don’t we – as members of the healthcare industry – do the same for our cyber networks and systems? Fortunately, we can. Through practices collectively known as Identity and Access Management (IAM), IT departments centralize, standardize and automate users’ allowable entry to networks, systems, files, data, apps and other resources.

Partial adoption of IAM capabilities

To date, we’re just scratching the surface as to IAM’s potential: The global IAM market is expected to grow from $7.94 billion in 2016 to $20.87 billion by 2022, according to projections from Stratistics MRC. Yet, despite the anticipated adoption, current research findings convey a state of IAM capabilities that’s divided between the “haves” and the “have nots” among healthcare organizations and companies in general:

  • Only one of ten healthcare organizations indicates that it is leveraging IAM as a highly impactful component of its cybersecurity strategy, according to the “Cybersecurity 2017: Healthcare Provider Security Assessment” report from the College of Healthcare Information Management Executives (CHIME) and KLAS Research. One-quarter have either purchased an IAM solution but have not yet implemented it, or aren’t implementing anything.
  • Nearly three-quarters of healthcare professionals use colleagues’ passwords to access electronic health records (EHRs), according to survey research published by Healthcare Informatics Research, and 57 percent say they’ve done this 4.75 times on average. Literally 100 percent of medical residents admit to the practice, along with 83 percent of interns and 77 percent of students.
  • Nearly three of five senior-level IT security professionals still rely on manual processes – as opposed to automated ones – to control and audit access to critical systems, according to research from SPHERE Technology Solutions. More than three of ten rate their organizations as “low” in terms of overall IAM maturity.
  • Companies considered at the highest level of IAM maturity, however, are seeing significant benefits, according to research from Forrester Consulting. They experience half as many breaches (5.7 on average over a two-year period) as the least mature organizations do (12.5), with 43 percent of high-maturity businesses indicating that they’ve never had a network breach. As a result, the estimated value of their losses due to attacks is much smaller – $4.3 million over the two-year period, as opposed to $9.5 million for the least mature organizations.
  • What’s more, nine of ten of those at the highest level of maturity are deploying integrated IAM platforms, according to the Forrester research. When asked to rank the benefits of IAM, top performers cited improved privileged activity transparency (51 percent), reduced findings from compliance audits (51 percent), greater individual accountability (49 percent) and the elimination of redundant IAM tech (46 percent).

The growing urgency of greater IAM adoption

Healthcare organizations will need to strongly consider more investment in IAM practices and solutions, according to a U.S. Department of Health and Human Services (HHS) Cybersecurity Task Force report published in June. The “Report on Improving Cybersecurity in the Health Care Industry” recommends stronger authentication to “improve identity and access management for (healthcare) workers, patients, and medical devices/EHRs.” Too often, clinicians, support staff, patients and additional users simply enter passwords to call up systems, according to the report, when biometrics, tokens, multifactor authentication, wearable tech and mobile technologies could provide better protection while building a “trust relationship” with patients.

It doesn’t help that developing an effective IAM program is more complicated than ever, especially as healthcare organizations maintain tech apps and functions both on-premises and in the cloud. With all of the options out there, we depend upon a myriad of platforms, each with its own security procedures. Still, whether your organization runs its tech solutions on-premises, in the cloud or a mix of both, you can implement a strong IAM program which greatly protects your network and systems across the board – as long as you include the following three critical components:

A thorough inventory

Whether you run a small, rural clinic or a multi-location healthcare corporation with 40,000 employees, you must conduct a top-to-bottom inventory of all users and their roles. You then match roles to appropriate access areas – a nurse has to call up patient data, for certain. But sensitive company fiscal files? Not so much. As part of this effort, in addition to documenting what people can call up, you need to determine what they can do with it, i.e., “read only” or make changes to a particular file.

Because this amounts to a tall order for large enterprises, you probably want to consider applying risk-based principles to inventory prioritization. In other words, focus on those who deal with the most – and most sensitive – data first. This would include financial executives and data analytics team members, the latter because they pretty much have access to everything.

Enterprise-wide usage identification

This is where you find out what users are actually accessing, as opposed to what they’re supposed to access. Having established segregation of duties in step one, you now deploy automated analytics tools to examine activity logs and identify whether employees (not to mention contractors and additional third parties) are entering into areas which do not appear to serve a legitimate, work-intended purpose. The facilities supervisor, for instance, may check room temperature levels for patients. But he has no business pulling files which contain the health insurance information of those patients.

Continuous monitoring

Once you’ve inventoried roles and identified the degree of appropriate and inappropriate activity via automated analytics tools, you cannot “set it and forget it.” You have to constantly monitor what’s going on to ensure individual roles align to allowable actions. The tools must be capable of adjusting to changes in responsibilities – when a surgeon is promoted to chief of staff, her duties will expand and, accordingly, so should her access to various parts of the organization. When the surgeon leaves for another hospital system, however, the cybersecurity team has to eliminate any access to internal assets.

To make such oversight possible, the automated analytics product needs to deliver a “single pane of glass” view of activity. Your cybersecurity team should not have to click from one screen to another to track individual tech systems, file-sharing interactions and email exchanges. With a cohesive and unified monitoring experience, the team will be best positioned to view – and respond to – everything in real-time.
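The three components above, carried through as a small script. This is an added example written for this page, not Merlin’s code or any IAM product: the role inventory, the user list and the access-log line format are constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Step 1, the inventory: each role maps to the resources it may touch and what it
# may do with them ("read" only, or "write" as well). Constructed sample roles.
ROLE_ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "nurse": {"patient_chart": {"read", "write"}, "room_telemetry": {"read"}},
    "facilities_supervisor": {"room_telemetry": {"read", "write"}},
    "surgeon": {"patient_chart": {"read", "write"}, "or_schedule": {"read"}},
    "chief_of_staff": {"patient_chart": {"read", "write"},
                       "or_schedule": {"read", "write"},
                       "finance_reports": {"read"}},
    "finance_exec": {"finance_reports": {"read", "write"}},
}

# User-to-role assignments (constructed); promotion and departure change this map.
USERS: Dict[str, str] = {
    "a.nurse": "nurse",
    "b.facilities": "facilities_supervisor",
    "c.surgeon": "surgeon",
    "d.finance": "finance_exec",
}

# Hypothetical access-log line: "<timestamp> user=<id> action=<read|write> resource=<name>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>[\w.]+) action=(?P<action>read|write) resource=(?P<resource>\w+)$"
)


def is_permitted(role: str, resource: str, action: str) -> bool:
    """Step 1 answers: is this action on this resource part of the user's role?"""
    return action in ROLE_ENTITLEMENTS.get(role, {}).get(resource, set())


def audit(log_text: str, users: Dict[str, str]) -> List[dict]:
    """Step 2: one finding per log line that is unparseable, from an unknown account, or out of role."""
    findings: List[dict] = []
    for line in log_text.strip().splitlines():
        m = LOG_LINE.match(line)
        if m is None:
            findings.append({"line": line, "reason": "unparseable"})
            continue
        ev = m.groupdict()
        role = users.get(ev["user"])
        if role is None:
            # Account not in the inventory: never provisioned, or already departed.
            ev["reason"] = "unknown_or_departed_user"
        elif not is_permitted(role, ev["resource"], ev["action"]):
            ev["reason"] = f"out_of_role:{role}"
        else:
            continue  # in-role activity is not a finding
        findings.append(ev)
    return findings


def promote(users: Dict[str, str], user: str, new_role: str) -> None:
    """Step 3: responsibilities changed, so entitlements follow the new role."""
    if new_role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role: {new_role}")
    users[user] = new_role


def offboard(users: Dict[str, str], user: str) -> None:
    """Step 3: a departure removes every entitlement at once, not one system at a time."""
    users.pop(user, None)


# Constructed sample log. The facilities supervisor pulling insurance records is the
# page's own example of access that serves no work-intended purpose.
SAMPLE_LOG = """
2024-03-01T08:00:00Z user=a.nurse action=read resource=patient_chart
2024-03-01T08:05:00Z user=b.facilities action=write resource=room_telemetry
2024-03-01T08:07:00Z user=b.facilities action=read resource=insurance_records
2024-03-01T08:10:00Z user=c.surgeon action=read resource=finance_reports
"""
```

Running `audit(SAMPLE_LOG, USERS)` flags the supervisor’s insurance lookup and the surgeon’s finance read; after `promote(USERS, "c.surgeon", "chief_of_staff")` the second disappears, and after `offboard(USERS, "c.surgeon")` any later activity from that account is reported as coming from a departed user.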

At our homes, we don’t “set rules” to dictate a “Department of No” environment. Instead, we seek to establish a sense of order, so that a closed door at the very least tells a child to “Knock Before Entering.”

Similarly, IAM enables healthcare organizations to incorporate the same manner of guidelines and enforcement, so a lab worker is granted authority to review medical records, as opposed to such authority being assumed and allowed with little to no restrictions. Through effective inventory, identification and monitoring, an IAM program doesn’t inhibit business at hand. It supports it – building widespread confidence among managers, employees and patients that everyone is accessing what they’re supposed to, and nothing more.

Reflections on HIMSS Discussions

Meeting HCO security needs on a budget

In the month since this year’s HIMSS conference no less than three data breaches involving the exposure of patient information have made the news. Though the methods by which the hackers gained access to this critical data varied – in one instance a malware attack, while data storage error and employee email were allegedly implicated in the others – the fact remains that healthcare organizations (HCOs) are facing an increasingly uphill battle in securing the right technology and talent to avoid becoming tomorrow’s next headline.

While each HCO has a unique set of considerations and priorities, when it comes to data security nearly all are facing some version of the same challenge: finding the talent and technologies to meet both needs and budgets. Smaller organizations whose resources are often more limited seem to be struggling in particular. At HIMSS, a security analyst from a more modestly sized hospital shared with me that though he would like help, there wasn’t the money to make hires, and even if the budget did exist he’d face the further difficulty of finding the right talent to fill positions.

The biggest challenge: staffing

In multiple conversations with HIMSS attendees, insufficient staffing was consistently noted as the biggest challenge to improving cybersecurity posture. This mirrors results detailed in our study ‘The State of Cybersecurity in Healthcare Organizations in 2018’, conducted in partnership with the Ponemon Institute and released immediately following the conference. According to 74 percent of respondents, the lack of in-house expertise and security leadership makes it more difficult to reduce risks, vulnerabilities and attacks. As a result, organizations are looking to help augment the staff they do have with technological solutions.

Among solutions gaining prominence with HCOs looking to improve security without breaking the bank are identity and access management tools. Affordable and unobtrusive, multi-factor authentication is proving popular for preventing password fraud, specifically among remote and privileged access users. Organizations have also had luck implementing security information and event management (SIEM) solutions that aggregate data produced across networks, servers, databases, applications and devices. But monitoring and managing SIEM data can be complex and time consuming, often requiring one or more dedicated staff depending on an HCO’s size. And finding the necessary expertise to quickly identify weaknesses and threats to IT infrastructure could prove problematic, with nearly 80 percent of Merlin study participants finding it difficult to recruit IT security personnel.

The affordable technological solution

According to the HIMSS participants with whom I spoke, the perfect technological solution would provide a 360-degree view of their cybersecurity with analytics and AI layered on top, something we at Merlin are working to deliver. In the meantime, our research shows there are plenty of lessons to be learned from high-performing healthcare organizations in significantly reducing cyber attacks. High performing organizations are more likely to have an incident response plan and a strategy for the security of medical devices (a looming and largely unaddressed threat, according to HIMSS presenters). These organizations are also proactively investing in employee awareness about cybersecurity risks – conducting audits and assessments, providing regular training and incentives, and conducting phishing tests, for example – and ensuring third-parties safeguard patient information. Implementing any one of these practices would improve cybersecurity posture critical to patient safety.

You don’t need to be a healthcare information and technology professional to recognize that HCOs are facing constant, increasingly destructive and costly cyber attacks. Doctors will tell you that even small changes can deliver positive results to overall health. That advice could just as easily apply to cybersecurity. Only through the incremental implementation of both new technology and best practices can we protect patient data and access to essential care, and improve our overall IT health.

What Healthcare Organizations Need to Know about Blockchain

Blockchain: the next, great frontier?

Is blockchain the next, great frontier for healthcare? Or has the hype far surpassed reality – that it’s a pipe dream that could never conceivably work in such a complex and heavily regulated industry?

I believe the correct answer lies somewhere in between: Blockchain brings the promise of improved, more efficient information management, with possibly even better security. But, like any other technology that is new, complicated and disruptive, we should “walk before we run” by trying it out on a smaller scale to get a sense of “success stories” and “lessons learned” before expanding its reach.

At the very least, it’s encouraging to see that industry leaders are taking a close look at blockchains as a remedy for current information-management woes. The general public commonly associates the technology, understandably, with bitcoin and other cryptocurrencies. However, the actual innovation behind blockchains can apply to a far broader range of industries, including healthcare.

Traditionally, “owners” of particular patient information and other records store, keep and hopefully secure the data. If a vacationer has an accident at the beach, for instance, a physician from an oceanside clinic may need the vacationer’s prescription history from the family doctor back home, since the family doctor “owns” the information. The clinic has to request the history from the family doctor’s office – and if the accident occurs on a weekend, the information won’t be available until the following Monday.

Blockchains can help the industry “cut to the chase” by storing a vast array of data on linked, encrypted blocks which aren’t “owned” by any particular institution or person – circumventing cumbersome and complex procedures required to deal with a deluge of data that grows by the minute. The blocks are replicated throughout a network which is always kept in sync with consistent, updated information, producing a much-sought “single source of truth.”

Regardless of which healthcare organization employs them, users gain access to the blocks through authorization processes based upon the relevancy of the data to their job roles. From the patient care perspective, blockchain records could eventually include details about prior operations/illnesses, medications prescribed, blood work results, etc. From the healthcare provider administration and research side, they could cover clinical trials, insurance policies, billing accounts, etc. Note the use of the word “eventually” here, because we do not feel that such use cases are entirely possible right now – at least not without creating serious issues.

Despite the potential for obstacles, the industry appears poised to buy in in a big way: The global blockchain in healthcare market will grow to $5.61 billion by the end of 2025, up from its current value of $176.8 million, according to a forecast from BIS Research. By sometime this year, no less than 86 percent of surveyed healthcare executives anticipate that their organization will finance blockchain applications in at least nine categories, with medical/health records (94 percent), billing and claims management (also 94 percent), medical device data integration (92 percent), asset management (91 percent) and contract management (90 percent) accounting for the top five categories for planned adoption, according to research from IBM.

When asked about the problems that blockchains could solve, healthcare providers cited inaccessible information (61 percent), information risks (60 percent), transaction costs (58 percent) and inaccessible marketplaces (58 percent), according to the IBM research.

But, to reach this point, we’d have to address the aforementioned obstacles, as posed by the following challenges:

Patient Identification

There is no unified, consolidated system for identifying every patient who would be connected to a blockchain. If a doctor and his team members in Detroit have to call up the medical history of a local patient named “Henry Brown,” how do they know they’re accessing information about the right Henry Brown? There are likely many people in the city with the same name. For blockchains to work as an all-encompassing, real-time repository of health records, we would need to develop – through the government and/or an industry effort – a reliable, comprehensive national patient identification database linked to all electronic medical records (EMR) systems to ensure that the right people are accessing the right information.

Data Volume

Blockchains are not currently designed to store very large files (radiology images, genetic testing results, colonoscopy videos, etc.). For now, this limitation will lead to the storage of large data “off chain,” with the blockchain itself strictly containing pointers to all the data.

Patient Privacy

Blockchains are inherently transparent – they reveal every transaction in the chain. This presents privacy issues, especially for patients. Blockchains for cryptocurrencies, of course, have gotten hacked, so the same likelihood exists for blockchains supporting medical purposes. One solution: Designating patients as the “owner” of their blockchains, just as cryptocurrency investors “own” their own e-wallets. If the patient owns a blockchain, the patient can decide who is allowed to view it on a case-by-case basis. Conceivably, the patient would also have to approve of the cybersecurity measures taken to protect the blockchain, or at least agree to absolve outside parties of any responsibility for a hack.

Authorized Access

Who should access the blockchain, and how much should they see? How do you enforce authorized access? This necessitates an understanding of the contractual obligations parties take on when they participate in serial, immutable transactions. Since these peers are frequently geographically distributed, a central entity would have to ensure that the contracts are adopted, executed, cataloged and auditable. They should adhere to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) for storing the protected health information (PHI) of Americans, and the EU’s General Data Protection Regulation (GDPR). Because the communications need to be secured, highly effective encryption must not only secure the data in the blocks, but protect communication among the many peers. Existing systems will have to rethink how information is presented and consumed, since many were written in the early days without interoperability in mind.

Information Validation

Medical records are incredibly intricate. They involve a myriad of dense data related to symptoms, treatments, tests, etc. How do users know that a diagnosis on the blockchain is the most recent and “true” one? Again, the clear establishment of the most recent and relevant data would require the government and/or industry standardization of the deployment of date/time stamps, statuses, and additional information-validation tools.
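A minimal illustration of two points from the Data Volume and Information Validation sections above: blocks that hold only pointers and digests of off-chain records, and a timestamped chain from which the most recent record of a given type can be read off. This is an added example written for this page, not code from Merlin or from any blockchain platform; it is a plain SHA-256 hash-linked chain with constructed patient identifiers, store URIs and record contents, and it leaves out the encryption of blocks and of peer communication that the Authorized Access section also calls for.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    timestamp: str             # date/time stamp, the validation aid the page calls for
    patient_id: str            # assumed to be a reliable patient identifier (see Patient Identification)
    record_type: str           # e.g. "diagnosis"
    supersedes: Optional[int]  # index of the earlier record of the same type this one replaces
    payload_uri: str           # pointer into the off-chain store; the record itself is not on chain
    payload_hash: str          # SHA-256 of the off-chain bytes when the block was written
    prev_hash: str             # link to the previous block
    hash: str = ""


def block_hash(b: Block) -> str:
    """Digest of every field except the hash itself, over a canonical JSON encoding."""
    body = {k: v for k, v in asdict(b).items() if k != "hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class PointerChain:
    """Hash-linked blocks carrying only pointers and digests; bulk data stays off chain."""

    def __init__(self) -> None:
        self.offchain: Dict[str, bytes] = {}  # stands in for a document/image store
        genesis = Block(0, "1970-01-01T00:00:00Z", "", "genesis", None, "", sha256_hex(b""), "0" * 64)
        genesis.hash = block_hash(genesis)
        self.blocks: List[Block] = [genesis]

    def latest(self, patient_id: str, record_type: str) -> Optional[Block]:
        """The current record of this type: the newest block for the pair, walking back from the tip."""
        for b in reversed(self.blocks):
            if b.patient_id == patient_id and b.record_type == record_type:
                return b
        return None

    def append(self, timestamp: str, patient_id: str, record_type: str, payload: bytes) -> Block:
        """Store the payload off chain and commit a block that points at it."""
        prev = self.blocks[-1]
        earlier = self.latest(patient_id, record_type)
        uri = f"store://{patient_id}/{record_type}/{prev.index + 1}"
        self.offchain[uri] = payload
        b = Block(prev.index + 1, timestamp, patient_id, record_type,
                  earlier.index if earlier is not None else None,
                  uri, sha256_hex(payload), prev.hash)
        b.hash = block_hash(b)
        self.blocks.append(b)
        return b

    def verify(self) -> Optional[str]:
        """None if every block and the off-chain data it points at are intact, else the first problem."""
        for i, b in enumerate(self.blocks):
            if b.hash != block_hash(b):
                return f"block {i}: stored hash does not match its contents"
            if i == 0:
                continue
            if b.prev_hash != self.blocks[i - 1].hash:
                return f"block {i}: prev_hash link broken"
            data = self.offchain.get(b.payload_uri)
            if data is None or sha256_hex(data) != b.payload_hash:
                return f"block {i}: off-chain data at {b.payload_uri} missing or altered"
        return None
```

Because a block records the digest of the off-chain bytes, `verify()` detects a radiology image or lab result that was altered or deleted in the external store just as it detects a tampered block, and `latest()` answers the “most recent diagnosis” question from chain order rather than from a status field that would have to be edited on an immutable block.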

“Walk before we run”

Given the challenges, it’s inadvisable for the industry to dive “head first” into blockchain adoption. By definition, a disruptive technology, well, disrupts – often with both good and bad outcomes. If we focused on smaller and simpler business use cases – perhaps the tracking of joint implants or opioids, to cite two examples – we can improve the chances for positive experiences by standardizing practices as related to user authorization, privacy, information validation and security. With that, we can then decide how to expand (or not expand) our deployment. As a result, we’ll view blockchain not as some kind of new and mysterious and possibly risky disruptor, but as a better way to do what we do now.