Healthcare information security

Security Technologies in Healthcare

Infosec
October 11, 2016 by
Infosec

Introduction

Information technology is an integral part of healthcare solutions nowadays. The Internet of Things (IoT) concept is already integrated into the design of various healthcare technologies. IoT healthcare products therefore inevitably arouse similar information security concerns as other network connected technologies. This new era of the healthcare industry generates considerable service and financial improvements for patients. Instant access to accurate patient data dramatically reduces the financial and time costs for both medical service providers and users.

Such convenience has created an unprecedented patient data ‘gold mine’ and multiple penetration points for malicious attackers. The multidisciplinary nature of healthcare assets brings about major information security risks resulting in identity theft, insurance fraud and data manipulation. Healthcare data is highly profitable. Exploiting millions of patient data can help cyber-attackers create scams, as well as allow marketing and insurance agencies to promote new services and conduct sophisticated market or suspected fraud investigation. Besides, the supply chains of healthcare solution providers can involve significantly diversified suppliers and contractors. The endpoint security, hardware and software compatibility and interoperability of each device in the supply chain can hardly reach perfect security. One concrete scenario is the case of remote robotic surgery. A man-in-the-middle attack (MiM) can take place in case the telecommunication channel between the remote surgeon and patient is not secure. Consequently, the patient’s life can be at stake.

Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

Security Technologies Basics in Healthcare

Bring Your Own Device (BYOD)

Bring your own device (BYOD) refers to a policy that personnel are allowed to bring their personal digital devices to the workplace and use them to connect to the workstation’s database, electronic service, communication, etc. BYOD is very popular among healthcare professionals due to the urgent nature of medical services. For example, doctors can take pictures of their patients’ X-ray scans, MRI images, wounds, etc., using their smartphones to communicate with their colleagues instantly. This practice can help ambulances, hospitals and any relevant institutions get better prepared for the patient.

Nevertheless, BYOD adds an additional burden to security management. Medical care institutions are obliged to allocate supplementary resources to define a successful and manageable BYOD program. They have to study and weigh the menace that each type of mobile digital device can pose against themselves. Most of the time, a comprehensive BYOD program includes a mobility usage policy that details employee responsibilities, education, and penalties. Personnel have to undergo internal training to be informed about using their personal device in the workplace.

Moreover, on the technology level, apart from educating personnel with good security practices for their mobile devices, such as using anti-virus programs and being alert about fraudulent messages, specialized software solutions can be a further protection. For example, healthcare service providers can implement a virtual desktop infrastructure (VDI) to limit the personnel’s access to patient data on their smartphones. The VDI administrator can assign specific timeslots to the users to access information based on relevant tasks and schedule. Another solution can be adopting a mobile device management (MDM) software to protect patient data. One of the key features of an MDM software is to allow personnel to verify their preferred tablets or smartphones as well as remotely destroy any sensitive data in case of loss.

Encryption

Both IoT devices and electronic healthcare record (EHR) systems are built on the basis of facilitating data exchange. Data security, therefore, is a priority in the design and implementation of a healthcare device or system. Indeed, it is a complex mission to cope with the trust issue for the entire healthcare supply chain ranging from software, computer processors to recording devices. The more sophisticated the system is, the more amplified the security risk will be.

Data loss can happen in any connection point in the supply chain. And, to a certain extent, it is inevitable. Yet, if healthcare data is encrypted, then the stolen data’s value will unquestionably diminish. The data thief’s cost in decrypting the stolen data will become very high and thus discourage network intrusions of a similar motive. The latest HIPAA regulation does not consider stolen but encrypted data as a security breach, in which there will be no negative legal impact against the victim. Hence, encryption technology should be employed in the process of transmitting healthcare data as well as on the database. For example, using digital signatures, encrypted channels and emails to communicate and exchange sensitive patient data is an essential practice that not only enhances healthcare system security, but also alleviates privacy concerns.

Comprehensive Healthcare Security Environment

The mission of healthcare professionals is to deliver medical treatment to patients, not deal with information security issues. Healthcare institutions can be particularly vulnerable in two aspects. On the system level, they are the warehouse of valuable data like a patient’s drug record, payment information, social security number, etc. Simply disturbing the personnel’s access to this information or wipe it from the database can deal a catastrophic blow to the organization. On the physical level, it is even more complicated because physical security has to be considered and integrated into the holistic deployment of a healthcare security system. Therefore, many specialized vendors and developers offer customized security technologies to healthcare institutions.

VMware—Virtual Machine Risk Mitigation

Virtual machine software (VMware) provides additional virtualized space for its users for multiple purposes and scenarios. VMware can be used to create virtual desktops, computer environments, sandboxes, etc. In other words, this technology can create a few scapegoats to deal with cyberattacks, or multiply backup databases and desktops. For example, in the event of a cyberattack against an EHR system, the concerned healthcare institution either retrieves data back from other virtual machines or creates a decoy EHR to take the attack. The institution might still suffer data loss, but it will continue to run the service with the backup data and workstations on the cloud. The risk and loss are both considerably reduced.

The ascension of ransomware in the last couple of years makes VMware technology more and more popular. Ransomware targets careless personnel. Once it is activated, the entire server will be encrypted with the attacker’s key. Unless the victim is willing to pay a ransom, the locked server will rarely be decrypted again. VMware technology can be an insurance for healthcare institutions.

Industry Integrated Solution

As mentioned, healthcare professionals are not trained to manage information security issues. Experienced information technology vendors such as Oracle, Cisco, Siemens, etc., develop security service packages to suit the needs of an entire medical establishment. For example, risk assessment can be broad aiming at more dimensions than remote cyberattacks. Building entrance identity verification, video surveillance, security personnel background check, remote trusted third party monitoring, etc., are all instances that go beyond software, hardware and data security of a particular database or device. Blacklisted and suspicious individuals who could spy, disrupt and damage the physical information technology infrastructure of the building are as problematic as those attacking in cyberspace. Such solutions deal with comprehensive security regarding risks that can be initiated and generated within the physical building.

Future of Healthcare Security Technology

In the U.S., policy enforcement in securing healthcare technology has been in effect for over a decade. The number of innovative startups suggesting healthcare solutions using augmented reality, EHR system, wearable smart device and robotics increases every year and those who already secured their market position are developing fast. The following table shows a list of major healthcare technology security concerns and the startups’ solutions:

Startup Security technology Targeted security risks Solution

Virta Laboratories Continuous risk assessment and optimal system uptime Existing security tools leave gaps when deployed in diverse medical environments, and they often introduce new risks of downtime. Customized solution for hospitals and medical device manufacturers to measure and visualize exposure to cybersecurity risks without interrupting clinical workflow and defend against ransomware.

eKincare Encryption Spyware and data theft on the users' digital device Encrypt patient health records and keep it on the cloud so that they can access the dashboard anywhere using a PC or a mobile device.

Bitglass Encryption Spyware and data theft on the users' digital device A combination of visibility and data security — access control, data leakage prevention, cloud encryption, file encryption, data tracking/fingerprinting, etc.

Box & SafeNet Encryption Spyware and data theft on the users' digital device Box Enterprise Key Management lets users hold on to their encryption keys while using the Box platform (in partnership with Amazon Cloud to provide server set up service).

Gurucul Early anomaly detection Advanced cyberattacks of various motives and strategies The PIBAE (Predictive Identity Based Behavior Anomaly Engine) platform uses machine learning algorithms and advanced analytics to detect anomalous behaviors such as spikes in activity during off-hours and abnormal transaction patterns, with the goal of stopping breaches before they happen.

Preventice IoT monitoring system Intended fraudulent data Preventice provides an always-on, remote-monitoring wearable device that measures arrhythmias outside of the hospital, as well as a dashboard that lets physicians and caregivers know when to reach out to help an individual with cardiovascular risks. It measures each heartbeat correctly and securely stores patient data in order to avoid creating false alarms or introducing security risks.

Gartner research suggested in a study that IoT healthcare devices and solutions are expected to generate an additional 1.9 billion USD in economic value to the existing one by 2020. This figure shows the optimism of IoT healthcare technology development. However, it also means that large scale cyberattacks will continue to take place. The Anthem hack in 2015, for example, which resulted in the loss of 78.8 million patients’ personal and health data such as contact information and social security numbers, has provoked fierce public discussion around the world. While healthcare professionals wish to perfect their solutions and products via information technology, it is essential not to neglect the security aspect in design, deployment and evaluation.

 

Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

 

Infosec
Infosec