How to Keep Health Data Safe in the Age of Disruptive Technologies

We are elbow-deep in an age of disruptive technologies that aren’t just buzzwords any longer, but are entering into our health systems and every day clinical care.

The University of Pittsburgh Medical Center, for example, an innovator in using analytics, has recently also begun harnessing artificial intelligence to improve care.

The health system has developed AI-based algorithms used on its more than 27 petabytes of data to define patient subpopulations — those with congestive heart failure or asthma, for instance — to target interventions to those groups. It’s developed algorithms using electronic health record data to predict patient decline in hospitals.

In operations, it uses AI to predict which patients won’t show or cancel appointments within 24 hours, an effort to determine the availability of same-day appointments.

Machine learning and artificial intelligence are among the disruptive technologies research firm IDC highlights in its Worldwide Health Industry 2018 Predictions report. Others include: the Internet of Things, 3-D printing, next-generation security, augmented reality, virtual reality and blockchain.

SIGN UP: Get more news from the HealthTech newsletter in your inbox every two weeks

New Health Technologies Mean New Vulnerabilities

Securing the proliferation of data from these technologies will provide an immense challenge for healthcare organizations, according to Lynne Dunbrack, research vice president for IDC Health Insights.

With more data, there’s a bigger attack surface, she points out.

“The data sets are more robust now. They include clinical data, financial data, other identifying data of the social demographic. The personally identifiable data can then be used for medical identity theft. It all makes healthcare data that much more attractive for cybercriminals to attack healthcare, which is considered a soft target compared with other industries that invested earlier in security technology,” she says.

The explosion of IoT devices and networked medical devices are the biggest security threats among the emerging disruptive technologies in the view of Christopher Frenz, director of infrastructure at Interfaith Medical Center in New York. He wrote the Open Web Application Security Project’s (OWASP) report on medical device deployment.

Frenz points to the WannaCry ransomware attack, which affected some radiology equipment, as the most chilling example.

“WannaCry showed it’s not just a patient information issue, but a patient safety issue as well,” he says. “This creates a whole new and wholly unacceptable meaning for denial of service.”

Holistic Security Can Offer Health Systems Safe Harbor

Among the IDC predictions: By 2021, the world will have seen its first $100 million class-action lawsuit against a medical device manufacturer for negligence because of a cyberattack causing the death of more than 25 people connected to networked medical devices while hospitalized.

The security implications of new technologies must be evaluated individually, according to John Houston, vice president of privacy and information security at UPMC. It has a structured program to do that, whether it be artificial intelligence, Google Glass or any other emerging technology, he says.

“Any platform is going to have specific components that raise specific considerations from a security perspective, especially around how it’s going to be used in a hospital setting,” Houston says.

He considers the dramatic shift to the cloud one of healthcare’s greatest security challenges, since the data no longer remains under the organization’s control. And sensitive data is being pushed out in all sorts of new ways to patients’ devices and to physicians who may be vacationing in other parts of the world.

“I really have to think about how data is stored and delivered all over the planet. … It really is a problem of scale and where that data resides,” Houston says.

Security must be part of the conversation from the early design stages of any new project.

“You need to think about how it’s going to be used, how it’s going to be accessible, how data is going to be managed,” he said.

Healthcare’s approach to security traditionally has been comparable to the way preschoolers play soccer, according to Dunbrack — everyone goes after the ball at the same time. When there are phishing attacks, for example, everyone invests in anti-phishing technology.

“You really need to take a holistic view of security,” she says, advocating for a layered approach to cyberdefenses.

Every new technology is going to bring new risks, so any good security program is going to involve continuous evaluation and continuous improvement, according to Frenz.

He recommends using zero trust and defense in depth strategies because the traditional firewall approach to security just doesn’t work anymore, he claims. Signature-based defenses increasingly are ineffective because the majority of attacks involve malware the systems haven’t seen before.

The next-generation security IDC refers to uses AI and machine learning to determine normal system behavior and alerts on aberrations. By allowing only “known good” communications — the acceptable calls components need to make to do their jobs, for instance — it relieves organizations from just chasing after the ball.