Federal Authorities Urge Healthcare Sector Entities to Take Caution
A host of cutting-edge technologies such as artificial intelligence and nanomedicine hold the potential to revolutionize patient care, but federal authorities are warning medical practices to evaluate the associated security risks.
The Department of Health and Human Services’ Health Sector Cybersecurity Coordinating Center joined a growing chorus of experts who simultaneously laud the potential of more accurate, AI-led detection of cancer, 5G cellular network-driven remote care tools and better drug delivery via nanoparticles while also urging caution. HC3 issued a threat brief spotlighting the potential security risks of emerging technologies.
Experts agree that the promise of various technologies in healthcare must be carefully weighed against the associated security risks.
“To say that organizations adopting these emerging technologies will come with security concerns is an understatement,” says Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center.
Here are some of the benefits and associated security considerations of the technologies HHS HC3 examined:
- Artificial intelligence: AI-driven analysis of big data sets can help accelerate and fine-tune diagnostic findings and clinical decisions. But because AI requires very large collections of data in order to learn, this data could be at risk if not encrypted at rest and in transit. Also, repurposed data could be re-identified, posing patient confidentiality issues.
- 5G cellular: 5G is expected to enable telemedicine and telesurgery due to the low latency it offers. 5G-enabled medical devices and other medical IoT will need end-to-end and whole-device encryption, strong authentication and other security measures to be implemented.
- Nanomedicine: The use of nanomaterials for applications such as diagnostic medical imaging or medical therapies – such as nanoparticles to deliver drugs to specific cells in cancer treatment – faces remote connectivity issues, including potential disruption of nanotechnology devices through distributed denial-of-service attacks.
- Smart hospitals: As facilities make use of the latest network-enabled devices and other advanced gear, software and components, large patient data repositories at rest and in motion need to be protected, “data pipes” must be resilient and systems must be continuously monitored.
- Quantum computing and cryptography: Quantum computing is expected to affect cryptography across many industries in the next decade, including potentially in healthcare for the protection of patient information. This will result in a need to assess, review and possibly update all cryptographic algorithms that are part of an information infrastructure.
Assessing the Risks
Jon Moore, chief risk officer at privacy and security consultancy Clearwater, says the stakes for good security are higher for a patient care setting, where lives can be saved or lost.
He is particularly concerned by the effect of quantum computing. “Imagine a race to identify and replace all the encryption algorithms currently in use in systems across the globe before hackers exploit them with quantum hacking tools. Organizations struggle today just to keep up with updates in their encryption protocols let alone finding and replacing all of them,” he says.
“Of course, this assumes that there are existing or new algorithms that are sufficient to protect against the threat with which they can replace them,” he adds.
How some of these newer technologies are integrated into existing healthcare environments is also a critical security consideration, other experts say.
“Smart hospitals have a blend of old technologies and newer innovations, improving the experience for both the patients and the clinicians,” says Sri Bharadwaj, chief operating and information officer of Longevity Health Plan and chair-elect of the Association for Executives in Healthcare Information Security, a healthcare CISO professional organization.
The key is to realize that legacy technology that is embedded in “newer shiny objects” still has the same security risks that have to be mitigated through strong administrative and technical controls to provide a robust complement to the newer technology, he says.
Teresa Tonthat, vice president of information services and CISO at Texas Children’s Hospital, offers a similar assessment.
“If nanomedicine is being built on the same framework and principles as legacy medical devices, I have grave concerns,” she says.
“One thing to always keep in mind is that as security leaders our job is to perform due diligence and assess the risk of all services and technologies. We are also to find ways to help mitigate the risk, where possible, and raise the risk awareness to the organization,” she says.
“It’s not our job to accept the risk for the organization but if any high-risk technologies are adopted, we must ensure we have the right people, process and capabilities to prevent, detect and respond to threats if the risks come to fruition.”