Nov 8, 2020

Security in cross border healthcare: fundamentals?

Historically, the medical professional handled patient data with the privacy and integrity that the Hippocratic oath demanded.

 

Now that medical data is handled by so many different, non-medical professionals, in different organisations with different objectives, new standards have to be incorporated into data management architecture to match the same privacy and integrity that the medical professionals apply. 

This places the burden on the Information Security Professional to champion the cause at corporate level and provide the confidence and security that patients need.


Unfortunately, there are a few gray areas in the interpretation of the scope and responsibility of the Information Security Profession. The Wall Street Journal reported on the secret transfer of 50 million Americans medical data to Google for their own purposes under the Nightingale Project. It is also reported that Amazon, Microsoft and Apple are also pushing aggressively into the healthcare market. (wsj.com11/11/2019 4:27) This is not to be confused with another deal between Google and other smaller groups like Colorado Centre for Personalised Medicine, who only send encrypted data with the keys being held only on the medical site.

 

 

Let's raise the Bar...

 

Obviously, the massive tide of opportunities presented by larger organisations moving into the healthcare market cannot be ignored. For some people, the temptation to broker a deal with Google regarding your user data may appear financially tempting. However, as we all know, with that bait comes the call to maintain ethical standards of the medical profession, within our business and security framework.

Similarly, with the massive increase in commercial value of medical data among the criminal community, comes a call for greater depth and breadth in information security services for medical data. The volume of commercially available attack tools is growing daily. The sophistication of the more targeted attacks often requires a degree of forensics beyond the scope of most in-house cyber security teams. Very few organisations can afford the cost of a team of specialists in such a wide range of experiences.

Medical Professional Standards

The aim in Caresocius is to promote the same standards of integrity and confidentiality in Information Security that are applied to the medical profession.

To make this more real, lets make it personal.

How would you like your mothers medical data to be sold, profiled and used to manipulate her daily life, what she buys, where she goes and even what news she receives.

The security community recognise that medical data has greater longevity so more commercial value than even banking details. Banking details can be changed but medical data stays for the rest of our lives.

 

One challenge is to enable even the smallest point of contact with medical data to have the same data vault integrity as institutions with the resources to employ a full information security management and response team.

Another challenge is to promote and maintain adopted ethical approach to data security at all levels of operation.

Perhaps it is a little easier to promote ethical standards in a tight-knit, business community. Generally speaking, the larger the community the harder it is to get the adoption of ethical standards as a way of life.

However, presenting and maintaining a viable security profile for a clinic, at all levels of the organisation is a challenge when resources and experienced staff are not readily available.

 

Beyond the Bounds of the Enterprise

In these times of global connectivity, some wanted and some unwanted, even the smallest institution can be hit by a state-sponsored actor on another part of the globe.

Since they are no-longer the target but they become the vehicle to target others, the concept of the “Small, insignificant target” no-longer exists. Every member of the team is a useful target to the commodity hacking tools now available.

So, even the smallest medical service provider needs a strategy to stand against the thousands of spiders creeping across the threads of the global web.

The general feeling used to be that only the larger companies have sufficient resources and SME's are stuck, stranded, without any defence against the tremendous breadth and depth of commercially available exploits on the fingertips of potential criminals.

At Caresocius we want to dispel that myth:

It is time to stand on the shoulders of giants and offer the armoury of tools and services they have to spent years developing.

On the shoulders of giants

While waiting for the annual check-up on my car I met John Sherwood, the founder of SABSA, an enterprise security architectural standard. In that conversation I found confirmation of my concerns that we should broaden the security scope from Cyber Security to Enterprise Security- protecting the entire business model.

It became clear that although we had a small team, our personal experiences in emergency, crisis and recovery scenarios, coupled with I.T. and network management was sufficient to shift the focus from the narrow field of internal cyber security to externally supported Enterprise Security. It became clear that cyber security must incorporate the security of all aspects of the enterprise, from cleaner to client facing web services.

To carry this out would normally require considerable in-house resources. At Caresocius we decided to adopt the concept of standing on the shoulders of giants.

Why try to do in-house what is already available somewhere else!

With the global connectivity of data comes the global connectivity of security products and services. 

The strategy has been to develop four columns of expertise and experience that we could depend upon; Governmental, Industrial, Academic and International Standards.

With these columns we can offer a stable support to the full spectrum of clinical service providers with the confidence that their armoury behind us can deal with most of our security concerns.

 

Governmental

In 2016, the UK Government, national Cyber Security Centre formed the Active Cyber Defence initiative to reduce the high volume of commodity cyber attacks on UK businesses.

They recognised that the NCSC already developed strategies to help their national infrastructure defend against commodity cyber attacks. Recognising that these were plaguing much of British industry they decided to offer these services to vetted organisations working in critical industries.

We have found the services and experience invaluable, from basic take-down service, mail check, web check and a vulnerability disclosure platform to guidance and collaboration from highly skilled professional.

Industrial

Having explored various organisations, we formed partnership with a few high value partners. These have given us the capacity to carry out remote vulnerability analysis, rapid detection and response, cloud protection for the sales force, and to call upon specialist services for escalated incident response if needed. 

Academic

It is always useful to keep track on what the academic community is doing in their explorations and development of new lines of research and development. With the changing academic climate, many universities are seeking industrial contacts to generate revenue and their input is highly valued. As part of the E.U. Funded H2020 CUREX project. This has a focus in cyber security in healthcare. It works to discuss challenges, methodologies, tools and solutions to reduce the risks in clinics and hospitals.

International Standards

It became clear that standards are more of an asset than a problem.

We have seen how ISO27k, GDPR and HIPAA bring a degree of structure and consistency to the industry. They enable us to promote a genuine, maturity assessment to the board of most organisations. The risk of penalties is no-longer a burden to the InfoSec team but becomes a checklist that brings financial pressure on the commercial side to take things seriously and invest in security.

We find that bringing GDPR to the attention of Medical Data Management outside the E.U. re-enforces the need for Security by Design and restores the concept of Personal Ownership of data. This in turn lead Caresocius to place a Block-Chain approach into the long term development program for patient controlled data. 

In Conclusion

With £130bn stolen from global consumers in 2017, the global cyber crime market is an attractive source of revenue for organised cyber-crime. The situation is getting more serious within the US healthcare market where Universal Health Services stalled due to a cyber-attack, forcing some hospitals to resort to pen and paper. With an average ransomware payment of $234k USD and a median payment of $110k USD, the US healthcare services are becoming more aware of the risks they face. Not all these attacks are sophisticated. The fatal attack on a hospital in Germany was a result of widely used commodity software with known vulnerabilities that had not been identified. The legacy systems of some medical equipment and associated IT have been a challenge for some health centres. There may be a general reluctance to throw away a perfectly good medical scanner just because it can only work under Windows 7 for example.

However, with the globalisation of data comes the globalisation of the tools and services available from the cyber security community. Find the sources of experience and skills among the wealth of services available and build partnerships that will benefit you both. Do not try to go it alone, the front-line battle is too broad and the sheer volume of attacks too great.

You will be surprised at the quality and level of support these partnerships can bring. These mature professionals have acquired a range of experiences and have a willingness to step in if the problem seems overwhelming. There is an entire armoury of tools and services available from a variety of sources with years of experience. They are able off a depth and range of services to tailored to the level of involvement required.

Our partnerships can provide the armoury of tools and services you need for today, the maturity to recognise when things need to change, and the versatility to implement that change.