Emerging Technologies in Healthcare

September 28, 2016 by Infosec

Technology development has been transforming and adding value to healthcare service providers and practitioners. Many technological innovations have been introduced to the field in the last decade. They have brought a great deal of advantages and convenience to patients in particular, enhancing service quality and efficiency. The application of various healthcare technologies has also lowered the financial and time costs of studying patient records and developing healthcare solutions.

Today’s medical care, consultation and assistance are highly connected through the Internet. The healthcare service provider and customer can exchange feedback with each other instantly. The Internet of Things (IoT) further encourages healthcare device manufacturers to design new products with embedded systems to record and follow up on the patient or customer’s health data. The entire ecosystem of healthcare technology is growing rapidly in the world, notably in the U.S. New healthcare solutions are being brought to the market every day. Nowadays, a patient’s needs can be better met thanks to this new technology era. However, this fast healthcare technology development also has a negative impact, in particular information security and confidentiality issues for the stakeholders of the industry.

This article presents a number of emerging healthcare technologies, discussing their usage and security vulnerabilities.

The emerging healthcare technologies

Electronic health record (EHR)

EHR is a system that comprehensively collects patients’ medical data such as their previous medical treatment history, drug usage, allergies, test results, X-ray scans and other relevant information. Healthcare professionals can access the patient’s data file instantly and thus carry out a thorough medical examination.

Prior to the introduction of EHR, medical records were dispersed. The same patient might have various medical records at different medical service providers. Consequently, the monitoring and follow-up of the same patient’s medical history could be duplicated or lost, and therefore inaccurate. Hence, the implementation of EHR has multiple advantages for healthcare service seekers, practitioners, researchers and government.

Patients have one unique and centralized health record. Doctors and pharmacists can rely on this information to provide better treatment and medical advice. In addition, EHR stores millions of patient records which provide valuable raw data for high level medical science and public health policy research. For example, governments can rely on the EHR to observe and monitor public health issues and trends; pharmaceutical corporations can study the consumption of certain medicine and its effects on one particular person, an ethnicity or a population.

A notable EHR startup is Practice Fusion. It is reported that the company covers approximately 25% of Americans’ health records and more than 110,000 healthcare practitioners are subscribers of Practice Fusion’s service. Less than a decade after the U.S. healthcare digitalization wave started, Practice Fusion’s figures look promising and impressive for the future of EHR development.

Remote surgery

Remote surgery describes the telepresence of the surgeon. Tele-robotics technology allows surgeons to remotely manipulate a medical robot and perform surgery on a patient thousands of miles away from the surgeon’s physical location. Remote surgery brings previously unimaginable surgery scenarios to reality.

Over approximately a decade, the application of remote surgery has achieved considerable success. A notable example is the case of a Canadian surgeon, Mehran Anvari, who sewed up a cut for a patient living in the ocean, at the Aquarius underwater base. Another example is the widely adopted Da Vinci Surgical System. Since its introduction in the early 2000s, it has been promoted all over the world for complex surgery adopting a minimally invasive approach. In 2012, an estimated 200,000 operations were performed with the Da Vinci Surgical System around the world. Through remote surgical robotics, surgeons and patients can avoid traveling costs. Therefore, the patient can receive faster or immediate treatment without the physical presence of the surgeon. One more developing example in remote robotic surgery innovation is the joint venture of Johnson & Johnson and Verily Life Sciences LLC. The joint venture started its fundraising less than a year ago, aiming at 150 million USD for adding advanced imaging and sensors to surgical tools to help doctors during operations.

Augmented reality

Augmented reality (AR) is a modified and adapted reality created by computer sensors, GPS, software, etc., to assist the user in carrying out a particular task. For example, AR can establish a third person view to give a different portrait of the same scenario or telecommunicate a first person view to a third party.

AR’s applications in healthcare include, for instance, virtual diagnostics and remote medical emergency reporting. AED4EU is a mobile application designed for such a purpose. It assists its users in reaching the closest medical assistance center with geolocalization. In Australia, the startup Small World introduced a service in collaboration with Google Glass for breastfeeding assistance in 2014. A remote counselor can instantly advise a mother wearing Google Glass about problems regarding breastfeeding in first-person view.

AR can also be applied to remote surgery, where it allows surgeons to visualize the entire surgical operation scenario. In healthcare education, AR is widely adopted in medical schools’ lecture rooms. Medical students can study different surgeries from a variety of perspectives. Moreover, they can practice their surgical skills in an AR simulated environment. The dental school at the University of Strasbourg currently employs AR technology to assess its students’ sculpting coursework. Faculty and students of Strasbourg University’s dental school, like Dr. Roger Joerger and Dr. Alexis Jenny, are prominent researchers and practitioners in applying AR technology in dental care.

Wearable/smart devices

Wearable healthcare devices have been marketed not only for their main purpose, but also as symbols of being trendy and fashionable. The rise of IoT significantly encourages healthcare device manufacturers to develop products that constantly exchange user data with their monitoring networks. The application of wearable medical devices ranges from basic usage, such as sport performance recording and sleep quality follow-up, to more sophisticated functions, like asthma management and posture correction systems.

There are many different devices in the market and most of them require installing a smartphone application. The wearable devices are then connected to the users’ smartphone via Bluetooth or local network. Thus, the users’ data can be synchronized with the device manufacturers’ database and monitoring system.

As an example, the renowned worker safety solution provider, Kinetic, creates a workforce injury monitoring system for labor-intensive industries. Such an innovation can contribute to the reduction of employers’ medical costs for their workforce as well as the optimization of workforce performance as a result of decreased injuries. Kinetic can be considered a pioneer in the IoT environment and we are very likely to see an increasing number of startups providing innovative IoT smartwear solutions in the near future.

The emerging healthcare technologies emphasize network connection and data synchronization to attain the monitoring, alert and follow-up objectives. This development background inevitably generates many network connection points in the manufacturing and data storage supply chain. Therefore, it may arouse the interest of malicious individuals or groups in exploiting possible vulnerabilities.

Healthcare and information security

Having overviewed the emerging healthcare technologies, it is evident that healthcare seekers can achieve better convenience and satisfaction through these new methods. Nevertheless, such innovative treatments are often accompanied by new risks. Healthcare is a large and multidisciplinary field. It generates fierce debates regarding healthcare cybersecurity, financial issues and personal health and safety risks.

As a matter of fact, healthcare data carries high monetary value for both criminals and legitimate businesses. On the one hand, malicious criminals can use the healthcare record of a certain patient to design a personalized phishing scheme. On the other, advertising and marketing agencies can do the same to promote specific products to the targeted patient or population. This lucrative aspect naturally attracts actors with different objectives to exploit it.

Many healthcare service providers and smart device manufacturers have already integrated constant network connection and data synchronization into their designs or services. More importantly, in high-risk digitalized healthcare practices like remote surgery, surgeons manipulate, communicate and give instructions to the patient situated on the other side of the world via the Internet. In other words, not only is the customer, patient or user’s private information at stake, but their lives can also be in danger. Both are exposed to risk from intended cyberattacks and unintended internal leaks.

Motherboard published a brief but intensive investigation in July 2016 about the vulnerabilities of remote surgical robots. The journalist interviewed bio-robotics researchers at the University of Washington about the security vulnerabilities of remote tele-robotic operation. A number of teleoperation scenarios such as space exploration, high temperature and pressure environments as well as battlefields were discussed to show the increasing reliance on remote control and operation technologies. The investigation further demonstrated a potential risk during a remote surgery: a man-in-the-middle attack (MiM) that could endanger the life of the distant patient. In the words of the researchers, a silent assassination can take place without anyone learning that it is happening. Speaking of this life and death scenario may seem distant and unrealistic now as remote surgery is not yet exceptionally popular, nor is it a medical necessity for a significant population.

The Anthem hack in 2015, which resulted in the loss of 78.8 million patients’ personal and health data such as email addresses and social security numbers, made headlines in the Wall Street Journal. Obama’s chief adviser on cybersecurity, Michael Daniel, was a customer of Anthem’s insurance service and thus a victim of this cyber incident. The Obama administration immediately requested Congress to reinforce data protection for consumers. A year after the Anthem hack, except for some vague leads suspecting the Chinese army’s involvement, the culprit behind such a large-scale and high-profile attack is still on the run. Very recently, a group of Ukrainian hackers, Pravvy Sector, succeeded in gaining unauthorized access to the server of Central Ohio Urology Group and stole 223GB of confidential data. Stolen healthcare data is available for sale on the dark market. Obviously, the demand for such information is strong and healthcare technology advancement has generated, at the same time, opportunities for criminal endeavors.

Although there are certainly security regulations and guidelines for healthcare technology developers to follow, the financial and time costs of abiding by them as well as keeping updated can be an obstacle for corporate designers and developers. Under such circumstances, it is foreseeable that network security breaches against healthcare service providers and device manufacturers will go on to take place in the future.
