The healthcare industry, including all partners, suppliers and advisors, is being inundated with new challenges. Meeting the expectations of digitally aware consumers, improving patient care, adopting new medical devices and technologies, and complying with evolving requirements all demand the protection of patient privacy. This paper explores the security challenges that come with these new demands, and the need for new and creative ways to address health cyber security and privacy, both inside and outside of the data centre.
This is the second paper in a series. The first paper, Healthcare Data Security: Part I, The Problem with the Future is the Past, offers a prescription for improving healthcare data security based on inventorying “protected” data items, conducting a business-oriented risk assessment and developing an iterative action plan.
Cyber security used to be a computer issue in the data centre. Healthcare management was a computer-intensive recordkeeping activity. There was a time when passwords, access controls and encryption pretty much covered the needs of a responsive healthcare cyber security program.
Things have changed. Healthcare compliance requirements have extended the concept of maintaining patient privacy to partners and service providers. Electronic medical record creation, storage and transfer have extended the need for security and privacy controls outside the healthcare enterprise, demanding a new set of standards and procedures to protect patient privacy among providers, payers and specialty services. For the most part, such issues can be addressed by continually improving cyber security policies and procedures; however, other challenges, such as the Internet of Health Things, are not being addressed.
Growing Connectivity beyond Health System Walls
Today’s medical professional is rapidly adopting advanced technology that is expected to both treat patients and maintain data. This technology is designed with built-in Internet connectivity that often is embedded in or placed near patients, not always in a medical facility, creating additional challenges.
Hospitals, clinics and medical facilities are being extended beyond their walls with home diagnostic and treatment capabilities, using devices that can be interrogated and programmed remotely for specific purposes. Unfortunately, this enhanced connected capability brings challenges of its own. Unauthorized individuals seeking to disrupt proper operation could gain access to these devices and technologies in a number of ways. Such bad actors could cause device failures or shutdowns. Even more threatening is the potential for introducing program code that purposefully compromises patient privacy and could even cause physiological harm.
The U.S. Food and Drug Administration (FDA) has recognized that this new medical technology is programmable in operation and has published draft guidance for the security of these devices. Their publication, “Post-market Management of Cyber security in Medical Devices,” [1] is an introduction to some guidelines for addressing security in this new area of the healthcare industry.