Reflections on HIMSS Discussions

Meeting HCO security needs on a budget

In the month since this year’s HIMSS conference, no fewer than three data breaches involving the exposure of patient information have made the news. Though the methods by which the hackers gained access to this critical data varied – in one instance a malware attack, while a data storage error and employee email were allegedly implicated in the others – the fact remains that healthcare organizations (HCOs) are facing an increasingly uphill battle in securing the right technology and talent to avoid becoming tomorrow’s headline.

While each HCO has a unique set of considerations and priorities, when it comes to data security nearly all are facing some version of the same challenge: finding the talent and technologies to meet both needs and budgets. Smaller organizations, whose resources are often more limited, seem to be struggling in particular. At HIMSS, a security analyst from a more modestly sized hospital shared with me that though he would like help, there wasn’t the money to make hires, and even if the budget did exist he’d face the further difficulty of finding the right talent to fill positions.

The biggest challenge: staffing

In multiple conversations with HIMSS attendees, insufficient staffing was consistently noted as the biggest challenge to improving cybersecurity posture. This mirrors results detailed in our study ‘The State of Cybersecurity in Healthcare Organizations in 2018’, conducted in partnership with the Ponemon Institute and released immediately following the conference. According to 74 percent of respondents, the lack of in-house expertise and security leadership makes it more difficult to reduce risks, vulnerabilities and attacks. As a result, organizations are looking to augment the staff they do have with technological solutions.

Among solutions gaining prominence with HCOs looking to improve security without breaking the bank are identity and access management tools. Affordable and unobtrusive, multi-factor authentication is proving popular for preventing password fraud, specifically among remote and privileged access users. Organizations have also had success implementing security information and event management (SIEM) solutions that aggregate data produced across networks, servers, databases, applications and devices. But monitoring and managing SIEM data can be complex and time consuming, often requiring one or more dedicated staff depending on an HCO’s size. And finding the necessary expertise to quickly identify weaknesses and threats to IT infrastructure could prove problematic, with nearly 80 percent of Merlin study participants finding it difficult to recruit IT security personnel.

The affordable technological solution

According to the HIMSS participants with whom I spoke, the perfect technological solution would provide a 360-degree view of their cybersecurity with analytics and AI layered on top, something we at Merlin are working to deliver. In the meantime, our research shows there are plenty of lessons to be learned from high-performing healthcare organizations in significantly reducing cyber attacks. High performing organizations are more likely to have an incident response plan and a strategy for the security of medical devices (a looming and largely unaddressed threat, according to HIMSS presenters). These organizations are also proactively investing in employee awareness about cybersecurity risks – conducting audits and assessments, providing regular training and incentives, and conducting phishing tests, for example – and ensuring third-parties safeguard patient information. Implementing any one of these practices would improve cybersecurity posture critical to patient safety.

You don’t need to be a healthcare information and technology professional to recognize that HCOs are facing constant, increasingly destructive and costly cyber attacks. Doctors will tell you that even small changes can deliver positive results to overall health. That advice could just as easily apply to cybersecurity. Only through the incremental implementation of both new technology and best practices can we protect patient data and access to essential care, and improve our overall IT health.

What Healthcare Organizations Need to Know about Blockchain

Blockchain: the next great frontier?

Is blockchain the next great frontier for healthcare? Or has the hype far surpassed reality – is it a pipe dream that could never conceivably work in such a complex and heavily regulated industry?

I believe the correct answer lies somewhere in between: Blockchain brings the promise of improved, more efficient information management, with possibly even better security. But, like any other technology that is new, complicated and disruptive, we should “walk before we run” by trying it out on a smaller scale to get a sense of “success stories” and “lessons learned” before expanding its reach.

At the very least, it’s encouraging to see that industry leaders are taking a close look at blockchains as a remedy for current information-management woes. The general public commonly associates the technology, understandably, with bitcoin and other cryptocurrencies. However, the actual innovation behind blockchains can apply to a far broader range of industries, including healthcare.

Traditionally, “owners” of particular patient information and other records store, keep and hopefully secure the data. If a vacationer has an accident at the beach, for instance, a physician from an oceanside clinic may need a prescription history of the vacationer from the family doctor from home, since the family doctor “owns” the information. The clinic has to request the history from the family doctor’s office – and if the accident occurs on a weekend, the information won’t be available until the following Monday.

Blockchains can help the industry “cut to the chase” by storing a vast array of data on linked, encrypted blocks which aren’t “owned” by any particular institution or person – circumventing cumbersome and complex procedures required to deal with a deluge of data that grows by the minute. The blocks are replicated throughout a network which is always kept in sync with consistent, updated information, producing a much-sought “single source of truth.”

Regardless of which healthcare organization employs them, users gain access to the blocks through authorization processes based upon the relevancy of the data to their job roles. From the patient care perspective, blockchain records could eventually include details about prior operations/illnesses, medications prescribed, blood work results, etc. From the healthcare provider administration and research side, they could cover clinical trials, insurance policies, billing accounts, etc. Note the use of the word “eventually” here, because we do not feel that such use cases are entirely possible right now – at least not without creating serious issues.

Despite the potential for obstacles, the industry appears poised to buy in in a big way: The global blockchain in healthcare market will grow to $5.61 billion by the end of 2025, up from its current value of $176.8 million, according to a forecast from BIS Research. By sometime this year, no less than 86 percent of surveyed healthcare executives anticipate that their organization will finance blockchain applications in at least nine categories, with medical/health records (94 percent), billing and claims management (also 94 percent), medical device data integration (92 percent), asset management (91 percent) and contract management (90 percent) accounting for the top five categories for planned adoption, according to research from IBM.

When asked about the problems that blockchains could solve, healthcare providers cited inaccessible information (61 percent), information risks (60 percent), transaction costs (58 percent) and inaccessible marketplaces (58 percent), according to the IBM research.

But, to reach this point, we’d have to address the aforementioned obstacles, as posed by the following challenges:

Patient Identification

There is no unified, consolidated system for identifying every patient who would be connected to a blockchain. If a doctor and his team members in Detroit have to call up the medical history of a local patient named “Henry Brown,” how do they know they’re accessing information about the right Henry Brown? There are likely many people in the city with the same name. For blockchains to work as an all-encompassing, real-time repository of health records, we would need to develop – through the government and/or an industry effort – a reliable, comprehensive national patient identification database linked to all electronic medical records (EMR) systems to ensure that the right people are accessing the right information.

Data Volume

Blockchains are not currently designed to store very large files (radiology images, genetic testing results, colonoscopy videos, etc.). For now, this limitation will lead to the storage of large data “off chain,” with the blockchain itself strictly containing pointers to all the data.

Patient Privacy

Blockchains are inherently transparent – they reveal every transaction in the chain. This presents privacy issues, especially for patients. Blockchains for cryptocurrencies, of course, have gotten hacked, so the same likelihood exists for blockchains supporting medical purposes. One solution: Designating patients as the “owner” of their blockchains, just as cryptocurrency investors “own” their own e-wallets. If the patient owns a blockchain, the patient can decide who is allowed to view it on a case-by-case basis. Conceivably, the patient would also have to approve of the cybersecurity measures taken to protect the blockchain, or at least agree to absolve outside parties of any responsibility for a hack.

Authorized Access

Who should access the blockchain, and how much should they see? How do you enforce authorized access? This necessitates an understanding of the contractual obligations between parties to take part in serial immutable transactions. Since these peers are frequently geographically distributed, a central entity would have to ensure that the contracts are adopted, executed, cataloged and auditable. They should adhere to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) for storing the protected health information (PHI) of Americans, and the EU’s General Data Protection Regulation (GDPR). Because the communications need to be secured, highly effective encryption must not only secure the data in the blocks, but protect communication among the many peers. Existing systems will have to rethink how information is presented and consumed, since many were written in early days without interoperability in mind.

Information Validation

Medical records are incredibly intricate. They involve a myriad of dense data related to symptoms, treatments, tests, etc. How do users know that a diagnosis on the blockchain is the most recent and “true” one? Again, the clear establishment of the most recent and relevant data would require the government and/or industry standardization of the deployment of date/time stamps, statuses, and additional information-validation tools.
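To make the two mechanics above concrete, the “off chain” pointer from the Data Volume section and the date/time stamps and statuses this section says are needed to find the current record, here is a small worked example added for this page. It is not Merlin’s code and does not follow any real blockchain platform’s block format; the field layout (patient ID, record type, status, timestamp, off-chain URI, SHA-256 of the payload), the `store://` URIs and the sample payloads are all assumed for illustration. Only hashes and pointers live on the chain; the large payload stays off chain and is checked against its pointer when fetched, and the newest block for a patient/record type decides which record is current.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed example: a minimal hash-linked ledger. Each block carries only a
# pointer (URI + SHA-256) to a large payload kept off chain, plus the fields a
# reader needs to decide which record is current. The field layout is assumed.

GENESIS_HASH = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    patient_id: str       # assumed to come from a national patient-ID lookup
    record_type: str      # e.g. "diagnosis", "radiology-image"
    status: str           # "active" or "retracted"
    timestamp: int        # seconds since epoch, assumed issued by a trusted clock
    off_chain_uri: str    # where the large payload lives (assumed URI scheme)
    payload_sha256: str   # integrity pointer to that payload
    hash: str = ""

    def compute_hash(self) -> str:
        # Hash every field except the hash itself, in a canonical encoding.
        body = {k: v for k, v in self.__dict__.items() if k != "hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


def append_block(chain: List[Block], patient_id: str, record_type: str, status: str,
                 timestamp: int, off_chain_uri: str, payload: bytes) -> Block:
    """Store only the hash of `payload` on chain; the bytes themselves stay off chain."""
    prev_hash = chain[-1].hash if chain else GENESIS_HASH
    blk = Block(len(chain), prev_hash, patient_id, record_type, status,
                timestamp, off_chain_uri, sha256_hex(payload))
    blk.hash = blk.compute_hash()
    chain.append(blk)
    return blk


def verify_chain(chain: List[Block]) -> bool:
    """True only if every block's hash is intact and links to its predecessor."""
    expected_prev = GENESIS_HASH
    for i, blk in enumerate(chain):
        if blk.index != i or blk.prev_hash != expected_prev or blk.hash != blk.compute_hash():
            return False
        expected_prev = blk.hash
    return True


def verify_off_chain(blk: Block, payload: bytes) -> bool:
    """Check that bytes fetched from off-chain storage match the on-chain pointer."""
    return sha256_hex(payload) == blk.payload_sha256


def current_record(chain: List[Block], patient_id: str, record_type: str) -> Optional[Block]:
    """The newest block for this patient/record type decides what is current;
    if that newest block is 'retracted' there is no current record."""
    matches = [b for b in chain if b.patient_id == patient_id and b.record_type == record_type]
    if not matches:
        return None
    newest = max(matches, key=lambda b: (b.timestamp, b.index))
    return newest if newest.status == "active" else None
```

Two points the code makes that the prose only implies: a historic block cannot be quietly edited (changing any field breaks `verify_chain`), so a correction or retraction is always appended as a new block, and “most recent” is only meaningful if the timestamps come from a source every peer trusts, which is exactly the standardization gap the section describes.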

“Walk before we run”

Given the challenges, it’s inadvisable for the industry to dive “head first” into blockchain adoption. By definition, a disruptive technology, well, disrupts – often with both good and bad outcomes. If we focus on smaller and simpler business use cases – perhaps the tracking of joint implants or opioids, to cite two examples – we can improve the chances for positive experiences by standardizing practices related to user authorization, privacy, information validation and security. With that, we can then decide how to expand (or not expand) our deployment. As a result, we’ll view blockchain not as some kind of new, mysterious and possibly risky disruptor, but as a better way to do what we do now.

What Healthcare Organizations Should Consider Before Migrating to the Cloud

Limited cloud adoption

On the surface, findings from Healthcare Information and Management Systems Society (HIMSS) research convey a sense that healthcare organizations are universally embracing the cloud. According to the study, an estimated 84 percent currently use cloud services.

But dig a little deeper and you discover that adoption is limited, especially for critical functions related to electronic medical records (EMRs) and enterprise resource planning (ERP). Only 34 percent of healthcare organizations have migrated clinical applications and data to the cloud, and just 32 percent use the cloud for archived data and Health Information Exchange needs. In addition, less than one-quarter are turning to the cloud for back office apps and data.

Key considerations before migrating

In my interactions with industry executives, many say they’re testing the waters, with email, file storage and the like. Even so, they’re reluctant to wholly replace in-house data centers with public cloud versions. Use of EMR, ERP and analytics vendor hosting is popular, however. But this should generally be considered as private cloud hosting in a geographically separate data center.

Yet, given the vast and often-reported benefits of the cloud – including the improvement of workflows through greater flexibility, collaboration, efficiency, rapid scalability, and productivity – many of these same executives are seeing advantages in an increased presence. In determining whether the cloud is right for an organization, I stress four key considerations:

1. Security remains the greatest concern

Indeed, security ranked #1 among adoption barriers in the HIMSS study, as cited by 54 percent of study participants. While the sentiment is understandable, I believe the issue is somewhat overblown. Cloud vendors have more security measures in place, with more infrastructure and power. If breaches do occur, they’re usually the result of employees not adopting proper guidelines and security best practices. In my experience, following a reputable cloud vendor’s rules will keep you as protected as, or even more protected than, keeping everything on-premises.

2. Network reliability can be uncertain

If you use a private host for your network, you likely have strong datacenter redundancy for maximum uptime. But if you’re running your network on a public cloud, you’re entirely dependent upon the internet. If your connection to the internet goes down, you will lose access to business-critical resources until connectivity is restored. That’s a big gamble. You could reduce risk by paying for two or three regional internet services – but this may prove too costly for some organizations. And for those in rural areas, it’s not even feasible.

3. Speaking of costs…

If you’re planning to store massive volumes of data in the cloud, you’re looking at a hefty monthly bill – one that will typically exceed what you’d pay with an on-premises datacenter. That said, if you have a large amount of infrastructure which has to be replaced, it could make sense. You eliminate the “short-term pain” of a huge capital investment by rolling it into a monthly, operational expense. For some organizations, this approach may be more fiscally realistic.

4. “So what if we simply ‘dip our toes’ into the waters with a hybrid model?”

This comes up in my conversations all the time. Healthcare executives want to put “safe” data assets in the public cloud, and keep more sensitive/mission-critical ones closer at hand. However, hybrid models elevate the complexities of ID management. If you extend the network over a combination of on-premise, private hosted, private cloud and/or public cloud options, you create ID management issues which could result in operations disruptions and potential employee backlash over the inability to access the data, files and apps that they need to do their jobs. HIPAA data access logging and auditing become a larger and more diverse challenge.

Currently, there are few tools available which would help IT teams resolve these problems. We have experience at Merlin with a very powerful tool that provides a single “pane of glass” to manage identities across all environments and many key applications regardless of where they are hosted.

Weighing the pros and cons

As you can see, deciding whether to migrate significant IT functions to the cloud isn’t a “one size fits all” proposition. You must measure the pros and cons based upon your organization’s size, location, industry niche and other relevant factors, while also assessing the various comfort levels with any changes the cloud may bring. Finally, calculate expected ROI comparing it against the financial impact of not making the switch.

In other words, cloud migration is as much a business proposition as it is a “tech thing.” Proceed accordingly.

How Healthcare Organizations Can Reduce the Cybersecurity Risks of IoT

The increasing adoption of IoT

If you walk through the corridors of a hospital today, you will inevitably be surrounded by the Internet of Things (IoT). From X-ray machines to heart monitors to even HVAC units and refrigerators, healthcare organizations are turning to connected devices and machines to provide not only better care but an improved “patient experience.”

Because of this, the IoT’s presence within the industry is expected to increase rapidly for the immediate future: The IoT healthcare market is growing 30.8 percent every year and is projected to reach just over $158 billion by 2022, up from $41.22 billion this year, according to research from MarketsandMarkets.

By 2018, 87 percent of healthcare organizations will have adopted IoT technologies, as three-quarters of executives believe IoT will transform the industry, according to research from Hewlett Packard Enterprise’s Aruba Networks. Patient monitors have emerged as the most common use of IoT (currently present within 64 percent of organizations) followed by energy meters (56 percent) and X-ray/imaging devices (33 percent). Four of five executives expect IoT to encourage more innovation, while about three-quarters anticipate that it will expand organization-wide visibility and boost cost-savings.

Proactive steps to prevent security breaches

Yet, there are concerns about the technology, as 89 percent of healthcare organizations have suffered from an IoT-related breach, according to the Aruba research. Hackers are well aware, of course, that IoT brings new vulnerabilities, and they are eager to exploit them. In April, testimony from a top Merck & Company cybersecurity executive before the House Committee on Energy and Commerce’s Oversight and Investigations Subcommittee validated the concerns.

“In just the last few years … we’ve seen more than a hundred million health records of American citizens (compromised or threatened) in a couple of well-publicized incidents,” said Terry Rice, vice president of IT risk management and chief information security officer (CISO) at Merck. “We have seen how software vulnerabilities in insulin pumps and pacemakers can be exploited to cause potentially lethal attacks. And we have witnessed entire hospitals in the United States and the U.K. shutting down for multiple days to combat ransomware infections in critical systems. Unfortunately, I believe these incidents underrepresent the risk we are facing.”

Given the developments, healthcare CISOs and their teams should consider the following proactive steps to prevent horror movie-like “Attack of the Connected, Wild Things” scenarios – steps that respond to both the technological and human-focused elements of this emerging technology:

Segment everything

You should create a dedicated, separate network for IoT. With a segmented architecture entirely fortified by its own firewalls, you ensure that IoT devices will never interact with the rest of your enterprise network environment – including patients’ personal information, fiscal reports, HR records, etc. Connected devices and machines will strictly communicate with the servers which support them, and the ports and destinations they serve. Thus, if attackers compromise them, there’s only so much damage they can do, because their activity and malware are sealed off from everything else.

Establish controls over implementation

Frankly, organizations are taking an “anything goes” approach with IoT – one that undermines their ability to properly oversee and control it. A facilities manager, for example, could decide to install a connected alarm system in the elevators. An anesthesiologist may plug in a new product to see how it works. Hospitals win research grants all the time, and these grants often arrive with IoT-enabled technologies to assess.

In too many cases, however, all of this takes place without bringing in the CISO. Non-IT executives approve an acquisition, and their staffers simply “plug in” without thinking about whether they’re introducing new vulnerabilities. So, clearly, CISOs must work with C-suite leaders to come up with policies which will require the involvement of security teams in any IoT initiative, large or small, with threat vigilance always incorporated into the process.

Expanding visibility

The CISO’s mantra, “You can’t protect what you can’t see,” is more relevant than ever. It’s difficult to protect the enterprise, after all, if you don’t know who is plugging in what, and where. Through the effective, organization-wide visibility of all systems activity, you will receive notifications every time new IP addresses show up. When they do, you can verify whether they are properly sealed off within your segmented, IoT network. If they aren’t, you can shut them down until IT can locate them and redirect them to the segmented network.
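As an added example that is not Merlin’s own tooling, the following script serves both the “Segment everything” and “Expanding visibility” steps above. It assumes a dedicated IoT subnet (`10.50.0.0/16`), a small host inventory in which each IoT device lists the servers and ports it is allowed to reach, and a flow-record line format of the kind a firewall or NetFlow exporter might emit; the addresses, ports, device labels and sample lines are all constructed. It raises a `new-device` alert when an unregistered address appears, adds `outside-iot-segment` when that address is not even inside the IoT network, and raises `segmentation-violation` when a known device talks to anything other than its own supporting servers.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed example (not Merlin's tooling). The IoT segment, the inventory and
# the flow-record format are all assumed for illustration.

IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")  # assumed dedicated IoT network

# Known hosts. For an IoT device the value is the set of (server, port) pairs it
# is allowed to reach; None marks a non-IoT host that this check does not police.
INVENTORY: Dict[str, Tuple[str, Optional[Set[Tuple[str, int]]]]] = {
    "10.50.1.10": ("patient-monitor-ward3", {("10.50.250.5", 443)}),
    "10.50.1.11": ("infusion-pump-icu", {("10.50.250.6", 8443)}),
    "10.20.7.30": ("clinician-workstation", None),
}

# Assumed flow-record line format, e.g. from a firewall or NetFlow exporter.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flow(line: str) -> Optional[dict]:
    m = FLOW_RE.match(line.strip())
    if not m:
        return None  # malformed lines are skipped, not guessed at
    d = m.groupdict()
    return {"ts": d["ts"], "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "proto": d["proto"]}


def check_flow(flow: dict, inventory=INVENTORY, segment=IOT_SEGMENT) -> List[Tuple[str, str]]:
    """Return (alert_type, detail) pairs for one flow; an empty list means it is fine."""
    alerts = []
    src = flow["src"]
    if src not in inventory:
        # Visibility: an address nobody registered has shown up on the network.
        alerts.append(("new-device", f"{src} is not in the inventory"))
        if ipaddress.ip_address(src) not in segment:
            # It is not even inside the IoT segment, so it cannot be a sealed-off device.
            alerts.append(("outside-iot-segment", f"{src} is not inside {segment}"))
        return alerts
    label, allowed = inventory[src]
    if allowed is not None and (flow["dst"], flow["dport"]) not in allowed:
        # Segmentation: a known IoT device is reaching something other than its own servers.
        alerts.append(("segmentation-violation",
                       f"{label} ({src}) -> {flow['dst']}:{flow['dport']} is not an allowed destination"))
    return alerts


def scan(lines, inventory=INVENTORY, segment=IOT_SEGMENT) -> List[Tuple[str, str, str]]:
    """Run every flow line through check_flow and collect (timestamp, type, detail)."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        for kind, detail in check_flow(flow, inventory, segment):
            findings.append((flow["ts"], kind, detail))
    return findings


# Constructed sample flows: one normal, one pump reaching a workstation's SMB port,
# one unregistered device inside the IoT segment, one unregistered device outside it,
# and one malformed line.
SAMPLE_FLOWS = [
    "2024-05-01T10:00:01Z src=10.50.1.10:51000 dst=10.50.250.5:443 proto=tcp",
    "2024-05-01T10:00:02Z src=10.50.1.11:51001 dst=10.20.7.30:445 proto=tcp",
    "2024-05-01T10:00:03Z src=10.50.1.99:51002 dst=10.50.250.5:443 proto=tcp",
    "2024-05-01T10:00:04Z src=10.20.9.77:51003 dst=203.0.113.10:443 proto=tcp",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for ts, kind, detail in scan(SAMPLE_FLOWS):
        print(ts, kind, detail)
```

The inventory doubles as the allow-list, so the same data that tells you “who is plugging in what” also tells you what each device is permitted to reach; a device inside the IoT subnet but missing from the inventory is still flagged, because it has not been registered and its allowed destinations are unknown.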

Maximizing the benefits of IoT

As always, hospital executives, doctors, nurses and additional staffers are dedicated to delivering the best care available for their patients. More than ever, they’re discovering that IoT is making this possible. But to maximize the benefits of these innovations without placing the network, systems, and data at risk, IT must collaborate closely with operations/business units so IoT is sufficiently segmented, and nothing is introduced which can harm anything outside of its own, contained ecosystem. In other words, you can take advantage of many “good things” through these devices without unleashing an army of “wild things.”

Rise of Patient-Connected Devices Requires Commitment to Proven Cybersecurity Practices

Household IoT systems create new vulnerabilities

Healthcare is increasingly moving to the household: Driven primarily by testing, screening and monitoring products, the global home healthcare market is expected to surpass $364 billion by 2022, up from just over $239 billion today, according to a forecast from MarketsandMarkets.

Network connected devices – particularly those considered part of the Internet of Things (IoT) – account for a great deal of this demand. By 2019, 87 percent of healthcare organizations will have adopted IoT technologies, as three-quarters of executives believe IoT will transform the industry, according to research from Hewlett Packard Enterprise’s Aruba Networks. Patient monitors have emerged as the most common use of IoT (currently deployed by 64 percent of organizations). As indicated, this adoption surge has extended into the home, with medical practitioners remotely monitoring just over 7 million patients worldwide – a figure that is projected to increase to 50.2 million by 2021, according to research from Berg Insight.

Life-threatening risks

If the bad guys start hacking patient-connected or embedded devices, there could be life-threatening outcomes. An adversary may, for example, manipulate a machine to inject a lethal dose of drugs. Or exact a ransom from a patient or their family. What’s more, it would be extremely difficult to identify the source of such a horrible attack. Patient-connected and/or implanted devices are rather rudimentary in terms of technology sophistication. They will not contain detailed log files of everyone and everything that has somehow connected to them, and they certainly won’t store enough information about IP addresses to lead investigators from an incident to a likely culprit.

Relatively recent recalls speak to the potentially dangerous risks which inadequately secured devices bring, including those used at home: In September last year, Abbott announced a voluntary recall impacting 465,000 pacemakers due to a possible hacking threat. In October 2016, Johnson & Johnson sent an official notification to 114,000 diabetic patients that a cyber attacker could exploit one of its insulin pumps, the J&J Animas OneTouch Ping, disabling the device or altering the dosage, according to the company.

Network separation and patching

While the scary scenarios call to mind something out of a sci-fi movie, our responses to the threats require a commitment to old-school remedies: network separation and patching.

Through separation, vendors, hospitals, home healthcare providers, etc. work with patients to ensure the devices run within their own network, with their own routers and connective components. They will not, for instance, interact with other wireless networks in the home, such as a virtual personal assistant. The medical device is sealed off by firewalls and segmented setup/implementation so it only maintains connections between the patient and the healthcare provider who is monitoring the device.

Then, vigilant patching of the standalone network assures that the device remains current and well-defended. Because we cannot entrust patients with this role – most would not be capable of the patching, and, besides, a number of regrettable things could happen if they tried – the vendor and healthcare provider must proactively pursue this.

At Merlin International, we stay on top of the latest trends in healthcare technology and cybersecurity to offer the most timely and effective solutions and services to our customers. We understand and appreciate all of the good that medical devices can do – as well as the risks they introduce – and we plan and design our products to directly address this. If you’d like to learn more about what we do, then please contact us.