Why the medical sector cannot keep pace with data breaches.
The health care industry is still woefully ill-prepared for the Cyber Age. This is a rather dismal assessment, considering that the volume of personal health-related data is an order of magnitude greater than the equivalent data in the financial segment and growing rapidly.
The past decade has seen the health-care records industry go electronic. While that may be great for the health care industry, there is plenty of debate about privacy risks for patients. Within the past couple of years, millions of personal health care records have been leaked. Yet the health care industry is still behind other critical industries in security spending. In fact, ABI Research notes that security spending in the health care segment will only amount to $10 billion by 2020 in the United States. That’s about 10% of what the other critical segments, such as finance, infrastructure components, and defense, will be spending by 2020.
The explanation most often heard is that the focus of that industry is health care, and it has long been the case that personnel care little about anything other than delivering the best possible service. Jon Heimerl, senior security strategist at Solutionary, notes that the goal has always been to make medical devices as easy to set up and connect as possible. Adding security controls often goes against the very nature of health care professionals.
Ken Hoyme, distinguished scientist at Adventium Labs, has a similar view. In a recent talk he pointed out that device developers and end users in hospitals have a difficult time comprehending why anyone would want to harm patients. “The view from this end is, ‘Why would anybody want to do that?’”
That model has worked since the dawn of health care. However, with technologies like big data, the cloud and virtualization coming online, and organized, focused exploits from professional hackers, even the health care industry has to bite the bullet and fight cyber crime.
With the conversion of most everything to digital, the priority becomes how to protect data as it becomes more and more prolific across the entire health care spectrum. The emergence of the cloud as the predominant storage solution is a challenge that the health care sector has to get its arms around.
Some are looking to models from other industries, and there is some credence to that, but the biggest issue with this industry is HIPAA, which has very different metrics than most of the other industries. “Cyber security for health care is still a small, fragmented market and security is lacking,” says Michela Menting, practice director for the digital security service at ABI Research. However, as more and more breaches occur, pressure will increase to get this behemoth secured within the 1996 U.S. Health Insurance Portability and Accountability Act (HIPAA) framework.
The health care industry is following in the footsteps of the automotive industry, where no one expected cars to ever be connected to anything.
“One of the reasons we don’t have a lot of security in medical devices is because it is still fairly new to have connectivity in medical devices,” said Menting. “But to integrate connectivity means that the medical device manufacturer has to partner with the connectivity vendor. With HIPAA, that can be a challenge because it isn’t simply designing the connectivity solution into the device. In order to make sure the integration is accepted requires the involved parties to go through a bunch of regulatory loops to ensure the device is safe around humans.”
The security angle is tricky here because security is dynamic. It requires regular updates. A common way to do this is with over-the-air (OTA) programming. “But unlike mobile devices where you can bang on any security software without any restrictions, with medical devices, you cannot connect or add whenever or whatever you want because you need regulatory approval to make any changes,” she said. You cannot just fiddle with the hardware or software because it has gone through a number of certifications and testing, and changing anything requires, at a minimum, re-certification.
Therefore, whether it is a minor modification on the hardware, or a security update, the requirements are the same. That is what makes integrating security a difficult proposition in medical devices, and manufacturers would rather leave it out due to the difficulty in adding it in.
The cloud and security
The cloud is a much-needed solution for the health care industry. In the face of consistently rising costs, and pressure to reduce operating and capital expenses, the cloud offers a solution to several parts of the health care wheelhouse. For example, it presents a way to share massive amounts of data securely at a lower cost.
However, the cloud also adds another layer of complexity to the already difficult proposition of securing medical devices and related health care data. It will be easier to do it in software. “The first set of solutions for medical devices will likely be software based, not embedded,” confirms Menting.
And there is another challenge to this track. Pretty much every segment of health care has to get on board. Without that global commitment, the smart connected health grid won’t function to the maximum potential.
At the top there is a problem with the way the U.S. Food and Drug Administration is structured. Currently, it doesn’t have specific regulations relevant to cloud computing. The FDA generally applies existing regulatory schemes in the face of new technologies, such as cloud computing. However, cloud computing is a complex set of components that presents several challenges to that approach. While the FDA has control and responsibility over medical products shipped in interstate commerce, it does not have any authority over health care providers themselves. But the ubiquitous nature of cloud computing means that health care in the cloud becomes a service rather than a product, which complicates matters significantly even without considering security issues.
Another challenge is the increased complexity of cloud computing software solutions. Software is much easier to handle in the cloud than in hardware. And with medical device software, there is a tendency to be extremely conservative and singular in application. It is generally installed on only one platform, and locked down. Such scenarios limit interactions to those between a device and the computer system only.
With cloud computing that paradigm changes radically because cloud architectures consist of multiple software applications communicating with the cloud server software. That set-up can include a variety of operating systems, hardware, middleware and virtualization layers. That is, in fact, the strength of the cloud model – its ability to interact with the cloud servers through a wide array of operating systems, hardware, and platforms.
That complicates things significantly for health care security, though, because of the fact that information is scrupulously protected by HIPAA, along with numerous other state laws and ethical standards.
That also flies in the face of cloud computing software solutions because health care data often is transmitted wirelessly or using the Internet Protocol, exposing it to potential compromise. In addition, because the cloud is diffused, consolidated health care data in one location from thousands of individuals poses a high chance that a lot of records can be stolen very easily.
Trying to reel in the issues with health care cyber security is a bit like herding cats when it comes to HIPAA because there are so many security avenues the health care space needs to address. The security issues themselves, however, aren’t much different than those faced by other industries.
Many of today’s medical devices integrate reconfigurable embedded systems. Such systems are known to be vulnerable to cybersecurity breaches. As interconnected medical devices proliferate, and connect via hospital networks, the Internet, other medical devices, and smart devices, the risk of cybersecurity breaches that could affect how a medical device functions rises dramatically.
“Medical devices with processors have bugs in the same way that other kinds of devices do,” notes Paul Kocher, president and chief scientist at Rambus’ Cryptography Research division. “So there really isn’t any fundamental difference in addressing that, but there is a big difference in that the consequences can be life threatening.”
For example, there have been some research papers published that present the possibility that one can, via a wireless connection, modify the programming of a pacemaker in a way that could harm the wearer. But such scenarios are still mostly confined to movie scripts.
“What I see as a major concern is the case where devices have direct, or indirect connections to the broader network,” Kocher says. “For example, if a patient is connected to a device that talks to a system that is connected to the Internet, or the cloud, that tunnel of connectivity completely changes the risk profile.”
This is akin to going from only people in your immediate vicinity being able to grab your wallet, to everyone in the world who has a cyber connection being able to grab your wallet. So now, says Kocher, “the wallet or medical device is at much greater risk than if it were only accessible to the people around me.”
Presently, it is somewhat unclear if it’s even possible to completely lock down chips or devices, whether health care or otherwise. So in that vein, health care isn’t much different from other industries. “But the steps one can take to manage security risks in other devices, such as frequent security updates and automatic reboots after such updates do not tend to work very well in a medical environment,” remarks Kocher.
Much of this falls back to the FDA, and much of what the FDA does goes back to the original premise of their charter: that medical devices have to meet standards of safety and reliability. While that premise is certainly sound, it also hinders progress in a cyber-connected world, in terms of efficiency, cost, and progress. That creates a bit of a conundrum: how does one keep the premise of the FDA intact, while bringing health care into the cyber age? Currently, there isn’t a real solution to that problem. But as Kocher remarks, “At the end of the day I would rather have a life-saving remedy with security risks than to have no remedy at all.”
Kocher also notes that he expects to see some movement in dealing with some of the security issues that health care presents in the next year or so.
It is unlikely the FDA will make any radical changes any time soon. In fact, it is passing the responsibility on to the health care industry. So how will the industry respond? If history is any indicator, until there is a major breach past just leaking medical records, such as a life-threatening incident, probably very little. That is not to say that solutions aren’t available, however.
From an engineering perspective, there are several avenues that can be investigated, according to Kocher:
• Develop more secure operating systems with enhanced locked down capabilities that present better security tracking and evidencing.
• Use processors that, rather than having top performance as the main design requirement, have security as the top priority.
• Have better detection of anomalous situations.
• Use multiple processors that check their answers against one another.
The biggest issues still involve network connectivity, though. In the end, no matter how tight the security is and even if all the possible measures are implemented, it is very unlikely that systems can be made totally bulletproof against determined adversaries.
There have been high-profile breaches in health care, such as the one at Anthem earlier this year. There also has been some attention called to the potential of corrupting devices such as a pacemaker, notably by former vice president Dick Cheney. However, such device corruption has yet to materialize. That is not to say it can’t happen, but so far there is little to be gained by taking a pacemaker or insulin pump hostage or corrupting them. There is, however, a lot to be gained by scamming health care documents.
Anthem is just the tip of the iceberg. No matter how painful it is, the health care industry needs to improve data confidentiality. Because data isn’t a life-safety issue, in contrast to medical devices, there is really no reason the industry can’t move that up a few notches, even with HIPAA and the FDA involved. And that is a target of opportunity for the semi biz – to put hardware into the gateways, interconnect and storage devices, especially in view of the integration to the cloud, and, eventually, the IoT.