April 3, 2019
We’ve never had more information about our health stored electronically than we do today, and the quantity being generated is steadily increasing. Wearables track our every step and heartbeat, test results can be viewed online, hospitals are using more IoT devices to help with our care – the list goes on.
Protecting that data has been a struggle for some time. The United States passed legislation called HIPAA in 1996 to help keep medical information private. In 2016, a string of ransomware attacks across the United States and Canada frequently made the news for locking down hospital systems and patient data.
This is reflected in the statistics: a popular paper from IEEE Access points out several reports, one of which found that 40% of the 43 health and fitness apps they inspected “imply high risk” to users’ privacy. Another found that of 24,000 health-related apps for iOS and Android, “95.63% of the apps pose at least some potential damage through information security and privacy infringement.”
For hospitals, the threat surface is varied and hard to manage. According to Kayne McGladrey, IEEE Member and Director of Security and Information Technology at Pensar Development, “Medical institutions are deploying an increasing array of IoT devices from a variety of vendors. This is not always by choice of the medical institution; rather, as vendors have connected all of their products to the Internet, it forces buyers to adopt heterogeneous IoT technologies.”
Features that are meant to make life easier can also contribute to the issue. Karen Panetta, IEEE Fellow and Dean of Graduate Education, Tufts University, says “Third-party modules, add-ons, guest accounts and remote accessibility continue to be the access points of choice for these attacks.”
A main reason ransomware attacks have continued is that they’re still profitable. It’s easy to get hung up on the injustice – after all, incapacitating a hospital’s computer system when people are receiving life-saving treatment isn’t easy to stomach. But hospitals often pay the asking price that the hackers set. Why?
McGladrey’s answer is simple: “The costs associated with paying a ransom in these environments would be considerably lower than the litigation and fines if people were to be harmed by the lack of availability or the destruction of medical data.”
In some situations, attackers will go after individuals instead of institutions. When Panetta sees patients get targeted, she says it’s typically because “most patients, especially the elderly, are vulnerable and more likely to provide a payment on demand from requests that seem to come from sources that appear knowledgeable about their private information.”
While the threats are well documented, several ideas on how to improve the situation are emerging. An incoming concept that’s frequently brought up is the use of machine learning to identify and analyze attack patterns. “With this, they can avoid and even anticipate some attacks on systems in general and medical institutions in particular,” says Andre Gradvohl, IEEE Member and Professor at University of Campinas.
Another idea proposed in an IEEE Access paper is authenticating health data with facial recognition, so that only people with proper permission are able to access it. Since this type of authentication has already made its way to phones, it could make for a smooth adoption process.
There’s also been some research into directly transmitting health data via satellite from hospitals to avoid any reliance on local networks that might be insecure. This would be particularly useful in rural areas that could also benefit from the increased connectivity to other medical hubs.