Season 2: Cybersecurity for Connected Healthcare Systems: A Global Perspective
Cybersecurity for connected health devices is top-of-mind as we task experts from around the globe to share ideas on prescriptive approaches to maximizing the benefits of these devices while re-engineering the strategy to better protect patients’ data privacy and security.
Episode 1
Threat Modeling and Frameworks for Cybersecurity in Connected Healthcare Ecosystems
Listen to the premiere episode of Season 2 featuring Florence Hudson, Executive Director of Northeast Big Data Innovation Hub, as she explains the need for addressing cybersecurity, together with the IEEE SA Healthcare and Life Sciences Practice, a global program encompassing open collaborative innovation, systems thinking, and trust security solutions to create, capture, and secure value in the global connected healthcare system.
Speaker
Florence Hudson
Florence Hudson is the Executive Director of the Northeast Big Data Innovation Hub. She is also the Chair of IEEE P2933 Clinical IoT Data and Device Interoperability with the TIPPSS Working Group.
“I am passionate about protecting human life with improved TIPPSS – trust, identity, privacy, protection, safety, and security for connected healthcare,” Hudson says.
Follow Florence Hudson on LinkedIn.
Full Transcript
Maria Palombini
Hello, everyone, and welcome to season two of the IEEE SA Rethink Health podcast series. I’m your host Maria Palombini and I lead the IEEE SA Healthcare and Life Sciences Practice. Coming off the premiere season introducing some of the more inspiring technology compelling us to rethink the approach to better care for all, this season we will focus a little bit more on the growing threat that could impede the trusted adoption of these great technologies and applications. And we’re going to bring experts from all corners of the globe to talk about the regulatory, technical, and application side for connected healthcare systems and where cybersecurity is the impediment to getting trusted adoption, when we look at all the IoMTs, the artificial intelligence, the blockchain, or traditional health wearables. Today, I’m very excited to have with me Florence Hudson; she’s going to be talking about the growing challenges and alternative ways to address cybersecurity in a connected healthcare system.
Florence Hudson
Thank you, Maria, for that wonderful introduction. I’m delighted to be here today and to be able to speak with all of you about this very important topic, and also to share opportunities for you to consider how you can participate from anywhere around the world to join us in this effort. I’m the Executive Director of the Northeast Big Data Innovation Hub headquartered at Columbia University in New York. I lead one of four big data innovation hubs funded by the US National Science Foundation. And we are a collaboration hub, a community convener and a catalyst for data science innovation. And as you know, in connected healthcare, it’s all about the data. How can you leverage the data? How can you move the data? How do you access information about the patient, and the medical records? And then how do you keep everything secure and protect the patient? So that’s one of the key areas we’re focused on. In the Northeast Hub, we partner with the other three NSF Big Data Innovation Hubs around the country, and through IEEE and other activities like our COVID Information Commons and partners to extend our reach around the world.
And I’m very fortunate to be the chair for the IEEE-UL (which is IEEE and Underwriters Laboratories working together) P2933 Standards Working Group on Clinical Internet of Things Data and Device Interoperability with TIPPSS.
Maria Palombini
And for those of you who don’t know what TIPPSS means, it’s trust, identity, privacy, protection, safety, and security.
Florence Hudson
And TIPPSS is a framework that we envisioned with IEEE, actually in February 2016, at an End-to-End Trust and Security for the Internet of Things workshop at George Washington University in Washington, DC. And we’ve made tremendous progress since then on better understanding the challenges and risks in connected healthcare and clinical IoT related to TIPPSS. And what we’re doing as a standards working group is envisioning the technical and process standards that we can recommend to improve the trust, identity, privacy, protection, safety, and security, with the purpose to enable secure data sharing and connected healthcare that improves healthcare outcomes while protecting patient privacy and security, and mitigating risks in data and patient protection and safety. Everything is hackable. So all this great technology we’re using also creates risks. So anyone who wants to join us, they can. You can look up IEEE P2933. You don’t have to be an IEEE member. And it’s free to join.
Maria Palombini
Well, thank you very much for it. So when I first met Florence, and we were sitting I believe in a car in a taxi together, Florence happened to share with me that she was an aeronautics engineer. And I’m looking at her, I’m like, do you know how the planes work kind of thing? And she was like yeah. But now you’ve gone into health care. So maybe you could share a little bit what motivates your passion to be involved on the healthcare side of things?
Florence Hudson
I’m really trying to protect the humans very honestly. My mother died the day I was born. And of course, I couldn’t protect her then. So I’m always trying to keep humans alive. It’s just a general need that I had. And I know being a technologist that the connected healthcare devices are hackable, the data is hackable, the sensors are hackable, the actuators are hackable, there’s way too much bad stuff that can happen. I feel like it’s our responsibility as the technologists and the providers and people who care for patients to work together to keep the patient safe, as well as to leverage technology and data to improve healthcare outcomes.
Maria Palombini
We are collaborating on a five part virtual workshop series focused on cybersecurity for a connected global healthcare system. And IEEE SA Healthcare and Life Sciences Practice, the P2933 group, and the Northeast Big Data Innovation Hub are all collaborating to present the series. So what do you envision as the objectives and goals of this five part premier series that we’re doing in 2021?
Florence Hudson
So at the Northeast Big Data Hub, we actually have a cybersecurity risk initiative. And we have an award, some funding that goes along with that. And we did an initial workshop about a year and a half ago. And we talked about Internet of Things, we talked about clinical IoT, and then some other aspects. I decided that because I’m leading the P2933 Working Group and working so closely with you and IEEE Standards Association, that this is a great opportunity to go deeper. It ties in so well with the health focus area at the Hub and with the responsible data science focus area at the Hub. Before I took this role at Columbia and the Northeast Hub, I was actually working for the NSF Cybersecurity Center of Excellence at Indiana University. So this is like my zone.
What I want to do is to help us work together to increase awareness about these challenges, these TIPPSS challenges in trust, identity, security, privacy, and safety, and then help us work together to address these challenges. So through these workshops, we want to invite everyone who can to participate. Then what we want to do is funnel our work from workshop to workshop and then into the standards efforts.
So as an example, the first workshop, which is the global connected healthcare, cybersecurity risks and roadmap workshop, will have us talking about the specifics of security. And then what are the other elements, what’s going on with privacy and ethics? What about interoperability? We actually lay the groundwork. What are the challenges? What could a potential roadmap look like? What could we possibly do in the future?
We look at where we are, and we envision where we could go. The next workshop is privacy, ethics and trust in connected healthcare, which is a very important topic; a lot of new policy and regulation is coming out. And it’s very related to security, because you need the security for privacy. So it’s very connected. But we want to go deep on the privacy as well as the ethics and the trust related to that. Then the next workshop, building on what we continue to build, is on data and device identity, validation, and interoperability in connected healthcare, when we’ll talk about how do we maintain trust; how do we validate identities of the devices and the humans and then working with each other; should this device trust that device, should it trust that human, should that human trust that device. There’s a lot to think about. That would be the third workshop. The fourth workshop is around connected healthcare integrated systems design, bringing this all together: what does this whole picture look like; how do we leverage artificial intelligence and machine learning to potentially improve the integrated system design, identify potential risks, and then do something about it. And then the one in November is connected healthcare technology and policy considerations. In our first workshop in February 2016, where we created the TIPPSS framework, we actually had an IEEE technology workshop, a technical workshop in security for IoT. The next day, we had this ETAP workshop, which is for experts in technology and policy. And so our vision here is to get more of the policy people involved; then we would have people from all around the world and regional experts as well regarding GDPR in the EU, HIPAA or new things in the US, and other areas. We can talk about the technology and policy considerations from multiple perspectives, and then decide from there what would our recommendations be? Do we actually want to have deeper discussions at a regional level because the policy is so different? Those are the type of things that we can work on together.
We want this to be very collaborative, where we’re identifying the problems together, and identifying potential solutions together, and then funneling that into some of the standards work if people would like to get more involved.
Maria Palombini
All of the workshops will be available on demand. If you cannot join us on the live date, we can definitely make sure you catch us on demand, and all the information is available on the cybersecurity workshop series website, which is accessible from the IEEE SA Healthcare and Life Sciences site; just click on cybersecurity workshop series. How do you think this workshop series can really move the issue on cybersecurity?
Florence Hudson
What we decided is that we would have the first workshop to kind of talk about the overall connected healthcare cybersecurity risks, then roadmap, but then go deep in each workshop so that we can pull it apart. Look at the problem, find the right tail and the right wing and then put it together with the fuselage and make it fly with the standards working group P2933. We welcome people to funnel into that with us. And we’re hoping we find new people to come in and add to the solution.
Maria Palombini
If people want to get involved, what would you say to them? Like, why should someone who’s an expert in any of these fields want to be a part of this particular workshop?
Florence Hudson
That’s a great question. I’ll give you an example of someone we’re very excited to have involved with us in our region in the northeast, Julian Goldman, who’s at Mass General in the Boston area, as well as at Harvard. And so he’s going to be our keynote speaker in the first workshop. He has the integrated clinical environment view from a technical perspective while he’s a doctor, and we hope that as people come in, they’ll be able to leverage their expertise, for example as a device manufacturer. One of our vice chairs of P2933 is William Harding, who is in the Technical Fellows Leadership Program at Medtronic. Another one of our vice chairs is on the provider side: he’s the chief information security officer at Indiana University Health, Mitch Parker. Our secretary is at Draeger Medical Systems, Ken Fuchs. We have people from Cerner; we have people from all sorts of organizations. So you can all be part of the solution, because we all see a different part of the problem, looking at the elephant overall for the series. The learning outcomes include understanding the risks and threat vectors in connected healthcare and IoT systems, advanced technologies that can be leveraged, as we discussed, to address these risks and societal challenges, and then standards efforts and related technology and policy opportunities to address the risks. So it’s really understanding the challenges, and then seeing how you could actually get involved to be part of the solution. Registration is free. We look forward to engaging our region as well as the world in this challenge and opportunity together.
Maria Palombini
Thank you so much, Florence. And I want to thank everybody for tuning in. This is obviously an area of important interest for any single person, any patient that’s interested in this area, you can access information about the global workshop series off the IEEE SA Healthcare Life Sciences Practice site, which is easily accessible at ieeesa.io/rethink. And with that again, Florence thank you for joining me and we look forward to seeing you in one of our workshop series this coming year.
Episode 2
Cracking the Cybersecurity Code to Accelerate Innovation - A View from Australia
Can cracking code on cybersecurity in the connected healthcare ecosystem accelerate innovation in the world of mobilized care?
We are taking a different perspective from the land down under with Ashish Mahajan, Non-Executive Director of IoTSec Australia Inc, and Chair of the IEEE SA IoT Ecosystem Security Industry Connections Program. In this podcast, Ashish provides insights into the vulnerabilities of the entire data value chain in the IoT ecosystem that impede maximum utilization and innovation in public health, wellness, and healthcare. Hear how stakeholders in Australia are looking to live the mantra when the world gives you lemons, it’s best to make lemonade.
Speaker
Ashish Mahajan
Ashish Mahajan is a trusted cybersecurity enabler focused on assisting organizations to build cybersecurity capabilities and cyber resilience by design, combining his industry exposure and thought leadership.
Ashish in the past has led various cybersecurity greenfield opportunities including strategy development, risk management, policy development, industry compliance certifications, and regulatory requirements. Through his able leadership and guidance, he has not only delivered the projects and assisted organizations in meeting the needs of business, but also has brought value-add that can be expanded to other areas of business and is adaptable to additional compliance requirements.
Ashish is also a member of the Internet of Things (IoT) community and is a frequent speaker on the risks involving threats in the IoT landscape, particularly on critical infrastructure in healthcare environments. He is also Chair of IEEE SA IoT Ecosystem Security Industry Connections Program. Ashish is also a member of the IEEE P2733 Working Group. This standard establishes the framework with Trust, Identity, Privacy, Protection, Safety, Security (TIPPSS) principles for Clinical IoT data and device validation and interoperability.
Follow Ashish Mahajan on LinkedIn.
Full Transcript
Maria Palombini
Hello everyone, and welcome to Season Two of the IEEE SA Rethink Health Podcast Series. I’m your host, Maria Palombini, and I lead the IEEE Standards Association Healthcare and Life Sciences Practice. The practice is a platform for multidisciplinary stakeholders from around the globe who are seeking to develop solutions for driving responsible adoption of new technologies and applications that will lead to more security, protection, and universal access to quality of care for all individuals. I would like to welcome today Ashish Mahajan, for a discussion on how cybersecurity in connected health can be an accelerator for more innovation. He is the Non-Executive Director of IoTSec Australia, and he’s Chair of the IEEE SA IoT Ecosystem Security Industry Connections Program. So with that, Ashish, why don’t you tell us about the great work you do at IoTSec, and then a little bit about this industry connections program you’re leading at the IEEE SA?
Ashish Mahajan
Certainly. I want to start by saying the IoT space is expected to grow to 25.1 billion by 2025. And that could be worth up to 26.1 billion by 2027, with the compound growth around 19.8%. This growth we’ll see in the next five to 10 years. But what it means is that it will likely have touched every aspect of our life, from our refrigerators to our shoes, to medical devices, to car automation and home automation. And of course, cybersecurity remains a key issue concerning broad technology, as well as data related activities. So while IoT devices can greatly increase the productivity of our business, there’s an old saying that new rewards come from new risks, and cybersecurity of IoT devices is a big challenge for us. Now, the work that we are doing at IoTSec in partnership with IEEE is to bring them in across the community. IoTSec is a not-for-profit organization; it looks at advocacy on the research initiatives that help to ensure awareness of secure practices by the ecosystem, and we will be working with IEEE SA to publish white papers, reports, proposals for standards, guidelines, and probably webinars to bring awareness across our community.
Maria Palombini
I know that IoT across multiple industry domains is flourishing. It’s really important to call out the fact that it’s not just about medical devices. There are so many devices on or around us that are not obviously specific for medical application, but still impact our overall wellness and daily lifestyles and things of that nature.
Ashish Mahajan
I always say, when it comes to IoT and security, the industry is too late to consider security and we are kind of catching up to embed security in IoT devices and also the future IoT devices.
Maria Palombini
Cyber breaches and security vulnerabilities are a major concern when we think about the current state of connected health devices and obviously the trajectory for the future of mobile health. From your expertise and your experience, what do you consider to be some of the major impacts if cybersecurity in the digital health space is not addressed effectively?
Ashish Mahajan
I guess there are two folds to this question – the trajectory of the future of mobile health. Now in the past few years, there has been a cultural shift and a technology shift from wearables focused on promoting wellness to those designed to support real-time tracking and also the monitoring of patient vital signs. According to research, the average person is likely to generate more than 1 million gigabits of health related data in their lifetime. As you can tell, this technology has huge potential to not only improve health literacy and wellness levels, but also to reduce global health. According to one estimate, remote patient monitoring might have saved nearly 200 billion across all conditions over the next 25 years. If you consider this, being able to remotely monitor patients in their home is a significant opportunity for caregivers and for industry alike. And most importantly, for the patients, this is going to change the whole gimmick of how patients will be treated at hospitals and in remote patient care, not just wearable technology. There are agents that are also propagating a cultural shift in how conventional drugs and therapies are formulated and delivered. If I remember correctly, 2017 saw the first FDA approved pill that was packaged with a sensor tracking patient usage. Now that was a dramatic change in how patient care can be done. The other question is the major impact of cybersecurity challenges in the healthcare sector. The healthcare sector is going where the IoT devices are going and where the patient care is going. While IoT has opened up the door for innovation or innovative new services across industry, the adoption of the IoT system within the healthcare sector is crank. And that’s why the numbers are huge.
The other risk is that the cybersecurity risk is now among the sectors most targeted by illegal markets globally. The predicted health information is more than what you create. Now, I think the question is why, and it’s due to its immutability, the state of not changing: the information exists to help data breaches of particular interest to cyber criminals, because your blood type doesn’t change, and your personal health information contained in your medical file, along with insurance and health provider information, is not going to change. There is a higher motivation for cyber criminals to target medical databases. If you look at the most recent research in the past few years, 83% of the medical imaging devices are running on unsupported operating systems. I guess the question is why. And the answer is because healthcare is always about saving patients’ lives.
Maria Palombini
It is amazing how much data these devices can generate. And we thought the human genomes could generate that much data, but we seem to have quite a bit of a proliferation of data. But I think it’s a very important fact that you highlight, because I think what people often miss is that health data is so rich with immutability that it becomes so much more appetizing for cyber criminals. It’s definitely true that a credit card, you take it, it gets stolen. You call your credit card company and they erase it and get you a new one. It’s all fixed, but who do you call to say, you know, my blood type has been breached? Like there’s just no ID help desk here. So I think it’s a very important fact. And you know, many have argued that regulators should be doing more from a point of view of requiring the developers of the hardware, the software, and connected devices to build in more security and protect those vulnerabilities from an engineering perspective. How do you perceive the problem being most effectively addressed?
Ashish Mahajan
Very good question, Maria. I recall giving a presentation in 2018 where I talked about how everyone has a role to play, from enforcing security in devices to understanding the basic security advice. And I’m talking from regulators enforcing security controls that enable security in IoT devices, to organizations and practitioners, who choose to make a conscious choice about using those IoT devices. Most regulators have just started to consider recommendations in this fast evolving setting and are moving slowly. Manufacturers are creating an incredible variety and volume of IoT devices. 5G devices should be prioritizing security by design, especially considering the potential detrimental consequences of a breach. We are stepping in the right direction and I’m going to take a couple of examples. One is the California IoT law, that requires manufacturers to equip the devices with reasonable security features; regulators shouldn’t force what needs to go bare minimum in the main IoT devices as part of their implementation. Consumers should be able to make a conscious choice. Should they be using the IoT devices without risk management? For organizations also: do you want to use the IoT device? Should we be using the IoT device? What is the consequence of using this IoT device? What if the breach happened? I think those sorts of questions must be asked. The responsibility starts from regulators. They need to enforce. Then it goes to manufacturers. From manufacturers it goes to practitioners, and practitioners could be consumers also.
Maria Palombini
Very interesting. I think it is an all-hands-on effort. One of the interesting aspects is we all want to know what’s going on around the globe. Do you find that what you see in Australia differs from other geographic regions in addressing this issue of the need for cybersecurity and the use of IoT and these mobile health apps and wellness applications?
Ashish Mahajan
Today, consumers across the globe are taking an increasingly proactive approach to managing their health. And technology is playing an important role. One in six Australians use mobile apps and wearable technology to track nutrition, exercise, sleep patterns, energy levels, and even stress. And with that, the number of connected wearable devices worldwide is expected to grow to over 1.1 billion by 2022. From a health care practitioner’s point of view, they’re now adopting these technologies for patient monitoring and to drive improved health outcomes. Not just in Australia; it’s probably the trend that we see across the globe.
Maria Palombini
Obviously Australia was one of the first regions of the world to come out with a contact tracing application for COVID-19. We know that COVID-19 disrupted many of our norms and introduced new ideas. Some were great. And some maybe not so great. I know that contact tracing apps globally did not do well. There were a lot of concerns with them, but were there some concerns specifically among Australian citizens about privacy and data security? Did you see any special way of addressing and mitigating it that you would like to share with our global community from that point of view?
Ashish Mahajan
To answer that question, I’m probably going to talk about why COVID tracing apps aren’t more widely used. As you know, there was a flood of coronavirus apps that were launched in the first half of 2020 across the globe to quarantine the infected individuals. That was the intent of that. And the true promised benefits of these contact tracing apps have not been realized to the full potential anywhere in the world, but the Australian government launched the COVID CFR. And there were clear concerns by citizens regarding trust, transparency, security, and privacy. Among that, user acceptance was the biggest challenge for many reasons. And if we consider from a technology point of view, there were concerns about the battery consumption. Now, from a security and privacy point of view, there have been serious concerns around user data. The COVID apps used to ask users for their name, phone number, postcode, and age range before they could register with the app.
Ashish Mahajan
The question was how well the application was tested and the way that data is stored. And the next question is the reliability and effectiveness of that. There is no rule for testing or approving the accuracy, reliability, and effectiveness of contact tracing apps. And at the same time, I don’t think that there’s anyone to be blamed. We are facing an unfortunate global pandemic and everyone did what they could do. Some things worked and some didn’t. The ones that didn’t work for us, we should take that as a learning for us.
Maria Palombini
Any final thoughts you would like to share with our audience?
Ashish Mahajan
Security is everyone’s responsibility. And I would like everyone, when they are going out in the market and buying not just an IoT device but any device, to understand some basics of security to make sure our community is safe and secure.
Maria Palombini
I want to thank you for joining us today and sharing this wonderful insight, and I will thank you, the audience, for tuning in. I just want to share with you all that many of the concepts in our conversation with Ashish today are addressed in not only the IoT Ecosystem Security Industry Connections Program, but we have many different industry connections programs within the Healthcare and Life Sciences Practice. Our work in telehealth connects to the accessibility and security for all. And obviously the work we’re doing in decentralized clinical trials, as well as the work we are doing in cybersecurity. And this podcast, season two, is going side by side with a full-year virtual workshop series we’re doing on global connected healthcare cybersecurity. Information on that opportunity is at ieeesa.io/cyber2021. If you want to learn more about the Healthcare and Life Sciences Practice, get involved in any of these programs we talked about today, or you would like to instantiate a potential program, please reach out to us at ieeesa.io/rethink. And with that, I want to wish you all to continue to stay safe and healthy, and I look forward to you joining us next time.
Episode 3
Securing Greater Public Trust in Health through Risk Mitigation – A North America Perspective
Listen to our discussion with T.R. Kane, Cybersecurity, Privacy & Forensics Partner, at one of the world’s top 5 consultancies, PwC [PricewaterhouseCoopers], as he explains how we need to better strategize planning and response to cyber vulnerabilities in the healthcare ecosystem. Tune in for insights on some of the best lifeline strategies for managing organizational and patient risk in this rapidly emerging domain.
Speaker
T.R. Kane
T.R. Kane is a Cybersecurity, Privacy & Forensics Partner at PwC who leads the Strategy, Risk and Compliance business and is also the firm’s Global Third Party Risk Leader. Based out of Cleveland, Ohio, T.R. has specialized in the area of operational and systems risk management, with a concentration in data privacy and cybersecurity, since joining PwC in 1996.
He has been actively involved in assisting clients throughout the United States, South America, Canada, Africa, Middle East, Asia Pacific, and Europe in developing, maintaining, and assessing their overall Privacy and Cybersecurity risk profiles.
T.R. has a deep IT risk management background which he blends with his technical cybersecurity and data protection knowledge. His wide range of technical security experience includes state and federal regulatory security compliance, security strategy development, Incident Response, Data Loss Prevention, and cloud computing. His focus has included leading global strategic engagements for Fortune 500 organizations, as well as 3rd party suppliers, vendors, and contractors on behalf of his clients.
Follow T.R. Kane on LinkedIn.
Full Transcript
Maria Palombini
Hello everyone, and welcome to the Rethink Health Podcast. I’m your host, Maria Palombini and I lead the IEEE Standards Association Healthcare and Life Sciences Practice. The practice is a platform for multi-disciplinary stakeholders from around the globe, who are seeking to develop solutions for driving responsible adoption of new technologies and applications that will lead to more security, protection, and universal access to quality of care for all individuals. And with that, I would like to welcome TR Kane from PricewaterhouseCoopers to the podcast today. He’s been working in the area of patient privacy to address the risks of the cyber world across a technical discipline. Currently, his role is Cybersecurity and Forensics Partner, Global Third Party Risk Leader, US Strategy and Transformation Leader at PricewaterhouseCoopers. So TR, can you share with our audience a little bit about the great work you’ve been doing at PwC? And some of the things that you’re seeing like trends and global challenges from where you’re sitting right now?
T.R. Kane
Yeah, you bet, Maria. So I’m seeing a number of trends facing healthcare, with the first being really the increased use of third parties. If you think of healthcare organizations, whether you’re talking pharma, providers, or even the payers, you have this ecosystem of data and trust that continues to expand from organizations directly controlling it, to really placing more reliance on contractors, the cloud, suppliers, business partners, and vendors that have effectively become the key components of those healthcare organizations’ processing, storing, manipulating, and transferring of regulated patient and even employee data. I think the second thing that I’m really seeing, and where I spend a bulk of my time, is really the need for tying business and cyber risk. It’s greater than ever, from medical devices to technical platforms, expanding platforms within healthcare to patient care platforms as examples, that all must be managed, they need to be monitored, and they need to be reported upon effectively. So I’m getting a lot of demands and asks for calls, and even at the board levels, around how we get cyber risk aligned to patient safety and business outcomes.
Maria Palombini
So what we’ve seen in the world of cybersecurity has been this focus on prevention, like how do we stop the problem before it happens. That’s what we think is the best solution. However, we’re seeing more of a trend, and you mentioned this earlier, towards risk mitigation, this concept of forensics in the whole episode when these breaches in this quote unquote warfare starts to happen. So maybe you can explain some of these concepts to our audience and why they’re just as important or more important, rather than just working on the prevention, the vaccine for the problem and how we’re actually looking at preventing the risk in that situation. And maybe what you see companies doing better or not so great in embracing this concept, in better managing risk overall in a connected healthcare system.
T.R. Kane
First and foremost, connected healthcare platforms are really increasingly touching patients and expanding across the healthcare industry. So one of the things not just from a risk perspective, but from a trust perspective, it’s becoming the core of the focus coupled with the mechanisms to manage risk that lends itself to establishing that very trust. As platforms are rolled out, even risk management oversight, technical forensic investigative capabilities, and other detective technologies, the industry really is starting to look at more independent organizations to help edify the trust gap. So things like tie trust, getting those independent outputs, but also having a strong cyber and privacy set of embedded controls around their patient and clinical healthcare platforms. And what I mean by that is, we can’t just simply rely on an independent third party to check the box. It’s really how we embed new products, medical devices, the rollout of technology, even acquiring. There’s a lot of M&A activity within healthcare right now. How do we ensure that we have the right governance and the right processes to really embed the controls to protect the very data that we need to protect, i.e. privacy and the mechanisms being security. And it’s really striking that right balance between the patient and doctor experience, compliance, risk reduction, while also managing costs in concert.
Additionally, more and more healthcare companies are starting to use endpoint detection and response. So different EDR solutions to help gather data from endpoints. But I think this is the key, while it is still reactive in nature, it does help begin to mitigate risk once an attack has been identified. However, it’s not a proxy for overarching cyber risk management, and the alignment to organizational risk and business outcomes. It’s reframing cyber risk as a business risk and not taking that legacy view that cyber is just a technology risk. I think the last thing that’s also very important as we’re seeing organizations, as I think about risk, mitigation and detective capabilities, is aligning specific playbooks around incident response and resiliency. So playbooks around what we do with medical devices for each? How do we handle phishing? How do we handle ransomware? That to me this is very important because you’re cross threading all the different organizational constituents that need to be part of those business risks, not just treating it solely as that cyber responsibility to respond, handle, and mitigate, because it’s not.
Maria Palombini
We see an emergency and companies start throwing money, quote unquote, at the problem investment. There are figures ranging from 100 million US dollars plus to be invested in the next five years to a 15% increase in cybersecurity measures. It’s not just about throwing money at the problem, right? What is it that would be the most effective way to invest this money so that these organizations can get the best return on investment for the money that they’re putting into the problem?
T.R. Kane
I’ll tell you this is probably the number one set of discussions around this topic that I’m having with executives. And what we’re really seeing is the need for cyber risk quantification. It’s the trend we’re seeing grow exponentially. So directly aligning risk and controls to prescriptive calculations of associated dollars for those risk controls or quantifying the risk of not doing something. I.e., what’s the cost of a record for a breach times the number of records a provider maintains, equals a specific dollar value, plus compliance penalties? CIOs and CISOs alike are really starting to learn that their boards and specifically CFOs really want a better articulation of why am I spending this percentage of my organizational dollar on specific initiatives. They want alignment of the cost, the risk, and the business outcome versus hearing. We have X amount of tools, we scan X amount of endpoint devices every month, and we have anomalies detected in our environment. That is unquantifiable. And it’s not actionable for a board or even an audit committee. So CISOs and CIOs alike are really pivoting their agendas, to be risk based and risk quantified to directly align to their business stakeholder expected outcomes.
Maria Palombini
One of the concerns we keep hearing about similarly is, hopefully this money is going to be used in a way that’s going to deliver. So let’s see how that goes. We have this constant debate that regulators should do more or should require developers and software engineers to do more. I guess the question is sitting from your perspective, do you have a similar perspective where regulators need to step up and start making these mandates in, or do you think this is more a market driven approach incentivizing these technologists to embrace this concept to start delivering on this idea of more security and more protection of privacy?
T.R. Kane
Specifically around medical devices, net new products that are emerging into the healthcare industry. There are just simply not enough regulatory protocols, controls, and oversight, like you may see from the OCC and the FFIEC in financial services. So I think there’s a greater need for regulatory monitoring and enforcement. And those are both important. Because monitoring doesn’t necessarily mean tickets are being written, I think you need to have real enforcement and look at the clear difference between financial services and the enforcement of their regulations. There is a clear difference in response and reaction when systems or products have been exposed due to a breach in financial services versus healthcare. So I think if you’re gonna move the needle, you need to have healthcare regulatory bodies set standards, but I think it needs to be in cohort with medical doctors and the broader medical community, but also with the manufacturers to align on those standards. It shouldn’t just be at the policy level, I think it needs to go a level down at a technical security level, and not just be a guideline, not be a recommendation, but be a federal mandate with defined penalties for non-compliance that are tracked, reported and enforced on an ongoing basis.
Maria Palombini
What do you see as the greatest cyber threat and consequence in the healthcare system that maybe others are not fully migrated to, or maybe it’s just not gotten the whole exposure like we think it has been?
T.R. Kane
The attack surface has grown exponentially across healthcare organizations. And when I say exponentially, it is moving at a velocity faster than healthcare organizations budget to keep up with them. So if you think of healthcare interconnected ecosystems around biomedical devices, mobile phones and devices, laptops, mobile workstations within hospitals, all the way to third parties being leveraged for outsourcing data and data handling, the greatest threat becomes the lack of clarity around where my data is, how my networks are segmented, how I’m effectively monitoring third party risks, and the emergence of cloud based solutions, which really has enabled business leaders to pursue digital solutions without always interacting with or vetting cybersecurity until it’s post contract. And I think that’s when you start to see data risk exposure, when you haven’t kind of taken a step back to look at, are we programmatically thinking about how we’re going to have a business outcome, with the right level of control, protecting both patient health safety, as well as patient data safety.
We’re at a revolutionary point. And I know that sounds bold, but we are at a revolutionary point in history with respect to access to data, interconnectivity options, use of medical devices, and how those medical devices connect to other devices. And this increasing attack surface that malicious actors are preying on and the velocity by which emerging healthcare treatments are being introduced and performed, as well as the mechanisms by which data is stored, and by whom, is continuing to increase with use of the cloud. Knowing that the health care organizations, the government, and independent firms alike are trying to move at a similar pace is important for folks to know. The threats are known. The velocity by which medical providers and technologists and independent assessors and consultants are trying to attack it, it’s not quite there, but I think folks are really doubling down. So my recommendation, you know, for the audience would be kind of in the meantime be safe, stay healthy, and look out for one another and know that your clinical and technical teams are really doubling down to protect you.
Maria Palombini
You have shared so many great insights today and I want to thank you for joining the conversation and being with us. Many of the concepts TR mentioned today are covered in various activities that we have at the IEEE Standards Association Healthcare and Life Sciences Practice. Most notably, we are doing a five part virtual workshop series on global connected healthcare cybersecurity. I invite you to visit ieeesa.io/cyber2021 to learn more about the series. If you want to get involved in any of our work, I invite you all to visit our website at ieeesa.io/rethink, and we look forward to you joining us in our next episode. Until next time.
Episode 4
Uncovering the Great Risk in Security and Privacy of Health Data in Latin America and Beyond
Listen to our eye-opening conversation with a cutting-edge cybersecurity forensic technologist, Andrés Velázquez, Founder and President of MaTTica, based in Mexico, who highlights common global challenges and inherent obstacles in the emerging Latin American region.
Speaker
Andrés Velázquez
Andrés Velázquez is the Founder and President of MaTTica, a strategic cybersecurity company that has the first computer forensic lab in Latin America in the private sector. He has over 20 years of experience in cybersecurity specialized in computer forensics, digital investigations, crisis management, and incident response. He has been a co-author of several books on presenting digital evidence in Latin America and on Data Privacy Laws. Considered an opinion leader on media, he is a columnist in Forbes México and participates constantly in the media explaining cybersecurity and the elements linked with digital crimes.
Andrés is committed to fighting against child abuse on the Internet, participating with different organizations training law enforcement agents, judges, and DA’s on digital evidence and crimes. The Mexican business magazine “Expansión” named him one of the 30 youngsters in their 30s to lead the change in Mexico.
Full Transcript
Maria Palombini
Hello everyone, and welcome to Season Two of the IEEE SA Rethink Health Podcast Series. I’m your host, Maria Palombini and I lead the IEEE Standards Association Health and Life Sciences Practice. The practice is a platform for multidisciplinary stakeholders from around the globe who are seeking to develop solutions for driving responsible adoption of new technologies and applications that will lead to more security protection and universal access to quality of care for all individuals.
We know cybersecurity, which is our ultimate goal – how do we protect the connected healthcare system? It is evolving constantly from increasing policy to a changing threat landscape where there’re still considered many risks and attempts to proactively combat this challenge as it’s happening in real time, anywhere throughout the globe. This season, we’ll bring you experts to share with you what they’re seeing globally, and as well at the regional level.
And with that, I would like to introduce Andrés Velázquez from MaTTica to our podcast today. Andrés is going to share some really great information with us. He has very deep experience, more than 20 years in cybersecurity, cyber crime, computer forensics, and digital investigations. These are all the things that we need to know in a connected healthcare world. But before we get to his expertise, I’m going to ask Andrés to share a little bit about what he does at MaTTica and what actually inspires his passion to go into this space.
Andrés Velázquez
Thank you very much Maria. MaTTica has been evolving for the last 15 years. I actually created MaTTica back in the days, because I saw that there was no computer forensic company in Latin America. The need for digital evidence or to find digital evidence to present it to court and to different processes was at that time something that made me make a decision. I was trained by the US Secret Service at some point. One of the things that I have been doing is helping a lot of organizations internationally against child abuse. So these are some of the things that we’re doing. We actually are the crisis management team for the IT on some of the biggest hackings and narrations into some companies here in Latin America. So I think that will help to understand what we have been doing, and how I got into this field. I always loved computers. At some point, I decided that cybersecurity will be the thing that will lead my way in this life.
Maria Palombini
It’s fascinating. Every time I talk to you I always learn something new about you. I didn’t know about the Secret Service thing. There was an interesting thing on your LinkedIn profile. You had mentioned that you are an incident response enthusiast. It’s the first time I’ve seen it. Maybe it might be out there somewhere else, but maybe you could just share a little bit of light on exactly what came to mind when you said that this is something that you want to say about yourself?
Andrés Velázquez
It’s kind of interesting how everything has changed in the last 20 years when I started doing cybersecurity. Everything was about firewalls, anti-malware; that time was about antivirus. Then I started into policies and all the documents that you have to have, and everything started to move into forensics. As I mentioned, the part of computer forensics led me to digital investigations and digital investigation led me to get into something that I really like. It is how you can do incident response and crisis management in clients. Most of the clients that we have are in the financial sector. So it’s kind of weird how I’m going to say this, but I love the adrenaline that I get when I was called to solve an issue of a client or a company that could get very messy.
Maria Palombini
No, I wouldn’t call it weird. We call it passion. And we have many volunteers like you in our different programs who share a similar passion. The idea to find a solution, to do something, to make something that was bad better, or find a good outcome for it. That was one of the things that I found most exciting about our initial conversation. When we were talking, I noticed that you were very tactful in not using the term cybersecurity. And you even mentioned to me that cybersecurity is a technology engineering term, but what we need to focus on is risk mitigation and response. So we’re seeing more companies such as yourself, like MaTTica, who are getting into this sort of area and really proposing this concept of risk mitigation, risk quantification, proactive response, forensics, and that kind of thing. So maybe you can explain some of these concepts on this approach and why you believe in the world of connected healthcare is because that’s where we’re more and more moving towards. It’s really important to incorporate this sort of approach into your strategy system.
Andrés Velázquez
Everything started because I have been training a lot of boards of directors from different kinds of companies in Latin America. When we talk about cybersecurity with them, they think it’s something very technical that you have to know how to program, or you have to know what distributed service is. And the best way I have learned to talk to them is to talk about risk. It’s very interesting because this can be applied to pretty much everybody else, even on the personal side, if you listen to these past podcasts and you start listening to some terms like buffer overflow, or the WAF, and all those terms. We’re very used to talking like that with acronyms, because I’m a very technical guy. Well, you won’t understand. So getting into the risk approach is better.
We are used to reacting to risks. Businesses are used to understanding that they have to do something about risk that could be implemented, control, transfer the risk, or accept the risk. When we can link the risk to something that could affect the company in their reputation, loss of the operation, or an incident that they could lose money by a lawsuit and find the cost of getting back to operations. Then they will understand the value of considering cybersecurity on their plans. This is something that is interesting also because we, on the personal side, are dealing with risk all the time. The only thing is we understand what the risk is. Let’s talk about the pandemic situation that we’re facing right now. I was in San Francisco when everything started, the news was very critical and the way that they were explaining what was happening, but at the end, or at that time, they weren’t really clear on what were the risks.
I remember all the things that I did on my flight back to Mexico. I don’t think they were wrong, they were in the right things to do at that point. So cybersecurity is not about installing anti-malware and a firewall, as I mentioned, it’s about creating a strategy. Now, how can I link this to the healthcare perspective? Well, first of all, we need to understand that technology and cybersecurity are cousins, but they’re not brothers. There’s a gap in between them. Innovations, in most of the cases, have a lack of cybersecurity leaving a lot of risk on the table. The research and development teams are trying to create the most amazing devices, but in the end, those devices could have their own vulnerabilities. They can run in networks that have not been secured. And the users of the technology are not aware of the risk when they have them. It’s very interesting the way you presented these questions, because no, the companies in general are not embracing this concept. They’re still hiring people that will do cybersecurity as something that will go on the operation side, not really on the strategic side of it.
Maria Palombini
Interesting that risk is one element. And I think one of the things that sort of gets lost is the concept of privacy. We think about secure breaches, but what really we’re even not focusing on is patient privacy. And you mentioned something very interesting to me that I found so profoundly insightful when you said that there’s a fight between being comfortable versus being secure. And you said it in the scope of, there’s a balance with the medical devices we use in hospitals versus consumer devices utilized in the home and in the concept of overall risk. Do you want to explain a little bit more what you mean by this fight? Like what you have observed or what you’re seeing as trends from that point of view?
Andrés Velázquez
It’s something that at least in this field we discuss a lot. We always want to have the most secure infrastructure, from the Internet of Things endpoints to servers and networks. Let’s say that the information is stored in our colleagues’ computers and is very confidential and we want to control as much as possible how the user moves information. So the person responsible for protecting the information will block everything. It’s more secure, but the user cannot do their job. So we can not lose all the controls because that will risk the confidentiality of the information. We need to find a way that it’s secure, but it’s usable. It’s pretty much on how we can balance those two concepts.
Maria Palombini
It’s very interesting because it’s always sort of the question – comfort or quality versus uncomfortable but more secure. This is just a question in life we all see. This is the balance that we have in everything that we do. One of the reasons why I invited you on this is because you bring the Latin America perspective. And when we were talking in Europe, they have GDPR where there is a consensus of governments who are following GDPR policy around privacy, but then when it comes to Latin America, you said there are some countries who may be a little more robust and others that are not. Are you getting a sense that those who are not are starting to embrace this concept of looking at regulation or protocols to sort of give more security? We know connected healthcare will be moving more and more into the Latin American region. Just try to get your perspective and maybe some insight on what you see going around.
Andrés Velázquez
We have some data privacy laws in Latin America. Some of them are actually very similar to what was created in Spain a few years ago. Those laws protect sensitive data, like the ones used in the healthcare industry. Pretty much the difference in the way that I can see in Latin America is the way they enforce it. And in some cases the law has just been approved. So we’re in the process of implementing the challenge in most of the cases, I think it’s in the public sector. That is the biggest sector or the biggest area that has healthcare systems. Actually, I was a co-author in a book published by the Mexican data privacy authorities on the law where I explained the biggest risk about data privacy in the public sector. Pretty much what I stated is that the local entities will not have the same budget, the skills or time to implement the same systems and protection as the federal government.
This applies to all the public hospitals and the way they are storing the patient information. Some of them only have the information on paper. They do not transfer that information to other hospitals or other entities. Some of them have their own systems, but they could be connected or not to others. Some of them pretty much outsource the processing and the managing of the medical records. And we have had a huge issue here in Mexico a couple of years ago. A person in Ukraine was spending his nights, looking for databases that will be published without a password. And he was able to find a database with 1.3 million medical records from Mexico. He contacted me and I helped him to figure out where it was from. That information was from one specific state in Mexico. Doing some investigation, I was able to find that they were trying to find a database administrator for probably six or seven months, but at the same time, they actually got a contract with the government where they have to store and process and manage the medical records of these patients in Mexico. All their information was available on the internet without a password. So yes, they probably decided to transfer the risk to another entity. But at the end, that entity was not able to secure that information. We actually brought down the information. We were sure that nobody saw it. We tried to contact that company. They said that they didn’t have anything to do with that, but the company a week later disappeared. We actually gave all the information we had to the local data privacy authority. And they actually tried to find them. They were not able to find it anymore, so it pretty much disappeared. So we have a law that will protect the sensitive data like these medical records, but now that their information of all these patients was affected, now we can not do anything to bring it back as it was before. Yes, it’s going to be a penalty to this company, but in the end, the data remained on the internet for some time.
Maria Palombini
That’s 1.3 million patients that we’re talking about being exposed. So that’s very insightful. You have a technology background, and obviously you have to intersect with policy and regulators and with industry demand and boards of directors. And I asked this to all my guests – there’s always this debate that regulators and policy makers need to do more to require the engineers and developers of hardware and software, these connected medical devices and building more security features. Do you share a similar perspective that you feel policy and regulators need to step up more, or do you think maybe there needs to be more technologists to come together and collaborate and develop technology standards to address the problem? I’d like to hear your perspective since you intersected all these different domains as you go through this process.
Andrés Velázquez
It’s very interesting. Because I have been doing the forensic side of my company for a while. And one of the biggest challenges that I have been facing and working with a lot of entities out there, like the Council of Europe or the United Nations, is that technology brings a different way of understanding how things work. If I have a case where someone actually accesses these medical records from another country around the world, at the end on the technical side it’s just a click. I don’t know if they are in another country that doesn’t have the law around cyber crime or not. So if I bring these to answer your question, there’s a huge thing that we have to consider and it is called jurisdiction.
I had to spend probably two years trying to understand jurisdiction in the way the lawyers understand it based on what I just mentioned. So when we’re talking about creating law around technology, you’re talking about controlling something in a jurisdiction. In the States, we have HIPAA to address cybersecurity in the health system, but we don’t have that in Latin America. We just have these data privacy laws. So how can we interact in a world that is now connected? The data from these medical records was in a server, or at least some servers, in the United States, not really in Mexico or in Latin America. Now we’re talking about globalization, it could be in any country in the world. If we’re gonna talk about law, we’re gonna be blindfolded because that will only apply to some countries. Therefore, I prefer to talk about standards or best practices in some cases if we’re not able to carry standards, and then try to be able to adopt those standards globally, so that we don’t care if there’s a law or not, we will be able to solve most of the issues that we’re facing.
Maria Palombini
That’s really interesting. And I’m so delighted that you brought up this point because often when we talk about healthcare without borders, being able to say “I can take my data and go into this other country, they’ll have my whole history and be able to take care of me.” And we’re also worried about the technologies in doing so, or the data taxonomies or the languages. But you brought up an important point, which is there is no harmonization of policy around healthcare data. So although we may have technology means we still have the challenge of policy. And as well, as you mentioned, just in general, the technology standards and data standards around all those things. So I’m delighted that you brought that point up because I tend to hear these debates on this whole arena quite a bit.
I thought this was very interesting coming from the US when you said to me we need the CIA for cyber vulnerabilities and anything from connected health in anything we do. Naturally I was thinking of the Central Intelligence Agency in the United States, but you are referring to those three letters or something else. So I would just want you to share with our audience what you were talking about when you said CIA and exactly what in reference to how this can be applied to this growing challenge.
Andrés Velázquez
The CIA is not really my vision. It’s something that we have to learn when we are starting cybersecurity. It is called the CIA triad. That is a concept that focuses on the balance between confidentiality, integrity and availability under the protection of an information security program. So when I tried to link it into the health sector, these elements are very important. Confidentiality – that only the persons or the devices or systems that the law allows are the ones that are looking at the information. Integrity – talking about that the information or the data is not changed without any record control of how it has to be changed. And availability – I will really say pretty much that you can have information or data when you need it. Normally I mention two examples. The first one is about our bank accounts. I don’t want my bank account to be public. So that’s why it needs confidentiality. I don’t want my bank account to show a wrong number of how much I have on it. Well, if it’s over what I used to have, I will be happy. But if I access my bank account and I see less than what I had, well, I don’t want that to happen. And the third thing is, if I need to use what is in my bank account, I know it needs to be available to me. If I move it into the health sector, what happens with this medical record? What happens with this device that is attached to me that needs the information that has to be exact, and it cannot be manipulated?
So those three concepts, we normally talk about with the decision makers. We need to make them understand that this is the base of cybersecurity, and they need to be linked to the strategy of the company and the processes that we want to secure. So I don’t want my medical record to be public, to be changed in its content so that it could have an allergy that I don’t have, or the other way, and I need that record to be available when I get to a position that I need it.
Maria Palombini
Very important. Based on what we talked about today and all your experience, perhaps you can share a final thought with our audience on one of the most important call to action for an individual or a patient to take, for the overall healthcare domain, or for any other stakeholder, like wearable developers and connected medical device developers to sort of take that action or take something into consideration to move the needle on this growing challenge?
Andrés Velázquez
We’ll get back to how we started, talking about risk. So yes, for a hospital or a facility, the information that you’re receiving from your patients, all the technologies, like they are researching and developing new devices, please consider cybersecurity because that will help to solve issues right now, instead of finding out later that there’s going to be an issue with either data or information on how the device actually works. About policy makers, we have to understand that we have to find ways to make this something that everybody could apply, meaning that there are maturity models and we have to cover security. Now, not everybody is going to be in the highest range or the lower range.
We have to figure out how we can implement cybersecurity in a very strategic way that could be improving, depending on how everybody is working. And at the end to the patients, that is pretty much you, me and everybody that is listening right now. There are some risks, and try to understand how the entity, the hospital, the wearable, the medical devices that you’re using could have a vulnerability and something that could affect you. I’m not trying to be fatalist. I’m trying to be kind of real. With what happened with COVID, we had to understand the risk to decide which controls we have to apply. And I have been trying to understand how much we can get from the COVID reaction to cybersecurity. And yes, on cybersecurity, we’re going to be as secure as the less secure person involved in what we’re doing. It is a chain. So I would like to end with a phrase that I loved from a cryptographer in the United States. His name is, uh, Bruce Mayer. He says that cybersecurity is not a problem about technology, it is a problem about how we use technology. So don’t blame the technology, but how we’re using the technology and who is creating new technology.
Maria Palombini
That is a very profound final thought. You’ve shared really great insight and concepts with us, and a lot of the things you’re talking about we are covering in the IEEE SA Healthcare and Life Sciences Practice. Most notably, we want to share this with our audience: we are hosting a five-part virtual workshop series on global connected healthcare. And we’re doing this in collaboration with the Northeast Big Data Innovation Hub, based on the campus of Columbia University in New York. The series is designed to bring anyone who is involved in technology, either in healthcare practice, clinical research, regulatory research, or in general engineers, to openly listen to some of the great concepts and new technologies that are out there, and most importantly, to work together to identify and develop a framework for moving towards solutions, whether it be in the design of the products themselves, in practice, or where we need policy to step up and help support the overall goal.
This series takes place live in February, April, June, September, and November. All of them are recorded on demand if you’re not able to get to one or all of them, and you can register for free at ieeesa.io/cyber2021. We also cover this in many other incubator programs, from our telehealth paradigm (security, privacy, accessibility, and continuity for all), to the decentralized clinical trials program, and of course WAMIII, which is wearables, medical, interoperability, intelligence. All of our incubator groups are open and inclusive. We welcome anyone who wants to contribute towards moving the needle on the challenge. You can learn more about all of these activities at ieeesa.io/rethink. I want to thank Andrés for joining us and sharing all this great insight, and you, the audience, for being with us and continuing to follow us. We look forward to you joining our next episode, but until then, continue to stay safe and well.
Episode 5
Response and Prevention Strategy in Connected Health - A Perspective from Latin America
We sit down with Roque Juárez, Security Intelligence Specialist at IBM in Mexico, to get an understanding of how basic principles can be critical to cyber threat management in connected healthcare systems, regardless of whether you are in an emerging or an established economy. If you think the COVID-19 pandemic slowed down the rate of threats, think again.
Speaker
Roque Juárez
Roque Juárez is an information security professional with 19 years of experience in different roles and responsibilities focused on business development and commercial strategy execution, information security consulting, and technical security solutions sales in Mexico and Latin America, such as Business Partner Sales Representative, Information Security Sales Manager for Mexico, Central America and the Caribbean Region, Information Security Consultant, Consulting Manager, Information Security Senior Consultant, and Project Manager, helping diverse industries to adopt information security as part of their way of doing business in the multi-dimensional landscape of threats.
Follow Roque Juárez on LinkedIn.
Full Transcript
Maria Palombini
Hello everyone, and welcome to season two of the IEEE SA Rethink Health Podcast Series. I’m your host, Maria Palombini, and I lead the IEEE SA Healthcare and Life Sciences Practice. The HLS practice, as we like to call it, is a platform for multidisciplinary stakeholders from around the globe who are seeking to develop solutions for driving responsible adoption of new technologies and applications into the domain. Hopefully, the end outcome will be more security, protection, and universal access to quality of care for all individuals. We know that cybersecurity is evolving constantly, from increasing policy to a changing threat landscape. This season brings all these conversations from these experts on the growing epidemic of cyber warfare and breaches, as we see on health data and health technologies, and how they’re looking at it both at the regional level and in the trends we’re seeing across the globe. Together, we’re hoping that by solving these problems while keeping the benefits of these devices, we will reengineer the strategy to better patient privacy and overall security. So with that, I would like to welcome Roque Juárez from Mexico to our discussion.
Roque Juárez
Hello everybody. Thank you, Maria, for your introduction. And I’m going to share with your audience about this fascinating domain.
Maria Palombini
We can’t wait, and I know you have a really diverse background in security intelligence. I know that you’re currently at IBM Mexico. So with that, why don’t you give us a little bit about yourself, some of your specialty, especially your work in IT security, some of the things you’ve seen throughout the years, how they have changed or maybe gotten better, new developments, especially being in Mexico; you come with a different perspective, as do all our experts from around the globe.
Roque Juárez
Of course, my pleasure, Maria. I have to say that I’ve been involved with information security, IP security, and now cybersecurity since I was at university. I perceived that this area was so fascinating since the first time I saw some news regarding the historic hackers such as Captain Crunch and Kevin Mitnick. I thought, and I was sure, that this area was going to be in the focus of so many industries, because all of them were getting supported by it more and more. So I got engaged, and I couldn’t leave it. I think it will be the best part of my life for the rest of my life. It has been evolving so quickly. We can say that maybe 15 or 20 years ago, cybersecurity or information security, as the main and holistic concept, was not in the focus of many organizations or in the focus of many regulators. And we have to say that it is a natural evolution process. Especially in Latin America it is a challenging domain, because sometimes, historically speaking, cybersecurity has been perceived as a business blocker: for every control you decide to deploy, you’re going to blow up the business vision, mission, and main purposes.
But in current times, and due to this pandemic, we can see that all the organizations, no matter which sector of the industry they are in, have to transform the core business. Most of this transformation is supported, or at least enabled, by technology. The healthcare industry is one of these industry sectors that is being impacted by this accelerated evolution. Now, we can say that in Latin America and globally, industries have been engaged with IT and with cybersecurity issues sometimes before the healthcare industry.
For example, traditional industries such as financial services, insurance services, and ecommerce have had to be focused on cybersecurity and IP security; they developed a business by engaging customers in these business environments, because the nature of the core processes is supported by IT. For some other industries, such as manufacturing or healthcare, for example, IT is a standardized technology, so in this case now, healthcare is taking advantage of this standardized technology provided by traditional IT to develop the new patterns in the core business. Now, we can see that in the healthcare industry, the core devices, the core apparatus the industry uses to achieve the main objective of the industry, like laboratories, hospitals, and these kinds of organizations and institutions, are taking advantage of these IT standards and technology and devices. But now, these new industries that are taking this advantage are facing new challenges that they were not aware of how to handle. And it is not a critique. And now, the hacker has to develop to embrace different kinds of services and processes to make this transformation a tangible thing. I’m talking about business or core processes, but they have, for example, the patient support processes, such as registration and the following up on the patient status and things like that, and administrative and management processes. In this big picture, healthcare has to handle a lot of challenges due to this standardization of the technology that they are using for the core business.
Maria Palombini
I think you’re giving such a nice macro introduction. You know, I could sense from your passion right away that you’re into this. You’re already jumping into our next segment, the core. You already started to preface this: healthcare underwent a major digital transformation. We all know this, like anything else in the digital era. Obviously there wasn’t always, or there is not, so much a focus on cybersecurity or the cyber breaches and the vulnerabilities compared to other sectors that were more traditionally attacked, like banking, insurance, finance, and e-commerce, that were first on the hit list. You mentioned there are some real critical challenges that have emerged. Can you share exactly what you envision, or your perspective on those challenges and how they’re impacting the healthcare industry overall?
Roque Juárez
Yes, of course. The first important thing to keep in mind is that, based on some cybersecurity industry reports that have been published at the beginning of the year, we can see in the IBM X-Force Threat Intelligence Report that this industry moved from place 10 in 2019 to place seven in 2020. The most common attack vectors that we can see the attackers used were around ransomware, data theft, and server access attacks, but we can see that these attacks are related to common IT standards or common IT technology used to support some other processes or services that were not the core processes. Based on what we mentioned about this digital transformation and this adoption, I can see three main challenges. The first one is that the healthcare industry is adopting IT as its core technology. I mean, some years ago, IT was just a group of support services for administrative tasks and things like that. Although the new medical devices are running on common IT loggers, I mean, operating systems, networking applications, software engineering, things like that. So they are exposed to the vulnerabilities discovered and reported on these IP assets. That’s the first main challenge. As for the second one, the numbers are not related to the priority. I think these three challenges have the same level of priority. Let’s see why.
The second one is privacy of personal info. And most of us can think that the privacy is just for the patients. We have to think about the privacy of the information collected from the collaborators or employees; it is at the same level of importance as the patients’. So the essence of this industry, the healthcare industry, requires that the data from people has to be collected and exchanged because of its process nature. This data is considered in most of the laws and regulations all around the world as personal and sensitive, the most important sensitive information. All the organizations that collect or exchange this information have to protect it at the same level of risk as the most valuable information. If you are like most people, and you identify or classify your processes and business information as relevant and confidential, the personal and sensitive information that you have, it doesn’t matter if it is from your collaborators, employees or patients, has to be ranked or classified at the same level. So the level of protection that you have to deploy on this info is crucial. And it can represent investment and effort to protect. That’s the second main challenge.
And the third one: since all the research and all the investigations and collaborations around the vaccines, especially because of the COVID-19 pandemic, specifically speaking, there’s a new confirmed challenge related to hacking the infrastructure where these researchers or investigations are done. This could affect the integrity, availability and confidentiality of the results of the research and investigation. But what is more that we have to think about is that some attackers make phishing campaigns against common end users, or common people like you and me, where they distribute emails or some advice around the internet which lure people to access information or some advantage around vaccines. They are trying to steal the information or personal bank accounts and things like that. We cannot lose the idea that the protection of the information around research and investigation plus two components. I think all the organizations in the healthcare industry have to pay attention to that, because the integrity and the reputation of the brand and the organization can be jeopardized.
Maria Palombini
That’s fascinating. We’ve had many of our expert guests pinpoint the fact that they need to embrace, just in general, the situation with these vulnerabilities as organizational risk, not just a product risk. So I see that you as well share that same point of view. We’ve had different research, and I’ve had some of my guests say that the Latin American region is a little bit behind in creating strategies for response or anticipating these kinds of breaches in connected health applications as they continue to gain speed within the region. Given your work there and being from the inside, is there anything that you’re seeing in trends that suggests there’s more attentiveness to the challenge? Are you seeing some new ideas, either from government or from industry in the area, trying to address some of that growing challenge? It’s happening not only in Latin America, this is a global challenge, but perhaps from a bird’s eye view from where you are, what do you see going on?
Roque Juárez
That’s an interesting point, because healthcare organizations in Latin America are making big efforts to close the gap. Maybe the starting point of these challenges for these organizations is not easy. It’s not easy for anyone. But in this part of the journey, they have not been trying to address the problem, but just investing in technology.
Right now, and I think it is a global symptom, all the organizations are swimming in a pool of tools and technological platforms, trying to reduce or mitigate the risk associated with this changing threat landscape. They are trying to address the challenge with a wider view, which is positive in my perspective, because they are trying to share the concerns with the C level, they want to drive this challenge as a corporate challenge, not just an IT or technological approach, and they are trying to move the needle around a holistic effort: people, technology and processes. This is a group of premises that they are trying to work on and develop. What is more, currently, they are not trying to acquire more technology, or replace all the hardware and software that they invested in previously; what they are trying to do is to develop capabilities around these three premises I mentioned. It’s not easy, because right now there’s a lack of resources due to the pandemic and the economic situation; it is not easy to get all the resources the organizations need to address and to show the challenge. But they are trying to make a clear association with business needs, and not just the regulator requirements. They are trying to add customer and business environment requirements to these benefits and risks associated with the technology, and IT technology-supported core processes in the healthcare industry. Latin America is making progress. I think it is not as fast as required. But we are not doing nothing.
Maria Palombini
One of the things that I’ve been reading more in the headlines, and it’s unfortunate because we’re in the middle of a public health pandemic, and we’re obviously worried about saving lives and opening data to help research. But yet we’ve seen this increase of attacks on general healthcare institutions and COVID-19 specific research institutions. Can you share your perspective on what’s driving this increased appetite for these hackers? Like, what’s their motivation? Or are they getting access to something that they weren’t gaining access to before? What’s really fueling this rage?
Roque Juárez
It is a question without an easy answer, because I think that most people have associated all the cybersecurity issues with a teenager-driven event in the past. And nowadays, I’ve got to say that when we read the newspaper, or we read on the internet, or somewhere else, that an attack was successful, maybe we are associating an image of a teenager in underwear in the parents’ house, playing games with computers. This is not like that any more. These cyber crimes are at the same level as organized crime. We have to stop thinking that this is a teenager’s matter; these are relevant and corporate industry matters. Based on that, we can see that the fuel for these hackers could be to sell in black markets all the information they can get from these investigations or research. It can be associated or classified as an act of vandalism. The other component of this equation could be, as I said before, to get personal and sensitive information that can be sold again in digital black markets. If we check in different reports the amount of money that black markets related to cyber crimes are generating, we can get the answer to these questions.
Maria Palombini
Absolutely, just another level of complexity to deal with in the midst of this challenging time. So I ask this of all my guests: from a policy point of view, we hear debate that we need more policy to address the issue of cyber vulnerabilities in the connected healthcare system. We hear others who say that it should be market driven; engineers and technologists need to step up for the benefit of the service they provide to customers. So we’re hearing all these different things. From your perspective, what do you think? Or what’s your perspective on where we need to start pushing more of these opportunities, whether it’s policy, whether it’s development of technical standards, whether it’s incentivizing industry to sort of step up and start addressing these kinds of issues at the foundational layer?
Roque Juárez
You brought up an important and relevant actor in this play. I’d have to say that the work that regulators are doing is essential, but it is our starting point, it is not the destination. When you are working just for the regulator, to be compliant with the regulator, you are not doing things right. I mean, to be compliant with the regulator has to be a natural symptom that your IT and cybersecurity operation is aligned with the business requirements and the regulatory requirements. But most of the time, what happens is that an audit by the regulator is going to be executed next week, so I’m going to be prepared. You are not doing anything to change your current threat landscape, your current vulnerability landscape, not for the benefit of your business, just to be compliant. So that’s why I said that it is a starting point: you are going to have some indications to be compliant with, but the challenge for the administrators, those with the cybersecurity responsibility in the organization, is to understand these regulations, and to translate the business environment to the business context. So you are going to be aligned and you are going to be compliant. It is a starting point, in my perspective. Another important thing you mentioned: when you work in an industry, you can make such progress as developing standards, as sharing concerns or lessons learned. It is not a problem we are going to fix alone; to collaborate, to embrace, we need to enhance all these efforts that regulators and organizations or standards organizations are doing too. How? Most of the time when a law or some regulations are going to be published, or standards are going to be published, there’s a period where you can contribute, share your concerns, or share your experience, and this can be used to develop a link. So this is a way. I mean, there’s not a silver bullet. There is no procedure to follow. But I think it is a good starting point, right?
Maria Palombini
Yes. You covered so many great things and, you know, some of the points that I’ve just picked up really quickly are common themes that we’ve talked about with other guests from around the globe, and you hit on just the same. First of all, cybercrime is organized crime; it is no longer a teenager thing or something that just happens because someone has nothing better to do. And at the same time, cybercrime is an organizational risk, and we’ve heard this recurring theme as well. I think an important point that you also brought up, just as a note to everybody: we do have a common theme where we say policy needs to step up, but policy is definitely not the end game. I think you reinforce that point as well. The third part is, we hear of a lot of investment going into technologies and how, you know, we can deal with the issue of cybercrime and cyber breaches. But the question is that it’s not just about investing in the technology; like you said, it’s trying to fix the problem. We have to try to get to the problem. The sad part is that usually when we move up higher on a scale, we think it is usually a good thing. But the fact that healthcare is moving up as an appetizing place to be breached is not such a good thing. So this is something for our audience to keep in mind. You brought up so many great insights, common threads. What do you think is the most important call to action in the healthcare domain? You know, we’re talking about a wide range of hospitals, facilities, pharmaceutical companies, technologists, regulators, patient advocates, patients themselves; there’s a lot of people and entities in the mix. What do you think is a really important call to action?
Roque Juárez
Again, it is a complex situation, as you were describing. But what I would say is that the first big step is to bring these new risks to the table with the C level in the healthcare organizations. I think this could be a big step for the industry. In the meanwhile, we can reinforce some more tactical and operational actions to make this change. It is not an easy problem, but how do you eat an elephant? A piece at a time, right? So, to make progress based on legal changes or legal efforts, but not to stop the airport, I could say that let me share a general call to action. Secondly, to integrate the filter technology cybersecurity risk in the organizational risk. When you are managing your organization or corporate risk, healthcare cybersecurity risk has to be there. Third one, to manage all the vulnerabilities and monitoring of the healthcare technology stack as part of the corporate program, the vulnerability management program. Fourth, to work with manufacturers and service providers to define security and operations requirements as part of the design. This is an important thing. We mentioned that sometimes this cybersecurity is not considered in the beginning. This is why, because when you are designing, you are not keeping cybersecurity in mind. So if we push these actions with the manufacturers and service providers, the landscape is going to change. And finally, last but not least, to train people in cybersecurity as part of the daily activities. It is not just your employees, your customers, your administrators, your operators. As I said before, one of the premises is based on people. It doesn’t matter how much you invest in cybersecurity if you have people who are not trained in cybersecurity, or people who are not changing their passwords, just to put an example, because you’re not going to tell him or her to change the password; they are going to change the way they perceive and interact with cybersecurity.
So I can say that could be the main group of actions to execute and to have in mind.
Maria Palombini
That is a very important call to action. And I think that is something for our audience to think about, that this cyber challenge is like a large elephant in our way, and we can’t attack it all at once; we have to do a little bit at a time. Roque brought up many great concepts today that we are currently addressing in various activities in the Healthcare and Life Sciences Practice. I want to share with you all that we are hosting a five-part virtual workshop series in 2021, called Global Connected Healthcare Cybersecurity. And we’re presenting it in collaboration with the Northeast Big Data Innovation Hub, out of the campus of Columbia University in New York. This workshop series is designed to really produce pragmatic outcomes, and build the framework for these much needed solutions, from response to prevention, to preparing strategy and everything in between. And if you’re interested in attending and being part of the open collaboration to develop these solutions, you can see them on demand; just register for free and you can see them anytime at IEEESA.IO/CYBER2021. And just to let you know, we have many different incubator programs where we incubate ideas for standards or best practices in telehealth; we have them in decentralized clinical trials, mobile health app certifications, obviously, and WAMIII, which is Wearables and Medical IoT Interoperability Intelligence. So if you would like to engage in conversation about what you heard today, about overall what’s going on in the industry, please be sure to check out our IEEE WAMIII channel. And you can learn more about all of our activities at IEEESA.IO/RETHINK. Thank you, audience, for joining us today and tuning in. And we wish you to continue to stay safe and well until next time.
Episode 6
Cybersecurity, Trust, and Privacy in Connected Mental Health – A Perspective from Europe
Are we approaching a time when doctors prescribe mobile apps, games for adolescents, or Virtual Reality to treat social anxiety and/or mental ill-health rather than medication or talk sessions? If YES, then managing cybersecurity and privacy risks must be top of the agenda.
Speaker
Dr. Becky Inkster
Cambridge University, UK
The Alan Turing Institute, UK
Lancet Digital Health, International Advisory Board Member
Self-Employed Neuroscientist
I am a clinical neuroscientist, seeking innovative ways to improve our understanding and treatment of mental health in the digital age. I apply measured optimism when working across artificial intelligence-enhanced mental healthcare, neuroscience, and digital-, clinical-, and music-based interventions. I am passionate about patient data privacy, cybersecurity, ethics, governance, and protecting vulnerable populations. I provide cross-sectorial guidance and leadership to numerous institutions and companies (e.g., academia, technology, human rights, mental healthcare, and government).
Follow Dr. Becky Inkster on LinkedIn.
Full Transcript
Maria Palombini
Hello everyone. And welcome to season two of the IEEE SA Rethink Health Podcast Series. I’m your host, Maria Palombini, and I lead the IEEE SA Healthcare and Life Sciences Practice. The practice is a platform for multidisciplinary stakeholders from around the globe who are seeking to develop solutions for driving responsible adoption of new technologies and applications that will lead to more security, protection, and universal access to quality of care for all individuals. We all know cybersecurity is hot right now. There’s a lot of discussion about the challenges we’re seeing, from breaches to organizational and individual risk. And it’s constantly evolving, from policy getting involved to technologists and engineers trying to develop these solutions as quickly as the challenges come at us. This season features conversations with experts on this growing challenge of cyber warfare, the breaches, and the use of the technologies that are out there helping us to improve our healthcare, but making our data vulnerable at the same time.
So with that, I would like to introduce you to Dr. Becky Inkster, who is our guest today. A little bit about Becky: she’s a neuroscientist. She’s passionate about everything from cell phones to genes, to jewelry, hip hop, you name it. Becky likes things to like it all. And she integrates it somehow into all of her work, very seamlessly. She researches artificial intelligence, machine learning and mental healthcare, computational creativity, ethics and governance, and digital, clinical, and music-based interventions. So you’re going to find that this conversation is going to be very, very enthusiastic, but also very different from what we’ve traditionally had in our other episodes. So before we get to the core of the work you’re doing, maybe you want to tell us a little bit about your work around cybersecurity, especially your passion for doing things around mental health, including both children and adults.
Becky Inkster
Absolutely. Just to build on the context that you’ve kindly set for me, I am really passionate about digital mental health, and I work very closely with a lot of different digital mental health and wellbeing providers. There’s a lot of support being offered across a wide range of age groups. So working with VR and pediatrics, tangible interfaces and toys to support emotional development and kids youth peer, peer mental health support networks, one-to-one, tele-psychiatry psychotherapy virtual companionship for the elderly to reduce loneliness. And it just goes on and on. Those are a couple examples just across the different age ranges, but with this diversity in tech innovation, this explosion in mental health accelerated by COVID, there’s a lot of diverse challenges from a cybersecurity perspective. So even hacking into a VR headset is very different from a cyber criminal, trying to attack patient records that are fire compliance.
We have to think of all these different surfaces that are very vulnerable, especially when we work with some of the most vulnerable people. And so given the sort of the surge in the supply and demand of digital mental health and wellbeing, I argue that cybersecurity needs to go straight to the top, it has to be one of the highest priorities, privacy by design, and a lot of other issues actually. The World Economic Forum recently released a white paper and the word cybersecurity was only mentioned once in 71 pages, which is around 26,000 words. I think that kind of sums up where digital mental health is in terms of thinking about cybersecurity. I really do want to make this a trend in our industry really, and the trends that I’ve noticed as you’ve mentioned, Maria, the sort of difficult times for healthcare where breaches are at an all-time high.
I read one report that was showing almost 900 million data records were compromised worldwide in January, 2021 alone. And that’s more than the entire year 2017. I recognize that mental health data falls within the category of health. We absolutely want a parody of esteem, which means that we want to value mental health equally with physical health. I argue that from a cybersecurity perspective, mental health data needs extra attention and extra scrutiny as it’s extremely sensitive in ways that perhaps people haven’t really fully thought about. Even just a crude example here in no country is cancer illegal. But attempting suicide is a crime, a criminal act or prison offense in certain countries and even disclosures of sexual orientation or gender identity could put people at risk or in danger. And the reason I mentioned mental health and sexual orientation and suicide just as one example, there was a groundbreaking report by the Trevor project involving over 30,000 young people between 13 to 24 years old.
They found that 40% of those who identify as LGBTQ plus have seriously considered a suicide in the past year when they were surveyed in 2018. So a lot of these issues are very personal and they spread beyond what you might normally think of as being a mental health concern. And another trend that I’ve noticed. Many people have noticed that cyber crime has evolved beyond just encrypting data to essentially blackmail or extortion of especially vulnerable people. A lot of people know the example of Vestavia, but for those who don’t, this was Finland’s largest psychotherapy provider that went bankrupt. They treated tens of thousands of patients across multiple centers in Finland. And they experienced data breaches where confidential client therapy session notes were stolen.This includes other personal information too. And when the cyber criminals went for the provider and they refused to pay the criminal started to blackmail victims and this included children.
So we’re seeing this shift, or a potential trend really, going directly at the vulnerable people, and disclosures of this type of sensitive information could really endanger victims and others. For example, there’s often an emergency contact or details of another person or someone named during the therapy session. They might have abused the individual or somehow been connected, and information disclosed about them too. And things such as previous suicidal thoughts and attempts, or if someone is approached when they’re vulnerable to pay a ransom, this could trigger issues if they had already experienced financial hardships or debt, and it really goes on and on. So, it could be naming sex abuse victims, abusers, et cetera. So generally speaking, with mental health globally, there’s still a huge amount of stigma. And extorting vulnerable people could have a really harmful impact that could be life or death, or really trigger very serious instant consequences.
And then just to kind of tie up two other trends that I’ve noticed here that don’t necessarily directly relate to mental health yet, but I want to bring awareness to this: one is a possible trend relating to cybersecurity insurance. So, AXA, they’re no longer covering ransomware payment reimbursements. They’ve changed their policies in France. In digital mental health, we have to be very aware of such trends. Often in our fields, we are small and medium sized businesses, which could be deemed as soft targets. Many of the providers are vendors to large enterprises that are just starting on their journey. I also wonder whether trends will move from being solely motivated by financial gain to hacktivism and other types of targeted efforts. For example, hospitals being forced to release a patient, or cyber criminals targeting human rights organizations. What I’m trying to say is really I wonder whether the motivations for cyber attacks might become more complex rather than just financially motivated.
But that’s just my own personal concern coming from mental health. And you mentioned new approaches, what new approaches am I looking at, and areas of research? So for me, I found a very successful approach was to bring providers together to have that conversation, and that conversation could be anything from cybersecurity to collecting data. So not too long ago, I brought together over 50 providers in the digital mental health and wellbeing space. And together they gathered data insights from millions of people around the world to show the impact of COVID on mental health and wellbeing. And that really got me thinking that I should launch a cybersecurity project, because safety is a non-competitive issue. We’ve created this project. We’re at the beginning of this journey, but we want it to be a huge opportunity for providers to be proactive and to examine the current state of cybersecurity in the digital mental health space, and that it can help towards creating coordinated standards and responses to cybersecurity threats and attacks within our industry.
I’ve started working with ethical hacker Alyssa Knight to examine API vulnerabilities in digital mental health. And then I’m also working with XRSI, which is the XR Safety Initiative, and just supporting the development of standards for safety and security in XR environments. And one last thing just to mention: a new area of research that I’m really keen to map out is to look at not just how to fix the systems, how to address these threats and attacks, but how breaches map to clinical and psychological outcomes. So what is the impact on individuals of interruptions to mental health service provision on these outcomes for victims, or even just service users of the platform who may not have been affected as well? So just really trying to explore these clinical outcomes. And we’ve seen in previous research, in cases of a heart attack, the clinical outcomes were worsened after the data breach. So I just think it’s really important to see what happens to risks of self-harm, suicide, substance abuse, and how we can mitigate these risks by having victim support centers ready to address any issues of continuity of care after a breach.
Maria Palombini
That was a very powerful and insightful opening. And I think now you all know why I enjoy talking to Becky so much because she just gives you a lot of great information. I can sense it. I’m sure our listeners can sense it, but you have a very deep enthusiasm and passion and motivation for your work. Maybe just to share with our audience a little bit about what inspires you, motivates you to look at these new things and pursue all the research and try to take it to the next level?
Becky Inkster
I really like trying to make connections that are either extremely far apart and then link them all together. But for me, it starts with identifying a huge blind spot. So also being able to take a step back and not rushing into developing technology, and just seeing the horizon of the risks, what could potentially be ahead for the longer term future. I find that very inspiring. Also it occurred to me that I’m really motivated by working with digital mental health and wellbeing providers and combining this with cybersecurity experts, because both of these groups are really focused on safety, safety of data, safety of care. When you combine these two groups together, as I’ve just started to experience, it’s unbelievable how you can really start to get exponential output from combining those.
Maria Palombini
As many of you have noticed, Becky touched on this: when it comes to mental health, we’re starting to see now more and more focused attention, like we saw with telemedicine, on the issue of mental health, you know, as a result of the consequences of the COVID-19 pandemic, you know, people in isolation or just the post-traumatic stress disorder of something of this kind, you know, still going on. We’re not over it yet, but at this point we’re seeing that these issues of mental health are coming more to the forefront. And this is from children through adults, 30 to 40 years old, all the way up to the older generation. So with that, you know, we actually even saw the US FDA put out some digital health enforcement guidelines around treating psychiatric disorders during the Coronavirus Disease 2019 (COVID-19) public health emergency using these remote health devices. So what are some of the concerns as it relates to the security or the vulnerabilities and the patient’s privacy when it comes to use of these technologies, when we’re talking about, as you mentioned, a very vulnerable population right now?
Becky Inkster
I think what you’ve just identified, which I can elaborate on, is a serious imbalance. We’ve seen the positive side about this surge in demand and supply with digital mental health providers, which is excellent, but with the FDA regulatory change in April of 2020, we see that for many providers, it’s spurred them to move a lot faster than they had planned. And a lot of providers wanted to take advantage of this wide open door, which had never been opened, or it was even tricky to get your foot in the door. I think this created a really big imbalance, and the World Economic Forum, to quote them, said it really nicely: this imbalance was between time to market and time to security. It really does create this enormous attack surface filled with just endless vulnerabilities for cyber criminals to explore, especially API vulnerabilities.
I personally have witnessed this firsthand, where providers would get very excited about accelerating their technology and their products and their services, but not thinking further into the future about things like what would be their appropriate breach responses. Have they mapped out their responsible disclosures? Have they considered budgets and thought about victim support and safety? Have they considered GDPR and having to report breaches, and all these types of things? Quite a few, to my knowledge, really haven’t considered this at all, let alone have a budget for cybersecurity to begin with. When it comes to security and patient privacy, we’re really at the beginning of that conversation in digital mental health. That’s why it’s so important to bring in cybersecurity experts to help us with this. But again, we also have to feed back and explain just how sensitive this information is. A separate point, not on cybersecurity per se, but related to data grabbing on a historical scale and the loss of patient privacy.
When you mentioned security, the NHS recently announced that it was going to create a database with 55 million patients’ medical histories to be shared with third parties to improve research and planning. Now obviously that’s not an attack. I would never say that, but there are some elements that feel similar. Patients, including myself in the UK, have a very short window to try and control the privacy of our data. And we have to opt out by printing a piece of paper and sending it to our GP, and many people still aren’t even aware of this issue, that it’s involuntary sharing of their data, and not prospective, but past data. It’s a big issue here, and it’s not cybersecurity, but it’s still unclear who will use this data and for what purpose. So it kind of resonates in this strange way, and it certainly feels like an invasion of privacy, taking data without consent or transparency or public debate, especially when it includes private sensitive data like criminal records, mental health episodes, smoking, drinking habits. It really is everything: diagnosis of disease, dated instances of domestic violence, abortion, sexual orientation. So I think while it’s a very different scenario, there are a lot of similarities to these issues.
Maria Palombini
Absolutely. So for all of you out there, I guess many of you are thinking, well, we’re talking about cybersecurity for people who have access, right? But really at this point I want to get to here with Becky, and I think it’s really important. It is assumed that technologies and these remote tools and models are for hard to reach patients in need of mental health treatment. Those also watching these patients often emphasize that through the use of these technologies, the healthcare industry is supposed to be doing more by promoting the concept of self care and democratizing patient health data. So Becky, in your research, do you find this to be true, or do you see that this only relates to certain areas of populations, like established versus emerging economies, or the connected versus unconnected? Are you seeing any sort of sparks or lack of sparks in this kind of area?
Becky Inkster
I’m seeing a lot. I’m seeing almost every type of combination and variant here. So I work with the extremes, with people who are severely unwell with mental illness, right across the wellbeing spectrum. And similarly people who don’t have access, maybe through financial hardships or other reasons, or they’ve left prison to reenter the community. There’s a lot of different groups that I work with. I’ve seen tech fail for very sick people. I’ve seen unconnected people be excluded from things that could probably really help them. People becoming more occupied or overburdened by self care responsibilities. So I think you see every possible angle, but I really do believe that there’s nowhere near enough support for the hard to reach communities from a technology perspective.
And when we do, it’s quite linked with depression, anxiety, and some of the more common mental health conditions, and we need to go deeper and reach people who are unable to access technology, unable to use technology. And we just need to understand how we help people who are experiencing homelessness, for example. It’s not going to be the same solution, and it’s not as simple as just handing a phone to someone who has drug dependencies. It really isn’t that simple. I should say on the flip side though, because I don’t want to always see things from one lens, for eating disorder group therapy, there was some research showing that digital was actually just as good, if not slightly better, sometimes. If you are able to access it, by just having the comfort of your own space and not having to go to a physical place, maybe you don’t want your body on display or to be judged in a physical space. Or perhaps if you’d been crying after a session, you don’t want to have to leave a physical space. So there’s a lot of benefits to it, just to kind of balance that out.
Maria Palombini
Interesting. So it’s not a sort of one size fits all approach. We have to definitely look at where some things are working and maybe there’s some learning cases, right? Like what seems to be working for this group can be sort of amplified and maybe potentially help another group. I mean, that’s the beauty of the research.
Becky Inkster
Yep.
Maria Palombini
Our focus obviously is on privacy and protection of all individuals, from children to older adults, in using these digital health toolkits and technologies remotely. But when it comes to pediatrics or the role of guardianship or the role of a caregiver with these new technologies, it always feels like there’s a little kink thrown into the chain. There always seems to be some sort of challenge that we have to sort of figure out. I think one of the big things is around children, a parent or clinician. We know the end-to-end encryption or anonymization in the data chain. So a parent or clinician might wish to access the content from a young adult’s digital mood diary, per se, right, just for safeguarding. Does the duty of care override privacy rights, and then does that negatively impact the treatment’s effectiveness? So I’d love to hear your perspective on this.
Becky Inkster
I could go on for a long time about this, and it’s a huge area of focus that I care deeply about. So it’s an excellent set of questions. And I think the simple answer should be that duty of care should override privacy. If someone has harmed themselves or threatens to harm themselves or others, this needs to be reported and confidentiality needs to be broken, but in digital spaces, it’s just not always that clear cut. And it’s not as easy to protect someone, especially in anonymous settings. So obviously parents can do things like making sure they’re aware of passwords and these types of things. And I should say parental monitoring is a very good protective factor for mental health outcomes, in young people’s development of mental health problems in later life.
So it’s extremely important for parents to be involved, but increased privacy doesn’t always equal increased protection. And there’s this strange juxtaposition that we need to start teasing apart. And I’ll give an example here in the UK. One of Britain’s most prolific pedophiles would not have been brought to justice without using social media data, according to the National Crime Agency here. So now Facebook is planning to potentially implement end-to-end encryption in its messaging services. And this has caused a lot of concern for police and their ability to identify predators who would be abusing children, making it easier and safer for predators and making children even more isolated. The role of parents, the role of clinicians, to make sure they’re very aware of these issues, it’s extremely important. Especially when predators are pretending to be someone else, especially in a position of trust, and especially on a digital mental health and wellbeing platform or space, where there’s already such a very real risk about the young people talking about their vulnerable state, potentially risk disclosing information that the predator could use against them or take advantage of.
So I think that this juxtaposition between cybersecurity, encryption, and keeping everyone safe is a huge issue that we need to tackle, because if we keep young children, young people, vulnerable to predators, these adverse childhood events, which we call ACEs in mental health and psychiatry, are a huge predictor of poor mental health outcomes later in life. We have to be so careful about how providers roll out end-to-end encryption in digital mental health settings. If it’s rolled out, this juxtaposition between preventing cyber attacks and keeping data secure, we have to balance that with the potential harm of not monitoring signs of abuse. And it’s unrelated to mental health, but in the news right now, one of the headlines is that WhatsApp announced that they’re taking the Indian government to court over a controversial new law that will increase the government’s ability to monitor online activity. So, the law would require Facebook to remove encryption so that messages could be pulled into a database and monitored for illegal activity. So you could see mental health fitting into that, but that’s an ongoing issue where Facebook said that they won’t store user data in this way. They’ve launched a legal challenge on that basis. So it’s a really big issue. But in mental health in particular, we’ve got to figure out how to balance that.
Maria Palombini
You know, I often hear about responsible data use when we’re talking about any kind of medical technology. So I think, based on your research, and I know with mental health care we have to be extra sensitive on how we define responsible use of the data coming out of these devices and the use of these devices. So I guess based on your research, is there some sort of industry defined standard as to what would constitute responsible data use, you know, security, privacy, in developing or testing new technologies for mental health care?
Becky Inkster
This is just my lone voice, and this is why I want to work with so many different providers. But as I mentioned, I’m trying to gather these providers together to get their views on this as well, but I’m also a co-founder of a mental health and wellbeing venture. Through that startup journey, or the inside perspective, I personally don’t feel that there’s a strong sense of support in terms of how we follow industry defined standards, or quite often, we make very strong ethical judgments on our own because we want to be ethical, not just following legal or industry defined standards, but it becomes very difficult. And I think that’s part of the reason why I wanted to gather all of these providers together, to almost create our own set of standards or discoveries that could then be embedded into something of bigger significance.
There’s this tricky trade-off with data minimization. You don’t want to collect anything that you don’t need, and you don’t want to keep it, just make sure you’re churning through your data, and if you’re not using it, just get rid of it, versus collecting enough to be able to tell a full, valid truth about someone’s experiences or mental health status. It really is this tricky balance of trying to support someone on their journey, but not run into issues with false positives or making predictions inaccurately and things. I worry a lot about responsible data use. Again, when looking out at the provider space not too long ago, I was approached by a whistleblower making extremely serious allegations involving a data cover-up. So this was within a digital mental health and wellbeing space. Being responsible with data and looking to these standards or these industry defined standards, I think standards get you so far, but the way people decide to act within their provision, that’s a very separate issue that I think we need to cover more. So I really do actually worry a lot about responsible data use, and I know standards can get us to a certain level, but I think that’s why it’s so important for providers to come together and to share their issues, to link the standards to something that is real world practice on the front line of digital mental health.
Maria Palombini
Absolutely. We are approaching a time when doctors prescribe mobile apps or games for adolescents, or virtual reality kits, to treat social anxiety or mental health rather than medication or talk sessions. Yes or no?
Becky Inkster
No, and now I’ll explain. Yeah, we have to tread very carefully with this type of discussion. That question just reminds me of when I was interviewed by a media outlet and they were talking about this hip hop therapy paper that we published, and the media wanted to use the headline “stop taking your medication and just listen to hip hop.” And we were horrified. We obviously didn’t let them go ahead with that headline. We didn’t acknowledge that we said that; we just completely parted ways. But abruptly stopping medication can have such serious consequences. So we’d have to steer away from people thinking that this one thing can really do it for us and nothing else really matters. Obviously there’s an increasing number of treatment options becoming available. But we have to remember that with mental health.
You can see this from a biological perspective, psychological perspective, or sociological perspective. All these different factors, each person’s needs are different, and their treatment plan or how they’re supported will differ as a result. While all these different treatments are emerging, they’re very exciting, gamification and all sorts of really interesting tech innovation. We just have to acknowledge that each option has its own important way of contributing, but we have to fit the right pieces for each person differently. I think the first point that I’d want to make is, medication is still a very important option for patients. They can benefit from this, those who choose to go down this route. Medication adherence has always been an issue in mental health. But we’re starting to see some tech innovation like digi-meds trying to help improve outcomes and adherence to medication, to help them feel better.
And within medicine, again, there are other emerging alternative drug industry trends. We’re still seeing psychedelic drugs in phase three trials to treat mental illness, and combining talk therapy with medication and leading to positive outcomes as well. I think that there’s still a lot of great work being done in that sort of space. Where I’m excited is the evolving concept of talk therapy. So making it more informal through talk sessions or chatting about your mental health while gaming with others can be very therapeutic and less prescriptive. It can open conversations with peers and really open dialogues about mental health, or how chatbots can just be there to listen while someone types or speaks a very intense expression about how they feel. So talk or chat therapy, I think it’s really evolving, but it shows a lot of promise there.
And an extension of that, an area that I’m interested in, is music therapy. I think that this is really gonna start to do great things when you combine it with technology, allowing people to express themselves in non-prescriptive ways. And yeah, a lot of interesting things, asking people how they feel, but more on their terms, it might make things a little bit more accessible, especially for hard to reach groups. We can’t always use prescriptive approaches or clinical approaches, because I think with things like even the dark web, people will want to be as far away from clinical spaces as possible so that they can seek support, if they were wanting to find a suicidal partner, for example. I just really think that people go where they want to go when they’re seeking support, and that we just have to make sure that all of these options are available and we try to keep people as safe as possible. Because we’ve seen this kind of surge in the supply and demand on the more wellbeing side of things, or the mild to moderate mental health side, it’s made me sort of curious about whether in coming years we might see a stronger push away from medical treatments, or attempts to blend and then taper medication, or reduce side effects and reduce medication in treatment plans, and then try to add other options into, kind of, the talk therapy, the physiological measurement. But yeah, that’s just one thing that I’m curious to see, how that space gets bigger and bigger, what happens.
Maria Palombini
So Becky touched on this in your introductory remarks: how much time, from a point of development and design, is being put towards cybersecurity and privacy risks? Do you find that developers have this at the top of their agenda, or is it more about ease of use for the patient, or extending the battery life, or making it more accessible, or that kind of thing? We see a lot more, you know, focus on human factors or on usability, but sometimes we feel like the attention is not so much on the cybersecurity and protection of data side. Do you find that this is much the same in digital health and in health technologies, or are you finding that more of the developers are focused on the privacy and protection side? Is that top of agenda? Point of view?
Becky Inkster
Yeah, I really wish I could say we were. But no, I think it’s exactly those issues that you said in healthcare more broadly. If anything, I’m a little bit worried that we are lagging behind a lot more in considering cybersecurity and privacy risks. Even when I work with mental health providers who have 10 plus years’ experience and a lot of data that needs protecting, there are still serious issues and concerns, because the threats and the attack surface are constantly evolving. But at the same time, I think the journey of that 10 plus year provider can be very beneficial for providers who are just starting that journey. I think it’s important to work with both extremes, especially those who are just starting the journey, because that’s exactly when we can start to build in a cybersecurity culture and really get them thinking about all the different issues in that space. And this whole privacy by design, or just really thinking about that from the beginning, gives us an opportunity to go from way behind to right at the forefront.
Maria Palombini
Absolutely. So I asked this of all my guests, because there’s always so much diversity in this answer. Many have argued that the regulators, the policymakers should do more to require the developers, the technologists for software and these connected health technologies to do more in building these security features from an either privacy by design perspective or just an engineering perspective. So my question to you is do you think that this is more like policy needs to stand up or require it? Do you think it’s more like a combination of everything? Like we need more standards, we need policy to set it up and we also need the industry to step up and come together and help address the problem, like where’s your perspective on this kind of thing?
Becky Inkster
My disappointing answer is that it’s everyone’s problem. But I will say again, as you’ve noticed, I’m really coming at this from a provider perspective, and I think providers are at the heart of it all. And they’re the ones that are on the front line; they’re facing the real issues, they’re making decisions. And yet in my field, a lot of these decisions or discoveries are not being captured and either fed up to the powers that be or, you know, embedded in various decision-making processes. So my answer to this is just that we have to start listening to providers more, because they’ve really got a lot to say that could help us with these issues. And then one group that wasn’t mentioned in the examples that you gave, especially for mental health, is the importance of lived experience. It’s extremely important, and in cybersecurity there’s research showing that there are increased mental health challenges and burnout. It might be very interesting to look at the dual expertise, experiential mental health and wellbeing knowledge as well as the professional knowledge, this crossover between cybersecurity experts and especially those who face mental health problems. I think that is also another really important source where we can learn a great deal about what’s working, what’s not, how do we roll this out. So those are two of my angles that I always like to think of, but of course it’s everyone’s problem.
Maria Palombini
What would you find or say is the most important call to action? Either for the healthcare professional, the hospitals facilities, the clinicians, or the engineers, or the policy makers or patients themselves, what’s the most important action you can impart to them to start mitigating this risk in the use of these technologies?
Becky Inkster
I don’t have an answer yet, but this is exactly the question that I want to ask at my summer conference. We’re going to be discussing that exact issue and trying to figure out how we rank the vulnerabilities and how we come up with decisive actions. So we’re very fortunate to have experts like Alyssa Knight who can really help us. The conference that I run is Digital Innovation in Mental Health, and normally it’s in the precincts of Westminster Abbey, but we’re obviously virtual at the moment. This is the main thing that I want to cover at the conference: how to make impact, especially from a cybersecurity perspective, but equally looking at the online child protection issues and balancing those together. So while I don’t have anything to say just yet, that is really what we’re trying to tackle in the coming months and at the summer conference. I’m hoping that people now are really appreciating the importance and the extra sensitive nature of mental health. We should have the highest standards and we should have the most support. So we’ve got to come from the back of the queue and get to the front somehow.
Maria Palombini
Excellent. So for everyone listening, just click to read the blog post and the link to this upcoming conference in August. IEEE SA is gonna also be participating in it, because this is an important initiative for our work here in the Healthcare and Life Sciences Practice. But for all of you who may want to attend, just get involved. Please take a look at that blog post for the link to the conference. Becky has shared with us many great concepts, and a lot of the different points are covered in different activities we have here in the IEEE SA Healthcare and Life Sciences Practice. We do virtual workshops, because we’re all virtual. We have incubator programs, we have standards development projects. As many of you may have heard from our previous episodes, we have a global connected healthcare cybersecurity virtual workshop, in which Becky did participate in our last one as a facilitator in one of our virtual breakout sessions. Those are the ones that are on demand from February, April, and June.
The live ones are going to be in September and November as a five-part series. So hopefully you can find out and join us in listening to those. Plus we have plenty of incubator programs around wearables and medical IoT, interoperability and intelligence, decentralized clinical trials, and obviously telehealth security, privacy, and accessibility for all. So we’re covering many different areas that Becky touched on at some point in our conversation. And if you want to learn about all of these activities, you can visit IEEESA.IO/CYBER2021, and we hope you come and check it out. And if you have an idea or want to get involved in any of these activities, the best way to do it is to express your interest and tell us, so that we can make sure you can bring your expertise and time to finding a solution for everyone. So with that, I want to thank Becky for joining this conversation today, and for your time. And with that, I want to wish everyone to continue to stay safe and well, until next time.
About the Host
Maria Palombini
Director, IEEE SA Healthcare & Life Sciences
As the leader of IEEE SA Healthcare & Life Sciences, Maria works with a global community of multi-disciplinary stakeholder volunteers who are committed to establishing trust and validation in tools and technologies that will change the approach from supply-driven to patient-driven quality of care for all. Her work advocates for a patient-centered healthcare system focused on targeted research, accurate diagnosis, and efficacious delivery of care to realize the promise of precision medicine.
IEEE does not endorse or financially support any of the products or services mentioned by or affiliated with our guest experts in this podcast.