On the dark web, health records are worth literally forty to fifty times more than credit card data. While you may be able to change your social security or fiscal identity number with a significant amount of effort, or cancel your credit cards, you cannot change the genetic data, health conditions, and biometric data stored in your health record. Your genetic and health data is immutable. Once it is compromised or breached, you bear lifelong consequences.
Because every point in the healthcare journey – wearables, electronic health records, telehealth experiences, mobile health apps, and more – is vulnerable to being hacked, security remains the highest priority in expanding the use of connected health.
The majority of connected devices are designed to remotely monitor patient behaviors, therapeutic responses, and/or disease progression. These devices hold stockpiles of sensitive and highly valuable patient data, creating significant levels of vulnerability from source (device) through to consumption (healthcare ecosystem). In a highly secure and validated environment, this data is a treasure trove that can be applied towards clinical research study design and patient recruitment, accurate diagnosis, or even precision medicine.
To transform this device data to a more utilitarian role, the data needs to be validated. Data validation requires many complex elements, including security. We must eliminate the question of whether data was breached – at source (device), the communication highway, or in storage.
The Challenge of Security in Connected Health Explained
During the connected health experience, multiple systems and platforms work together to generate, exchange, collect and store patient health data. A device generates the data and transmits it to another device; the data is then distributed to potentially more than one receiver (a data aggregator and/or data consumer) and stored in a repository. Along this journey, various communication highways are used, with a different level of security at each endpoint and multiple layers of security vulnerabilities throughout the process.
The explosive growth of health wearables, IoMTs, biosensors, and others came at a high price: deprioritizing the security of the device perimeter and the patient data journey. These devices focus on fast, real-time, autonomous, and “as close to accurate” monitoring. When someone purchases a consumer wellness or health wearable or their doctor prescribes a clinical monitoring wearable, the main questions typically include “How accurate is the device?” and “Will it give the information I need?” Security and privacy are not top of mind.
However, as the healthcare industry expands – regardless of whether it is called mobile health, connected health, or telehealth – the need to protect the privacy of the patient and validate the data will become more pertinent to the conversation. If the security of the data is in question, providers will not have confidence in the verification or validation of the data for the next step, especially in terms of clinical interventions.
Moving Towards Secure Connected Health with Standards
The answer to securing connected health does not lie in a single technology, application, or regulatory policy. In the world of healthcare, there is a focus on both prevention (stopping cyber attacks) and treatments (eliminating symptoms and impact). While cybersecurity focuses on prevention, currently available tools can minimize or eliminate the impact of a data breach. The first step is to look at what tools we have today to address the problem, even if they only address a portion of it. Next, we must consider where technical and/or data standards, developed with consensus, can help the industry accept and adopt the solution on a global scale.
Take an example of current potential treatments to minimize the impact of connected health data breaches. AI (artificial intelligence) can consume billions of data points to recognize threats 50 to 60 times faster than any researcher. Combined with deep learning technologies, such as machine learning, AI may even predict the threat risk before it happens.
At the same time, blockchain/distributed ledger technologies (DLTs) allow data to be collected from various sources and encrypt hashes of the data in a transaction audit log. This enables accountability and transparency of data at the time of data exchange. The consensus of replicated, shared, and synchronized digital data distributed across the chain offers immutable verification of the data's chronological stamp.
In both tools, there is a capability to immediately identify the breach, minimize the impact and identify the source of the breach. The next logical step would be to bring the technologists and key industry stakeholders together to openly collaborate and evaluate what is impeding wider adoption of these tools and what the potential solution may be. By asking these types of questions, the process can begin to determine whether a new standard may present a solution that is both seamless and trusted by the end user (i.e., patients, clinicians, etc.).
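The hash-in-an-audit-log idea from the distributed ledger paragraph above, as an added example that is not from the original article or from any IEEE standard: a single local hash chain over device readings, showing how a changed record and a rewritten log entry are each detected. It assumes SHA-256 over canonical JSON and leaves out the replication, consensus and encryption a real DLT adds; the device name, fields and function names are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # stand-in "previous hash" for the first entry

def digest(obj):
    """SHA-256 over a canonical JSON encoding (sorted keys, fixed separators)."""
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_reading(log, reading):
    """Log only the hash of a reading, chained to the previous entry."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    body = {"seq": len(log), "prev_hash": prev, "data_hash": digest(reading)}
    log.append({**body, "entry_hash": digest(body)})

def first_broken_entry(log):
    """Index of the first entry whose chain link fails, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: entry[k] for k in ("seq", "prev_hash", "data_hash")}
        if (entry["seq"] != i or entry["prev_hash"] != prev
                or entry["entry_hash"] != digest(body)):
            return i
        prev = entry["entry_hash"]
    return None

def altered_readings(log, stored):
    """Indices of stored readings that no longer match their logged hash."""
    return [i for i, r in enumerate(stored)
            if i >= len(log) or digest(r) != log[i]["data_hash"]]

def demo():
    # Constructed sample readings; device ID, fields and timestamps are made up.
    stored = [
        {"device": "wearable-01", "ts": "2021-02-24T10:00:00Z", "heart_rate": 72},
        {"device": "wearable-01", "ts": "2021-02-24T10:01:00Z", "heart_rate": 75},
        {"device": "wearable-01", "ts": "2021-02-24T10:02:00Z", "heart_rate": 74},
    ]
    log = []
    for reading in stored:
        append_reading(log, reading)
    clean = (first_broken_entry(log), altered_readings(log, stored))
    stored[1]["heart_rate"] = 140             # record changed in the repository
    changed = altered_readings(log, stored)   # data no longer matches the log
    log[1]["data_hash"] = digest(stored[1])   # log edited to hide the change
    return clean, changed, first_broken_entry(log)

if __name__ == "__main__":
    print(demo())
```

Because each entry commits to the one before it, rewriting an entry and recomputing its own hash only moves the break to the next entry; replicating the log across independent parties is what stops someone from recomputing the whole chain.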
Various standards projects and published standards address securing various elements of connected medical devices throughout the healthcare experience.
To name a few:
- IEEE P2933™ Standard for Clinical Internet of Things (IoT) Data and Device Interoperability with TIPPSS
- IEEE 11073-40101™-2020 – IEEE Standard – Health informatics–Device Interoperability Part 40101: Foundational–Cybersecurity–Processes for Vulnerability Assessment
- IEEE P2418.6™ – Standard for the Framework of Distributed Ledger Technology (DLT) Use in Healthcare and the Life and Social Sciences
Standards aim to solve challenges in adoption and trust of technologies and applications. This happens by building consensus among the stakeholders who will be impacted by the adoption of the standard. Standards developed in an open and neutral environment provide credibility to the end-users – clinicians and patients – in the use of the technology while creating a springboard for innovation.
If the vulnerabilities in these devices and the overall connected healthcare ecosystem continue to increase, then how do we imagine the future of mobilized care where the need for a seamless, connected, secure and private bioinformatics highway is required? By developing standards, we can open doors to innovation by overcoming roadblocks at the foundation.
Cybersecurity for Connected Healthcare: A Global Challenge – Where and How Do We Start?
To make actionable improvements, we need a diverse and progressive group of global experts in clinical and healthcare systems, medical device manufacturers, data aggregators, technologists, patient advocates, and regulators. The IEEE SA Healthcare & Life Science Practice, in collaboration with the Northeast Big Data Innovation Hub, is hosting the Global Connected Healthcare Cybersecurity Virtual Workshop Series to bring these experts together and accelerate the knowledge sharing and idea maturation for much-needed solutions. The 2021 series of virtual workshops will be interactive with a focus on creating actionable outcomes, such as gap assessments and identification of the needs for additional standards.
- Workshop 1 (24 February 2021): Global Connected Healthcare Cybersecurity Risks and Roadmap – Attendees will identify the most important threat vectors, how they are changing, and the technology, policy, and process recommendations to address them.
- Workshop 2 (28 April 2021): Privacy, Ethics & Trust in Connected Healthcare – This workshop brings together stakeholders from the research, business, manufacturers, healthcare providers, regulators, and payors involved in the design and development of connected health and IoT based systems.
- Workshop 3 (16 June 2021): Data & Device Identity, Validation & Interoperability in Connected Healthcare – The workshop focuses on Interoperability and Validation of Patient Data, patients, providers, patient advocates, devices, processes.
- Workshop 4 (22 September 2021): Connected Healthcare Integrated Systems Design – The goal of this session is to develop clear approaches and standards for safe and secure interoperability of devices and data at an integrated system design level.
- Workshop 5 (17 November 2021): Connected Healthcare Technology and Policy Considerations – Participants discuss the use of clinical IoTs in patient care, such as ethics, confidentiality, privacy of patient data, and interoperability/validation of patient data.
If you are interested in attending one or all of the upcoming live workshops, check out the Global Connected Healthcare Cybersecurity Virtual Workshop Series webpage for more information on speakers and free registration details. If you want more on this topic, tune in for Season 2 of the Re-Think Health Podcast Series, Cybersecurity for Connected Healthcare Ecosystems: A Global Perspective, which airs in May 2021. Join the interest list to stay up to date on our latest podcasts and related activities.
About the IEEE SA Healthcare and Life Sciences Practice
The IEEE Standards Association (IEEE SA) Healthcare & Life Science Practice is a global platform of excellence bringing together committed volunteer stakeholders to evaluate, validate, and develop solutions for establishing trust in new technology applications to improve societal outcomes. The practice is focused on three main priority areas – clinical health, bio/pharmaceutical, and global wellness – designed to address the obstacles throughout the health wellness value chain to enable access to a universal level of care, safety and privacy, quality nutrition, and overall wellness for all.