CYBER SECURITY and DIGITAL HEALTH

Cybersecurity in digital health refers to the protection of sensitive information, such as personal health information (PHI), stored and transmitted through digital technology in the healthcare industry. With the increasing adoption of digital health technology, such as electronic health records (EHRs), telemedicine, and wearable devices, the amount of PHI being stored and transmitted electronically has grown significantly.

The current state of digital health technology has brought many benefits to the healthcare industry, such as improved patient care and efficient data sharing between healthcare providers. However, it has also introduced new risks, such as data breaches, hacking, and unauthorized access to PHI. These risks can lead to serious consequences, including identity theft and harm to an individual’s reputation and well-being.

There are also concerns about the security of medical devices connected to the internet, known as the Internet of Medical Things (IoMT), which can be vulnerable to cyber-attacks and can put patient safety at risk if not properly secured.

Although digital health technology has brought many benefits to the healthcare industry, it has also introduced new risks and challenges for protecting sensitive information. Cybersecurity in digital health aims to ensure the confidentiality, integrity, and availability of PHI and other sensitive information stored and transmitted through digital technology in the healthcare industry.

History of Digital Health

The development of digital health technology has been ongoing for several decades, with early examples dating back to the 1970s with the introduction of electronic health records (EHRs) and computerized physician order entry (CPOE) systems. The widespread adoption of digital health technology, such as EHRs, telemedicine, and wearable devices, has been accelerated in recent years with the advancement of technology and the need for efficient and cost-effective healthcare delivery.

Concerns about cybersecurity in digital health have also been present since the early days of digital health technology. In the past, concerns were primarily focused on the security of data stored in EHRs and CPOE systems, as well as the potential for unauthorized access to PHI. However, with the increasing adoption of digital health technology and the growing number of connected devices, the scope and complexity of cyber security risks have grown significantly.

Laws pertaining to Cyber Security in Digital Health

There are several laws and regulations that pertain to cybersecurity in digital health. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets standards for protecting the privacy and security of PHI. The HIPAA Security Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic PHI. Additionally, the Food and Drug Administration (FDA) has issued guidance on the cybersecurity of medical devices. In Europe, the General Data Protection Regulation (GDPR) covers the protection of personal data, including PHI, and applies to organizations that handle personal data of EU residents, regardless of where the organization is located. The GDPR requires organizations to implement appropriate technical and organizational measures to protect personal data from unauthorized access and data breaches.

Types of cyber threats

There are several specific types of cyber threats that target digital health systems. Some examples include:

1. Ransomware: This type of threat involves malware that encrypts data and demands a ransom payment in exchange for the decryption key. Ransomware attacks can cause significant disruption to healthcare delivery, as well as compromise the confidentiality, integrity, and availability of PHI.

2. Phishing: This type of threat involves the use of email or other forms of communication to trick individuals into providing sensitive information or clicking on a malicious link. Phishing can lead to the compromise of login credentials, as well as the spread of malware.

3. Insider threats: This type of threat involves individuals with authorized access to digital health systems who use that access to steal or corrupt data. Insider threats can lead to the loss of PHI, as well as the disruption of healthcare delivery.

4. Medical device hacking: This type of threat targets medical devices that are connected to the internet and can be vulnerable to cyber-attacks. It can lead to serious consequences such as the manipulation of device settings, unauthorized access to device data, and disruption of the device's intended operation.

5. Advanced Persistent Threats (APTs): This type of threat involves the use of sophisticated methods to gain and maintain unauthorized access to digital health systems over an extended period. APTs can lead to the exfiltration of large amounts of PHI, as well as the disruption of healthcare delivery.

The potential consequences of these threats can be severe, including the loss of PHI, identity theft, harm to an individual’s reputation, and the disruption of healthcare delivery. Data breaches can also result in significant financial losses, as well as damage to an organization’s reputation. Additionally, medical device hacking can put patient safety at risk. Cybersecurity threats to digital health systems are a growing concern, and organizations need to be vigilant in their efforts to protect against them.

There have been several high-profile incidents of cyber threats to digital health systems in recent years. Some examples include:

1. The WannaCry ransomware attack in May 2017: This attack affected over 200,000 computers in 150 countries, including several hospitals in the UK. The attack caused widespread disruption to healthcare delivery, as well as the compromise of PHI.

2. The Anthem data breach in February 2015: This breach exposed the personal information, including Social Security numbers, of 78.8 million individuals. Anthem, one of the largest health insurance companies in the US, was targeted by cyber attackers who gained unauthorized access to its IT systems.

3. The UCLA Health System data breach in July 2015: This breach exposed the personal information of 4.5 million individuals, including names, addresses, dates of birth, and Social Security numbers. The attack was a result of a phishing email sent to an employee of UCLA Health System, which resulted in the compromise of login credentials.

4. The Medtronic insulin pumps hack: In 2017, the FDA issued a warning about the potential hacking of Medtronic insulin pumps, which could be used to change the dosage of insulin delivered to patients.

5. The Blackbaud data breach in 2020: A cyber-attack on the software company Blackbaud exposed the personal information of millions of individuals, including patients and donors of healthcare organizations. The attack resulted in the compromise of PHI, including Social Security numbers, addresses, and financial information.

These examples demonstrate the various ways in which digital health systems can be targeted by cyber threats, and the potential consequences of these threats. These are just a few examples, and many more similar cases happen daily around the world. They highlight how important it is for organizations in the healthcare industry to be vigilant in their efforts to protect against cyber threats and to comply with laws and regulations regarding the protection of PHI.

Current challenges and future perspectives

Measures that healthcare organizations can take to protect against cyber threats.

There are a variety of measures that healthcare organizations can take to protect against cyber threats, including:

Regular software updates: Keeping all software, including operating systems, applications, and security tools, up-to-date can help patch known vulnerabilities and prevent hackers from exploiting them.

Firewalls: Firewalls can help protect against unauthorized access to a network by controlling incoming and outgoing traffic based on a set of rules.

Intrusion detection systems: These systems can help detect and alert organizations to suspicious activity on their networks.

Employee training: Regularly training employees on cybersecurity best practices, such as how to spot phishing emails, can help reduce the risk of a successful attack.

Two-factor authentication: Use two-factor authentication to protect sensitive data and systems, such as EHRs, by requiring an additional form of identification, such as a fingerprint or a one-time code sent via text message.

Encryption: Encrypting sensitive data, both at rest and in transit, can help protect it from unauthorized access in the event of a security breach.

Regularly testing and monitoring: Regularly testing and monitoring networks, systems, and applications for vulnerabilities can help identify and address potential security issues.

Risk Management: Health care organizations should have a risk management plan in place to identify, evaluate and mitigate potential risks.

Incident Response Plan: Having a clear incident response plan in place in case of a security breach can help minimize damage and get operations back to normal as quickly as possible.

FUTURE DEVELOPMENTS

There are several potential developments in digital health technology that could have an impact on cyber security. The increasing use of artificial intelligence (AI) in healthcare could lead to new vulnerabilities in medical devices and systems. As AI becomes more integrated into healthcare technology, it may become a target for cyberattacks. The Internet of Things (IoT) is being increasingly used in healthcare, and this could also lead to new security risks. As more medical devices and equipment become connected to the internet, they may become vulnerable to hacking and other cyber threats. The use of telemedicine and remote monitoring systems is also increasing, which could lead to new security risks. As these systems become more prevalent, they may become a target for cybercriminals looking to access sensitive patient information. The use of blockchain technology in healthcare could help to improve security and privacy, but it also presents new challenges. As more medical data is stored on blockchain platforms, it becomes increasingly important to ensure that these platforms are secure and protected from cyberattacks.

Conclusion:

It is likely that cybersecurity will continue to be a major concern for healthcare organizations in the future. As the healthcare sector becomes increasingly digitized, the number and complexity of cybersecurity threats are likely to increase. Maintaining strong cybersecurity in healthcare is critical for protecting patient privacy, maintaining the organization’s reputation, preventing financial losses, protecting patient safety, and complying with legal requirements.
