How risky is technology when it comes to your health data?

The Covid-19 pandemic has certainly accelerated the practice of telemedicine worldwide. In countries where medical associations were fighting to bar remote patient care based on the dangers of incomplete clinical diagnosis, the need for social distance and the fear attending clinics and hospitals were the last straw to bring down that barrier.

This movement has quickly consolidated some basic technological tools, such as electronic medicine and exams prescriptions – validated by digital certificates and a wide connection with pharmaceutical and laboratory systems –, and the remote collection of physiological data, by means of several types of devices, including fitness wearables.

The latter, by the way, is growing fast. A Pew Research Center survey conducted in 2020 indicated that nearly 21% of Americans use a smartwatch or specific fitness device. It is a global market with a CAGR of 15.4% estimated by Fortune Business Insights to reach USD 114 billion by 2028.

In recent months, medical specialists who used to talk to their patients by phone and electronic messaging tools have been able to benefit from vital data collection and video call systems and start billing the consultation as if it were face-to-face, differentiating their live service from those performed by audio, text, or with a unilateral push of images and videos.

Unusual technology applications exemplify that there are no limits to the practical use of sensors, cameras, and different processing models to carry out diagnoses. Researchers at Duke University in the US, for example, have developed an AI system attached to the plumbing of toilets to identify gastrointestinal problems. When you flush the toilet, the system photographs the contents and sends the images to a remote analysis system, which can identify acute or chronic problems in the digestive system.

From a technological perspective, there are numerous advantages to remotely monitoring the physical conditions of patients with chronic diseases, including the use of AI to make predictions about the evolution of critical states, infections proliferation, and the spread of diseases. In addition, data collected from healthy patients also helps in studying the behaviour of viruses and bacteria, analysing the potential of vaccines, creating new drugs, scheduling diets, and physical training. Even digital twins, first developed during the Apollo 13 programme and widely disseminated in the manufacturing industry, are already a reality in healthcare settings.

Privacy is an issue

The issue that now presents itself, however, is that when it comes time to see a doctor, patients generally don’t think twice before sharing their vital data, images, videos and whatever else is needed to close a diagnosis and assess an appropriate treatment. However, when having to share this same private information with an institution, the doubts start to appear.

The collection devices, their transmission systems and the reception and storage endpoints need to have security layers that prevent data leakage, invasions and, worse, remote control of these devices.

The cases involving hacking pipelines, water distribution and power systems that we have witnessed in recent months can give an idea of the potential of destruction that something like this would cause to a network of monitored patients who rely on electronic devices to measure heart rate, temperature, oxygenation and even determine medication dosages.

According to Forbes, a patient’s electronic medical record could be worth a few hundred or even thousands of dollars on the black market. This collection of personal information can contain a person’s entire medical history, from their visits to specialists and test results to all demographic, professional, and banking data that can cause immeasurable damage to the patient if falling into the wrong hands even their family. The theft of a credit card number can be mitigated by canceling the card, the theft of an identification number can be fixed by issuing a new document, but possession of a person’s vital data can cause far more permanent damage.

In 2018 Under Armour disclosed that it had suffered a hack, which exposed the data of 150 million users of the app MyFitnessPal. In the same year, another hack exposed information collected by fitness app Strava, which revealed the location of US military personnel on secret bases. A report by Bitglass indicates that health data breaches in the US rose by 55% in 2020, and the cost per stolen record rose by 16.3%. Also according to the dossier, it can take an average of 236 days for a company to recover after such security breaches. The lack of care is widespread and the list of leaks we know about is small compared to the many others that remain unknown.

How to increase security?

The security of operational technologies can be compromised by several factors, including the devices’ lifespan, the existence of proprietary embedded software without updating mechanisms, the evolution of network protocols, and even the possibility of re-engineering. In particular, some widespread medical devices have vulnerabilities intrinsic to their construction, such as remotely controlled infusion and insulin pumps, and implantable cardiac devices such as pacemakers.

Therefore, security management needs to be aware and implement one or more frameworks among some already widely published and validated, such as the NIST Cyber Security Framework, ISO 27000, EU Cybersecurity Act, or the Controls recommended by the Center for Internet Security.

The CIS Controls framework in its version 8 involves 18 items that give us a good idea of what needs to be covered in a healthy strategy:

1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email Web Browser and Protections
10. Malware Defenses
11. Data Recovery
12. Network Infrastructure Management
13. Network Monitoring and Defense
14. Security Awareness and Skills Training
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing

According to HIPAA and other regulations such as GDPR, hospital environments, medical clinics, laboratories, the pharmaceutical industry and also all companies that provide services and sell electronic products in this market need to have these frameworks implemented to ensure minimum security, not only for their devices, but mainly to protect patients’ personal data.

Technological evolution and miniaturisation nowadays even allow monitoring chips to be installed inside patients’ bodies, some even being able to draw energy from the body itself, without the need for batteries. This may soon become commonplace, giving way to micro-robots performing autonomous work to help the body get rid of diseases. And the risks of exposure will get higher and higher.

Many researchers attest that any healthcare equipment can be hacked. Reality shows that the list of healthcare providers hit by hackers keeps growing. But while science fiction is full of stories of manipulating medical devices to cause personal harm, we have yet to experience this in real life. This is not to say that it’s impossible. That’s why it’s important to have a system in place for continuous monitoring and vulnerability detection, with pre-programmed response activities so that they are executed quickly, protecting the data and lives of the patients involved.

The broad benefits brought by the use of technology in healthcare, especially those of remote use, can overcome the risks to privacy and the fear of exposure to diseases in clinical and hospital environments. Even if sometimes the severity of the situation does not allow for a detailed choice of provider, equipment or even a doctor, we need to be confident that the industry is protecting our data as well as our lives.