Kevin Curran, IEEE senior member and professor of cyber security at Ulster University, discusses the delivery of an effective cyber security strategy within healthcare
Just a few months ago, the UK Government announced a new NHS England app that will enable patients to book appointments directly with their General Practitioners (GPs), order repeat prescriptions and view their own personal medical files. Most healthcare organisations have been trying to digitise their services for years in order to reduce the administrative workload and improve overall patient care. The benefits of such a move are plain to see, with the internet of things (IoT) being able to influence several areas including clinical operations, in-patient monitoring, medication management and workflow management.
Whilst this is a step in the right direction, moving health records online will of course raise some concerns, as it’s not uncommon for phones to be taken or lost. Some people might, therefore, be able to gain access to sensitive information from within the app. However, the main concern here is the back-end system which provides the application programming interface, or data, to the outside world. Any systems which provide externally facing data must be bulletproof in their authentication mechanisms and have a myriad of protections in place to limit the security risks of web-based applications.
Going forward, there are a number of cyber security challenges that the healthcare sector needs to overcome as part of its digital transformation plan, the most obvious being the sheer size and diversity of its ecosystem. A vast number and variety of devices – computers, tablets, MRI scanners, heart-rate monitors, even staff’s own personal devices – all of which will have access to the network, will need to be connected to a central server. Having such a large array of devices connected to the network will mean that there will be countless internet connected endpoints in each hospital. Without complete network visibility, each endpoint could be exploited by cyber criminals.
IT departments also realise that no system is foolproof. The cyber security skills gap is well publicised, and more education is needed. Employees continue to open suspicious emails or weblinks, exposing organisations to a whole range of threats. The healthcare system is no different, and IT teams will need to address this if the sector is to continue with its digital transformation plan. Cyber security skills will need to be added to any initial training programs, especially given the rise in ransomware attacks on healthcare organisations recently. If employees are still using default or weak passwords and clicking links in phishing emails, digital transformation will only leave the healthcare system more exposed.
Whilst data transformation offers obvious benefits, it is not without its risks. The move to an online app does seem like a natural progression; however, there is a difference between having computerised records within our healthcare IT infrastructure and having those records reside on a public facing server. Having records in-house limits the range and type of access. Whilst there are still breaches, it’s far more difficult for remote hackers.
Put simply, unprotected databases are very easy to find. There are techniques that healthcare organisations can use to reduce the risk of future data breaches. One way is to make it ‘opt in’, so patients have the choice to decide whether their medical information is moved to a public facing service so that they can access it. However, those who do not opt in, or who do not download and use the app, should by default have their records hosted in a non-public-facing cloud service. This way, if a data breach does occur, those who never used the app, or did not want to, will not have had their details released.
That being said, developing a secure and robust web application is incredibly hard. Whilst developers are aware of secure coding, they need to understand how to encrypt databases, or prevent SQL injection attacks, and even be aware of third-party library vulnerabilities. Teams need to ensure passwords are hashed, while implementing multi-factor authentication, and that no resources are enumerable in the public Application Programming Interface (API). Developers need to complete client-side input validation, know how to configure cloud services, and use HTTP Strict Transport Security (HSTS) or Intrusion Detection Systems (IDSs) to restrict ports and ensure minimal access privileges. After all, hackers only need to find one flaw which grants them access. Healthcare systems administrators must ensure every known vulnerability is patched.
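As an added illustration (not code from the article or from any NHS system), the sketch below combines the opt-in idea from the previous paragraph with three of the controls listed here: salted password hashing, parameterised queries against SQL injection, and random, non-enumerable record references in the public API. The table layout, function names and sample patients are assumptions constructed for the example.

```python
import hashlib, hmac, secrets, sqlite3

def hash_password(password, salt=None):
    """Return (salt, scrypt digest); a fresh random salt per user."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

def build_demo_db():
    """Constructed sample data: one opted-in and one opted-out patient."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE patients (
        id INTEGER PRIMARY KEY,          -- internal only, never exposed
        public_ref TEXT UNIQUE NOT NULL, -- random, non-enumerable API handle
        opted_in INTEGER NOT NULL,
        salt BLOB NOT NULL, pw_hash BLOB NOT NULL,
        summary TEXT NOT NULL)""")
    refs = {}
    for name, opted_in, pw in [("alice", 1, "correct horse battery"),
                               ("bob", 0, "another long passphrase")]:
        ref = secrets.token_urlsafe(16)  # 128 bits of randomness
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO patients (public_ref, opted_in, salt, pw_hash, summary)"
                     " VALUES (?, ?, ?, ?, ?)",
                     (ref, opted_in, salt, digest, f"record for {name}"))
        refs[name] = ref
    return conn, refs

def fetch_record(conn, public_ref, password):
    """Return the summary only for an opted-in patient with a valid password."""
    # Parameterised query: public_ref is bound as data, never spliced into SQL.
    row = conn.execute(
        "SELECT salt, pw_hash, summary FROM patients"
        " WHERE public_ref = ? AND opted_in = 1", (public_ref,)).fetchone()
    if row is None:
        return None  # same answer for unknown, opted-out, or malformed refs
    salt, stored, summary = row
    _, candidate = hash_password(password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    return summary if hmac.compare_digest(candidate, stored) else None

if __name__ == "__main__":
    conn, refs = build_demo_db()
    print(fetch_record(conn, refs["alice"], "correct horse battery"))
    print(fetch_record(conn, refs["bob"], "another long passphrase"))
    print(fetch_record(conn, "' OR '1'='1", "x"))
```

Because the public service filters on `opted_in = 1`, a patient who never opted in is unreachable through it even with the correct reference and password, and a guessed sequential identifier or an injection string gets the same empty answer as any unknown reference.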
Another option is to use a form of Fully Homomorphic Encryption, which supports computations over data in encrypted form, including Searchable Encryption (SSE). However, Fully Homomorphic Encryption remains some way off. In a cloud environment, cryptography is typically utilised for two purposes – security while data is at rest, and security while data is in transit. Unfortunately, this does not guarantee the security of data during processing as the current limitations of cryptography prevent data from being processed in encrypted form. Given the fact that data is processed in unencrypted form, it is quite common for attackers to target data in use, rather than targeting data which is encrypted during storage and transit. That is where modern techniques such as Fully Homomorphic Encryption or Searchable Encryption could be considered.
Of course, the teams involved in this transformation will be aiming to deliver a secure and reliable service, of that there can be no question. However, the cyber security strategy will need to be extensive. Penetration testing is common for probing systems, but unfortunately not all threats can be identified. Given the size of the system and the sheer quantity of public and confidential data involved, everything will need to be considered including all vulnerabilities and all potential threats.