Achieving proper security in industries like life sciences and healthcare, where web-based systems and internal networks are late in coming, may seem a daunting task. But it shouldn't be, writes Dr. Jeff R. Livingstone.
Over the past year, hacks on healthcare organizations have made for some significant headlines. But this recent surge of cybercrime is unsurprising. Advanced security services and protocols have difficulty making headway in industries like life sciences and healthcare where web-based systems and internal networks are late in coming. The rate of security adoption in these organizations lags in comparison to industries such as retail and finance.
The Unisys Security Index, which gauges the attitudes of consumers on a wide range of security-related issues, found that security concerns regarding identity theft and bankcard fraud top the list among consumers worldwide - even outpacing national security issues such as war and terrorism.
Fears about identity theft and card fraud affect all members of the life sciences and healthcare ecosystem, from pharmaceutical firms to medical device companies to hospital systems. Each of these players has access to tremendous amounts of personal health information. As such, from a member and patient perspective, robust security is not optional; it is a necessity.
The average pharmaceutical or biotechnology company tends to have very strong internal security around its R&D intellectual property. However, this information is often shared with external agencies such as contract research organizations (CROs). In many cases, the level of security within the CRO is not on par with that of the pharmaceutical company. For that reason, pharma and biotech firms need to ensure not only the security of their own internal systems, but must also carry out due diligence with the CROs they interact with to ensure that appropriate security is maintained in all places at all times.
Medical device manufacturers have also been slow to incorporate security and privacy protocols in their devices and operating systems. As recently as three years ago, privacy and security concerns were addressed during the last stage of product development phase-gate processes. Effectively, the device was designed in full, then tossed over the wall to the regulatory department to determine what rules the device should comply with. Security provisions and protections in the hardware and software subsequently were added to meet necessary standards and laws.
If security is not engineered into a device all through the development process, then adding it on the backend can require substantial retooling. It can also result in less than optimal security in operation and effect, since it was not an intrinsic part of the design from inception. The fact remains that a substantial subset of the medical devices used today are either unprotected or have less-than-optimal security provisions in place. As hospitals connect these devices to their networks, they are often unknowingly introducing vulnerabilities into their systems.
Unsecured medical devices are the Achilles’ heel for hospitals and healthcare systems. Globally, some 10 to 20 percent of medical devices in most hospitals are connected, and that number is growing rapidly. Unfortunately, as noted above, many connected devices older than two or three years have little to no device security. Even devices with protections are often not configured appropriately within the hospital network to actually ensure security.
Hackers are exploiting this vulnerability ruthlessly. Ransomware is costing hospitals millions, while stolen data is damaging hospital reputations and patient trust worldwide. Nor is that the only cost to hospitals: being hacked ultimately can generate millions of dollars in fines and penalties from regulators.
Achieving proper security may seem a daunting task, but it is not. A medical device management system that incorporates microsegmentation and data encryption addresses these security concerns in two ways: by supporting and enhancing the security inherent within each medical device (whether wearable or on-site), and by protecting connected devices that lack any security features of their own.
Such a system allows the creation of communities of interest within the hospital or healthcare organization so that only those people assigned to a community can access that data. Other personnel – and, most importantly, hackers – would be unable to “see” the device, and could not gain any visibility into the device or its data. As hospitals and healthcare organizations implement these types of robust protocols, they will retain consumer trust and prove to their constituents their personal data is safe and secure.
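To make the community-of-interest model above concrete, here is a small added illustration (not code from the article or from Unisys) of deny-by-default microsegmentation: devices and principals are tagged with communities, a principal only reaches a device when they share one, and devices outside a principal's communities are not even enumerable. All device, user and community names are constructed placeholders.

```python
# Added example (not from the article): a minimal model of community-of-interest
# microsegmentation for connected medical devices. Device names, user names and
# community labels are constructed placeholders.

DENY = "deny"
ALLOW = "allow"

# Each device is tagged with the communities of interest allowed to reach it.
# "native_security" records whether the device has protections of its own;
# the overlay policy applies regardless, so legacy devices are covered too.
DEVICES = {
    "infusion-pump-07":   {"communities": {"icu-clinical"}, "native_security": False},
    "mri-console-02":     {"communities": {"radiology", "biomed-eng"}, "native_security": True},
    "patient-monitor-31": {"communities": {"icu-clinical", "biomed-eng"}, "native_security": False},
}

# Each principal (person or host) is assigned zero or more communities.
PRINCIPALS = {
    "nurse.icu":     {"icu-clinical"},
    "tech.biomed":   {"biomed-eng"},
    "guest-laptop":  set(),          # unassigned: no membership at all
    "billing.clerk": {"billing"},    # assigned, but to an unrelated community
}

def decide(principal, device):
    """Deny by default: allow only when principal and device share a community."""
    groups = PRINCIPALS.get(principal, set())
    target = DEVICES.get(device)
    if target is None or not groups:
        return DENY
    return ALLOW if groups & target["communities"] else DENY

def visible_devices(principal):
    """Devices a principal can even enumerate; the rest are invisible, not merely blocked."""
    return sorted(d for d in DEVICES if decide(principal, d) == ALLOW)

def unprotected_but_covered():
    """Legacy devices with no native security that the overlay policy still gates."""
    return sorted(d for d, meta in DEVICES.items() if not meta["native_security"])

if __name__ == "__main__":
    for p in PRINCIPALS:
        print(f"{p:14} sees {visible_devices(p)}")
    print("no native security, overlay-protected:", unprotected_but_covered())
```

The point to take from the run is that the unassigned host and the unrelated community see an empty device list, and the two devices with no security of their own are still gated by the same rule.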
Looking to the future, healthcare security will likely become more complex. Consumers are taking significantly greater control of their healthcare today than they did a generation ago. In the future, the patient will largely define the rules and control access to their own data. Life sciences and healthcare organizations need leading-edge security today to prepare for this even more complex role of security tomorrow.
Jeff R. Livingstone, Ph.D. (jeff.livingstone@unisys.com) is the vice president and global head, Life Sciences and Healthcare, for Unisys.