Healthcare technology has seen a significant evolution in recent years. The rise of machine learning and other forms of artificial intelligence is transforming how we diagnose and treat disease. Telemedicine networks connect patients to doctors and specialists across the country, and nanomedicine has the potential to revolutionize treatments for cancer, diabetes, and many other conditions. However, these new technologies bring new security risks that organizations must address to protect patient data and maintain compliance with privacy regulations.
Organizations must sufficiently prepare for the new wave of technology to avoid security risks.
Third-party risk is of growing concern to healthcare organizations, and even more so when they consider adopting new or cutting-edge technology. Before adopting a technology, an organization should seek to understand the risk its use poses to patients, staff, and the business. This includes learning from the manufacturer what safeguards it put in place during the design, development, manufacture, deployment, and ongoing operation of the technology to protect the confidentiality, integrity, and availability of the information it processes, as well as the physical safety of users and others exposed to it. Depending on the level of risk, including the potential impact, organizations might also require that the manufacturer produce reports of independent testing of the technology or, better still, allow the organization to test it independently.
As the speed and scale of positive impact increases with new technology, so does the potential harm.
Healthcare Information Security recently covered a new threat brief from The Department of Health and Human Services’ Health Sector Cybersecurity Coordinating Center regarding the security risks of some of the most promising emerging technologies impacting healthcare, and they allowed me to contribute my thoughts on the threat brief. On the list of emerging technology, HHS HC3 included artificial intelligence, 5G cellular, nanomedicine, smart hospitals, and quantum computing and cryptography.
Since the invention of the club, all technology can be used for good or evil. Today’s technology is no different, except the speed and scale of potential harm are generally increasing. We are particularly concerned whenever technology is used in such a way that a vulnerability within that technology may ultimately result in loss of life. All the technologies listed in the HHS HC3 threat brief potentially fall into that category.
In terms of scale and potential financial impact, quantum computing is particularly troublesome, and I think of it like the Y2K bug, except worse. For Y2K, we had to look at all our applications to ensure that each program accounted for years beyond 1999 and, if not, remediate it before January 1, 2000. With quantum, it may be much worse. Imagine a race to identify and replace every cryptographic algorithm in use in systems across the globe before attackers can exploit them with a sufficiently large quantum computer; the public-key algorithms that protect nearly all of today's encrypted traffic and digital signatures (RSA, Diffie-Hellman, and elliptic-curve schemes) are the ones at stake. Organizations struggle today to keep up with updates to their encryption protocols, let alone find and replace all of them. Of course, this also assumes that the replacement algorithms, existing or new, will actually hold up against the threat.
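To make the "find them" step of that race concrete, the script below is an added example (my illustration, not part of the original post or the HC3 brief) of a cryptographic inventory pass: it classifies each algorithm a scanner reports per asset as quantum-broken (Shor), merely weakened (Grover), or post-quantum, and then ranks assets by how long their data must stay confidential. The asset names, the inventory records, and the ten-year "long-lived data" threshold are constructed for illustration and are not real hosts or an established policy number.

```python
import re
from dataclasses import dataclass

# Public-key families a large, fault-tolerant quantum computer running Shor's
# algorithm would break outright: RSA, finite-field DH/DSA and all elliptic-curve
# schemes. A bigger key does not help here; these need replacement, not upgrading.
SHOR_BROKEN = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA",
               "ED25519", "ED448", "X25519", "X448"}

# Tokens naming NIST's post-quantum standards (ML-KEM, FIPS 203; ML-DSA, FIPS 204;
# SLH-DSA, FIPS 205) or their pre-standard names; hybrid suites carry them in the name.
PQ_TOKENS = ("MLKEM", "ML-KEM", "KYBER", "MLDSA", "ML-DSA", "DILITHIUM",
             "SLHDSA", "SLH-DSA", "SPHINCS")

# Grover's algorithm roughly halves the effective strength of symmetric keys and
# hash digests, so 256 bits is the floor used here for keys and digests.
SYMMETRIC_FLOOR_BITS = 256

# Assumed policy threshold for this example: data that must stay confidential at
# least this long is exposed to "harvest now, decrypt later" and gets top priority.
LONG_LIVED_YEARS = 10

# Constructed sample inventory, shaped like what a TLS/SSH config scanner might emit.
SAMPLE_INVENTORY = [
    {"asset": "ehr-web-01", "kex": "ECDHE-P256", "auth": "RSA-2048",
     "cipher": "AES-128-GCM", "hash": "SHA-256", "data_lifetime_years": 25},
    {"asset": "pacs-gw-02", "kex": "DHE-2048", "auth": "RSA-4096",
     "cipher": "AES-256-GCM", "hash": "SHA-384", "data_lifetime_years": 20},
    {"asset": "api-edge-03", "kex": "X25519MLKEM768", "auth": "ECDSA-P256",
     "cipher": "AES-256-GCM", "hash": "SHA-384", "data_lifetime_years": 2},
    {"asset": "kiosk-04", "kex": "X25519MLKEM768", "auth": "ML-DSA-65",
     "cipher": "AES-128-GCM", "hash": "SHA-256", "data_lifetime_years": 1},
    {"asset": "pq-pilot-05", "kex": "X25519MLKEM768", "auth": "ML-DSA-65",
     "cipher": "AES-256-GCM", "hash": "SHA3-256", "data_lifetime_years": 25},
]


@dataclass
class Finding:
    asset: str
    field: str
    algorithm: str
    status: str  # "replace", "upgrade", "ok" or "unknown"
    note: str


def classify(algorithm: str) -> tuple:
    """Classify one identifier such as 'RSA-2048', 'X25519MLKEM768' or 'AES-128-GCM'."""
    upper = algorithm.upper()
    if any(tok in upper for tok in PQ_TOKENS):
        return "ok", "post-quantum or hybrid scheme"
    family = re.split(r"[-_ ]", upper)[0]
    if family in SHOR_BROKEN:
        return "replace", "public-key scheme broken by Shor's algorithm"
    if family in ("CHACHA20", "XCHACHA20"):
        return "ok", "256-bit symmetric key meets the Grover floor"
    m = re.match(r"^(AES|SHA3|SHA)-?(\d+)", upper)  # SHA3 must precede SHA
    if m:
        bits = int(m.group(2))
        if bits >= SYMMETRIC_FLOOR_BITS:
            return "ok", f"{bits}-bit key or digest meets the Grover floor"
        return "upgrade", f"{bits} bits is below the {SYMMETRIC_FLOOR_BITS}-bit Grover floor"
    return "unknown", "not recognised; review manually"


def scan_inventory(records) -> list:
    """Turn inventory records into one Finding per algorithm field."""
    findings = []
    for rec in records:
        for field in ("kex", "auth", "cipher", "hash"):
            alg = rec.get(field)
            if alg is None:
                continue
            status, note = classify(alg)
            findings.append(Finding(rec["asset"], field, alg, status, note))
    return findings


def summarize(findings) -> dict:
    """Count findings by status, so the size of the migration is visible at a glance."""
    counts = {"replace": 0, "upgrade": 0, "ok": 0, "unknown": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


def prioritize(records, findings) -> dict:
    """'high' if a Shor-broken scheme guards long-lived data, 'medium' if anything needs work."""
    lifetime = {r["asset"]: r.get("data_lifetime_years", 0) for r in records}
    priority = {r["asset"]: "none" for r in records}
    for f in findings:
        if f.status == "replace" and lifetime[f.asset] >= LONG_LIVED_YEARS:
            priority[f.asset] = "high"
        elif f.status in ("replace", "upgrade") and priority[f.asset] != "high":
            priority[f.asset] = "medium"
    return priority


if __name__ == "__main__":
    found = scan_inventory(SAMPLE_INVENTORY)
    for f in found:
        if f.status != "ok":
            print(f"{f.asset:12} {f.field:6} {f.algorithm:16} {f.status:8} {f.note}")
    print(summarize(found))
    print(prioritize(SAMPLE_INVENTORY, found))
```

The point of the priority pass is that not every finding is equally urgent: a broken key exchange in front of records that must remain confidential for decades is already exploitable by recording traffic today, while the same finding on short-lived session data can wait for the normal upgrade cycle. In a real program the records would come from certificate stores, TLS scans and code dependency manifests rather than a hand-written list, and the classification tables would be maintained as NIST guidance evolves.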
While the technical vulnerabilities that can be exploited will vary with new technology, the higher-level issues are the same.
When dealing with information technology, organizations should consider what happens if the information processed by the technology is accessed or exposed through human error, negligence, or unauthorized access. What if the technology becomes unavailable or the data is corrupted? Organizations should ask:
- How do we know it’s been exposed, and can we determine how?
- What if the integrity is compromised? How do we know what was changed?
- How will we understand the implications, and how do we fix them?
- What if the technology goes down? Can we function without it?
- What is the impact, how do we manage until we get it back online, how do we get it back online, and how fast do we need to do it?
- Are people at physical risk from the use of this technology?
- Do the benefits outweigh the cost?
- What is our obligation to inform patients and others of the risk?
We tend to get caught up in the hype associated with new technology. It’s exciting to think of the possibilities, but every technology also comes with risks we must understand and manage before they become a reality.
Establishing a strong vendor or third-party risk management program helps organizations develop standards and controls against which to measure their vendors and partners. A strong vendor risk management program today enables organizations to adopt emerging technology in the future while protecting systems and data in the process.