A Look at Emerging Healthcare Technology & Associated Security Risks

Healthcare technology has seen a significant evolution in recent years. The rise of machine learning and other forms of artificial intelligence is transforming how we diagnose and treat disease. Telemedicine networks connect patients to doctors and specialists across the country, and nanomedicine has the potential to revolutionize treatments for cancer, diabetes, and many other conditions. However, these new technologies bring new security risks that organizations must address to protect patient data and maintain compliance with privacy regulations.

Organizations must sufficiently prepare for the new wave of technology to avoid security risks.

Third-party risks are of growing concern to healthcare organizations, even more so when they are considering the adoption of new or cutting-edge technology. Before adopting the technology, organizations should seek to understand the risk that its use poses to their patients, staff, and business. This includes understanding from the manufacturer the safeguards it put in place during the design, development, manufacture, deployment, and ongoing operation of the technology to protect the confidentiality, integrity, and availability of the information processed, as well as the physical safety of users and others exposed to the technology. Depending on the level of risk, including the potential impact, organizations might also consider requiring that the manufacturer produce reports of independent testing of the technology or, even better, that they be allowed to test it independently.

As the speed and scale of positive impact increases with new technology, so does the potential harm.

Healthcare Information Security recently covered a new threat brief from The Department of Health and Human Services’ Health Sector Cybersecurity Coordinating Center regarding the security risks of some of the most promising emerging technologies impacting healthcare, and they allowed me to contribute my thoughts on the threat brief. On the list of emerging technology, HHS HC3 included artificial intelligence, 5G cellular, nanomedicine, smart hospitals, and quantum computing and cryptography.

Since the invention of the club, all technology can be used for good or evil. Today’s technology is no different, except the speed and scale of potential harm are generally increasing. We are particularly concerned whenever technology is used in such a way that a vulnerability within that technology may ultimately result in loss of life. All the technologies listed in the HHS HC3 threat brief potentially fall into that category.

In terms of scale and potential financial impact, quantum computing is particularly troublesome, and I think of it like the Y2K bug, except worse. In Y2K, we had to look at all our applications to ensure that each program accounted for years beyond 1999 and, if not, remediate it before January 1, 2000. With quantum, it may be much worse. Imagine a race to identify and replace all the encryption algorithms currently in use in systems across the globe before hackers exploit them with quantum hacking tools. Organizations struggle today to keep up with updates in their encryption protocols, let alone find and replace all of them. Of course, this assumes that the existing or new cryptographic algorithms with which they can replace them are sufficient to protect against the threat.

While the technical vulnerabilities that can be exploited will vary with new technology, the higher-level issues are the same.

When dealing with information technology, organizations should consider what happens if the information processed by the technology is accessed or exposed through human error, negligence, or unauthorized access. What if the technology becomes unavailable or the data is corrupted? Organizations should ask:

  • How do we know it’s been exposed, and can we determine how?
  • What if the integrity is compromised? How do we know what was changed?
  • How will we understand the implications, and how do we fix them?
  • What if the technology goes down? Can we function without it?
  • What is the impact, how do we manage until we get it back online, how do we get it back online, and how fast do we need to do it?
  • Are people at physical risk from the use of this technology?
  • Do the benefits outweigh the cost?
  • What is our obligation to inform of the risk?

We tend to get caught up in the hype associated with new technology. It’s exciting to think of the possibilities, but every technology also comes with risks we must understand and manage before they become a reality.

Establishing a strong vendor or third-party risk management program helps organizations develop standards and controls against which to measure their vendors and partners. A strong vendor risk management program today enables organizations to adopt emerging technology in the future while protecting systems and data in the process.
