The Covid 19 pandemic has brought on many changes. It is estimated that the number of teleworkers increased from a little over 4% of the work force to almost half with about 80% of employers allowing at least some teleworkers. This is especially true for healthcare.
The need for healthcare to continue joined with the need to stay away from any potential infectious environment has put a special emphasis on remote delivery of services. This trend is likely to continue. According to the consulting firm McKinsey “COVID-19 has caused a massive acceleration in the use of telehealth. Consumer adoption has skyrocketed, from 11 percent of US consumers using telehealth in 2019 to 46 percent of consumers now using telehealth to replace cancelled healthcare visits.” This could eventually translate into “$250 billion of current US healthcare spend (which) could potentially be virtualized.” Assuming it works.
Telemedicine is a technology originally created for NASA. In the early days of space flight, NASA realized that astronauts might become sick far from any possibility of seeing a physician assuming they could even get an appointment. NASA further developed the concept in the early eighties with a tele-I.C.U. for astronauts on Space Station Freedom.
Telemedicine is not just one technology. It can refer to many including video conferencing, wireless technologies, data monitoring, internet-based technologies, smartphone apps, interactive voice response technology and even fax and landlines. The issue is that many of these technologies were not designed to keep patient information, physician and even lawyer communications confidential.
Part of the trouble is that many developers of today’s technologies live by Facebook founder Mark Zuckerberg’s now-famous motto: “Move fast and break things.” To start the industry average is 15 and 50 bugs per 1,000 lines of code. This amount can go up drastically with the complexity of the project. Ideally developers should use the software development life cycle (SDLC) process to formalize and document secure coding methodologies. More often the need for speed obviates the process.
This has created headaches for two of the most important telemedicine technologies: mobile health apps and internet connected surveillance cameras. Both of these technologies have recently been found to be accessible by hackers, who have been able to steal health care information. This is a predicament. Health care information is required to be kept private under HIPAA (48 CFA §164.502). It is also one of the most valuable types of information available on the internet.
The problem with mobile apps is partially due to apps themselves. Unlike programs, apps need other programs to do what they do. In the ‘old days’ (10 years ago) you would access information through a browser, which would query a company’s servers to complete a transaction. Now you use an API (Application Programming Interface), a company app on your cell phone, designed to gather information from various sources and use the cell phone’s computing power to provide the answer to the request.
APIs have been compared to a waiter getting your order and bringing you the food. Sadly, the waiter can be mugged on the way to the kitchen. New technologies are rarely free from cyber security issues. They just have different issues. According to Gartner, the world’s leading tech research company, APIs calls now account for 83% of web traffic and by next year will account for 90% of the attack surface and the most common attack vector.
You can lock down an API like you protect your home computer. You are careful with authentication. You implement lockout policies. You limit exposure of sensitive data like ePHI. The difficulty with API authentication is that these problems are harder to find, but they are just as exploitable.
A recent study showed that of the 30 apps tested, all were vulnerable to attack, allowing access to healthcare information that should have been protected. It took researchers less than a minute to discover one of the most common vulnerabilities. Half of the apps could be used to reveal clinical, pathology, and radiology reports.
Another obstacle has to do with internet connected surveillance cameras. There are an estimated 1 billion of these cameras in use around the world. A company whose surveillance cameras are used inside hospitals, companies, police departments, prisons and schools were hacked. Two companies whose images were shared online were Tesla and Cloudflare. Last year the Chinese manufacturers, who manufacture the bulk of CCTV cameras, were prohibited from U.S. government contracts and applications deemed to have national security restrictions for vulnerabilities.
The point of all of these issues is that before a health care provider, law firm or any company interested in keeping its information private adopts a new technology, they have to go through a change management process that looks deep into the strength of the technology’s security. Just because it is new, does not mean it is better. Usually the reverse.
– William Gamble, Member of The Florida Bar, Consultant IT Governance USA