Friday, October 23, 2020

Facing the challenge of protecting health data from abuse (Cybersecurity Awareness Month, Day 23)

On this, the 23rd day of Cybersecurity Awareness Month, it's time to acknowledge something that is both sad and true: cybersecurity awareness sometimes means accepting that some of the things we enjoy a lot may not do us a lot of good. It's a bit like pumpkin spice lattes: I really enjoy drinking them, but doing so is not particularly good for me, and the science strongly suggests that drinking a lot of them is bad for me. 

Likewise, I really enjoy sharing information about myself, but I need to do so carefully in order to minimize certain risks. For example, I should probably think twice about sharing on social media the fact that I really like using the Acme Patient Portal App for Android; and maybe think three times if I've also been sharing lots of pictures of our new cat Nadia while using her name as my password on that portal, and all my other accounts. 

In yesterday's blog post I talked about how serious the threats to health information have become now that so much of it is stored on, processed by, and communicated between, digital devices, things that now range from wearable tracking devices to mainframe computers and huge server farms "in the cloud." 

While most people would argue that this massive digitization of medical data is not wrong in itself, criminologists like myself would argue that abuse of this new reality for selfish ends is inevitable, particularly if the data is not protected at all times by "effective guardians" (a term we talked about on Day 7). 

Unfortunately, the mass digitization of medical data has been occurring at the same time as an explosion in the number of points at which "bad actors" can attack the systems processing the data, the so-called attack vectors that I referred to on Day 9 (The Internet of Things to Get Smart About). The rapid adoption of everything from tablets to smartphones to connected watches and health trackers is expanding the attack surface, the amount of digital territory that needs to be monitored and defended. 

Some years ago I started diagramming this for folks in healthcare, and while it's not the prettiest picture I've ever drawn, I think this one does convey how complex all of these developments have made the task of maintaining cybersecurity:  

Diagram of the attack surface for medical data, from smartwatch to clinic

To carry on being a bit technical, I should point out one more thing that makes cybersecurity so difficult in the healthcare sector: the required level of granularity and multiplicity in the sharing and not-sharing of medical data. Think of all the entities that might be in the data sharing mix, requiring some of your medical details, sometimes in a hurry, but without exposing all of those details to criminals or the public:
your doctor; that doctor's colleagues, nurses, and assistants; any specialists you see and the staff at the places to which you are referred; your pharmacy; the accounting and administrative departments for all of these; the same again for any insurance companies involved, plus their claims assessors and adjudicators; your employer, who may be paying for all or part of your insurance; and your government, which might be funding, researching, or otherwise tracking some or all of the medical services you need.

Yet, challenging as cybersecurity is when it comes to healthcare, there are always things you can do to reduce the odds of your medical data being abused. Thanks to the National Cybersecurity Alliance, four of these things have been put into a handy infographic (full version downloadable here).

You might find this graphic helpful if you are working on raising the cybersecurity awareness of others, perhaps in your office, church, social group, or household. Here is a link to a short video that might also help (I'd say loop it on the monitors in the company cafeteria, but I'm not sure how many people are in company cafeterias these days).

If you are trying to reach management with the urgency of this topic, please urge them to watch this interview with an expert I respect a lot, Joshua Corman, titled Cybersecurity Advice for the COVID-19 Era. For more on dealing with things at an organizational level in healthcare, see this article: Putting People at the Center: Three Ways the Healthcare Industry Can Proactively Prevent Cyberattacks.

