In the first of our two-part series, we covered the unhygienic security practices and the impact of the modern healthcare ecosystem. This final installment digs deeper and provides useful recommendations for alleviating those risks.

Privacy Enigma

However, containing the said issues or implementing privacy and security controls is challenging and not short of pitfalls. Fundamentally, privacy is a complex issue that jurisdictionally falls into different areas. There is no clear definition of “privacy,” of what constitutes a privacy violation, or of who among the involved stakeholders is responsible or accountable in the event of a breach, and so forth.

Also, the notion of the “privacy paradox” is disconcerting and undermines efforts to manage security and privacy. The privacy paradox implies that people’s privacy concerns and expectations are diverse and contradictory in terms of theory and outcomes: despite people’s clearly expressed concerns about their privacy, there is a simultaneous lack of appropriate secure behavior (for instance, sharing sensitive information on social media).

Moreover, healthcare providers tend to prioritize healthcare utility and safety, while manufacturers prioritize intended device features over security and privacy. The shortage of quality technical resources and the sheer difficulty of managing third-party environments such as the cloud or social networking healthcare promotion sites also hinder their efforts to create a sufficient cross-functional privacy and security team. Compliance is also expensive, and IoT device constraints (limited power and resources) mean that privacy controls can slow down medical devices and reduce usable battery life. In some medical devices, such as pacemakers, critical functionality cannot be updated immediately even if a patch is available. These limitations further deter manufacturers from producing products with enhanced security and privacy features and from managing those features through the lifecycle of the product.

Furthermore, it is inherently difficult to track the flow of PII/PHI data. Data may be collected and used in many systems throughout an organization and across the continuum of the healthcare industry: in hospitals, rehabilitation centers, insurance agencies, and so forth. The more places the data exists, the more systems an organization has to track, maintain, and protect. Even privacy-preserving mechanisms have their shortcomings. There is an inherent trade-off between information loss and confidentiality protection, because reducing the granularity of the data (for example, generalizing ages into bands or truncating ZIP codes) results in diminished accuracy and utility of the data.
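The granularity/confidentiality trade-off described above, shown on a handful of constructed patient records (an added example, not code from the original article): ages and ZIP codes are generalized step by step, and for each step the smallest equivalence class (the k in k-anonymity) is compared with a simple information-loss score. The record set, the loss metric and the function names are assumptions made for this illustration.

```python
"""Added example: generalizing quasi-identifiers in constructed patient records
to show how coarser data raises k-anonymity but increases information loss."""
from collections import Counter

# Constructed sample records: (age, 5-digit ZIP, diagnosis).
# Age and ZIP are quasi-identifiers; diagnosis is the sensitive attribute.
RECORDS = [
    (34, "15213", "flu"),
    (36, "15217", "asthma"),
    (41, "15232", "flu"),
    (45, "15206", "diabetes"),
    (52, "15201", "asthma"),
    (58, "15219", "flu"),
]


def generalize(age, zip5, age_band, zip_digits):
    """Reduce granularity: age to a band of width age_band, ZIP truncated
    to its first zip_digits digits (remaining digits masked with '*')."""
    lo = (age // age_band) * age_band
    age_g = f"{lo}-{lo + age_band - 1}" if age_band > 1 else str(age)
    zip_g = zip5[:zip_digits] + "*" * (5 - zip_digits)
    return (age_g, zip_g)


def k_anonymity(records, age_band, zip_digits):
    """Smallest equivalence class over the generalized quasi-identifiers.
    k == 1 means at least one record is still uniquely re-identifiable."""
    groups = Counter(generalize(a, z, age_band, zip_digits) for a, z, _ in records)
    return min(groups.values())


def information_loss(age_band, zip_digits, age_range=100):
    """Assumed metric: normalized certainty penalty averaged over the two
    quasi-identifiers. 0 = original precision, 1 = attribute fully suppressed."""
    age_loss = (age_band - 1) / (age_range - 1)
    zip_loss = (5 - zip_digits) / 5
    return round((age_loss + zip_loss) / 2, 3)


def sweep(records):
    """Return (age_band, zip_digits, k, loss) for a few generalization levels,
    from the raw data to complete suppression of both quasi-identifiers."""
    levels = [(1, 5), (10, 5), (10, 3), (100, 0)]
    return [(ab, zd, k_anonymity(records, ab, zd), information_loss(ab, zd))
            for ab, zd in levels]


if __name__ == "__main__":
    for age_band, zip_digits, k, loss in sweep(RECORDS):
        print(f"age band {age_band:>3}, zip digits {zip_digits}: k={k}, loss={loss}")
```

Note that coarsening age alone (band of 10, full ZIP) leaves k at 1: every quasi-identifier must be generalized together, and each step that raises k also raises the loss score.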

Conclusion

Regardless of the issues, regulators and regulations such as the FDA, HIPAA, the HITECH Act, GDPR, etc. are making inroads in preserving individual privacy and security. In addition to the existing principles recommended by the regulations, we recommend the following practices that can help alleviate the risks:

  • Privacy by Design – all applications (mobile apps, software, etc.) and devices, whether they are “clearly” for medical purposes or “intended” for medical purposes, must follow privacy by design principles. This also involves restricting the overcollection of data and employing privacy-preserving mechanisms on data stores.
  • Privacy Policy Notices – must be simple, yet distinctly elaborate on the types of data collected, its intended usage, and the stakeholders involved. Doing so will provide consumers the opportunity to be aware of how their information will be used and by whom, in turn, helping them make an informed choice regarding the product.
  • Accountability – clearly defining data ownership and the responsibilities of the involved stakeholders in the event of a breach might help deter unethical conduct.
  • Awareness Programs – consumers need to be educated on their rights, and how to make use of technology-assisted healthcare without undermining their privacy.
  • Periodic Risk Analysis – this includes the “covered entities” (as defined by HIPAA) regularly reviewing their records to track access to PHI and evaluating the effectiveness of the security measures put in place against risks such as unauthorized access, destruction, modification, or disclosure of data.
  • End-of-Life Management – in recent times, several breaches have been attributed to poorly discarded medical devices that store PHI. Device manufacturers and healthcare providers must uphold procedures and policies that address issues that arise as a result of devices reaching their end of life.
  • Third-party audits – medical devices must be tested for security and privacy issues by an independent third party, with provisions in the management cycle to address the issues found during the audits. All such reports, if made public, can help healthcare providers make an informed choice and not rely on public databases that are strewn with vague information.
  • Expanding the definition of “covered entities” – HIPAA only regulates the healthcare industry, and thus only applies to what the law considers “covered entities” and their “business associates.” If medical information is disclosed to anyone else, HIPAA does not apply. For instance, any information provided to a social networking site, one’s employer, or a wellness app will often not be protected by the existing medical privacy regulations.


Vishruta Rudresh

Senior Cybersecurity Researcher at Kudelski Security
Vishruta Rudresh is a Senior Cybersecurity Researcher at Kudelski Security focusing on fundamental new approaches to IoT and OT environment security, including but not limited to machine learning, edge device decision making, and low power environment security. She has been working in the Information Technology industry since 2011, specializing in IoT security, malware reverse engineering, system and application administration, incident response, digital forensics and mobile security, and has a master’s degree in Information Technology-Information Security from Carnegie Mellon University.