By Dan Lyon, principal consultant at Cigital
In this article, Dan Lyon of Cigital takes a deeper look into the cybersecurity issues surrounding the vulnerability of apps used daily in healthcare environments, and discusses how organisations such as the NHS can ensure data remains secure while still providing patients and medical professionals with secure, connected access to digitised services.
Advancements in technology will drive significant changes in the way health services are delivered.
Earlier this year, the Government announced a £4.2 billion investment in NHS technology. DigitalHealth.London has also recently launched a new accelerator programme designed to help SMEs develop digital healthcare systems and technologies, and offers them the opportunity to showcase this technology to the NHS.
But how will this affect cybersecurity in the NHS?
Hospitals and their technologies are being increasingly targeted due to the rich amount of data they have in their possession and there have been reports of cyber security flaws in hospital systems.
Two important security concerns arise with new medical technology, and healthcare technology firms are not well suited to tackle them. First is patient data security. With so much free flow of information, medical data can be harnessed in novel ways to identify treatments, diseases, and trends in healthcare. The industry, however, has few controls on how medical data moves around.
Secondly, technology must be reliable enough that lives are not at risk. The slapdash world of the Internet of Things (IoT) is incompatible with the kind of rigor and reliability needed in medical technology.
Users think little of security when downloading apps and sharing personal information. They are also given little or no guidance on the risks and rewards of using medical apps or sharing medical data.
In medicine we talk about ‘informed consent’, where doctors and patients collaborate to weigh the risk and benefits of treatment. In technology, neither doctors nor patients have sufficient knowledge to make informed choices about installing apps, sharing data, or trusting technology.
When it comes to evaluating the security of a technology (for example, a mobile app or a technological diagnostic tool), medical professionals have no greater insight into its privacy and security than the rest of us.
According to a recent Skycure report, 80% of doctors use their mobile devices to assist in their day-to-day practice, with 28% storing patient information on these devices. Subsequently, a study into the data security of NHS apps revealed that many leak private data about doctors and patients, with many also failing to encrypt patient information before it is sent over the internet.
Providers of healthcare apps make claims about software security; but doctors, administrators, and healthcare facilities often lack the knowledge and resources to evaluate the claims that manufacturers make.
According to a report from Arxan Technologies, 80% of apps formerly approved by the NHS were vulnerable to at least two of the Open Web Application Security Project (OWASP) top 10 mobile risks. Research has also shown that, even without experiencing cyberattacks on their apps, around 80% of health app users would change providers if their apps were known to be vulnerable.
Interestingly, more than 75% of mobile health app providers also believed users would change providers if they knew their apps were insecure, or if a similar provider offered a more-secure version. Patients and healthcare professionals are not in a position to evaluate apps and technologies directly, though, so there is little chance they will actually change.
In May 2016, antivirus technology interrupted a blood monitoring workstation during a patient procedure. Luckily no-one was harmed, but technology must be robust when patient lives are at stake. Consumer technology for buying merchandise and sharing photos can rapidly evolve and have weekly bug fixes and patches. Technology in the medical industry must be substantially more tested and cannot sustain unpredictable, rapid evolution that might work in other industries.
So what can the NHS and mobile app providers do?
There are ways in which the NHS and mobile app providers can work together to provide secure app environments for their users. These include:
The future of healthcare is no doubt digital, but in order for it to be secure, robust mobile app security is not only a wise technology process and investment, but also a smart business one.