Dan Munro says that the potential for losing our privacy on the road to digital health makes trust even more important—and potentially lifesaving.
As a writer, I'm a sucker for a great question as a way to connect my thoughts to a keyboard and to explore healthcare topics in more depth. It's one of the reasons I'm often asked to answer questions under the Medicine and Health topics over on Quora (where I'm also a Top Writer).
I tweaked the question a little, but the one in the headline here was actually posed by fellow writer and nuviun colleague John Nosta. Since John and I follow each other across different social channels, it appeared innocuously enough in my Facebook feed recently. Hat tip to John for a great question.
First up, there's an annoying little technical rule about every question of this kind—almost all of them can be swiftly dismissed with one word: no. But that's an abrupt ending, and for this question I would answer unequivocally yes—cybersecurity is THE elephant in the digital health room. Here's why.
By now, most people are aware of the mega data breach disclosed earlier this week at the Blue Cross Blue Shield giant known as Anthem. As one of 37 Blue Cross Blue Shield organizations around the U.S., Anthem is one of the largest, and I wrote about the breach on Forbes under this headline.
At this point the technical details are still emerging and we don't know much about how it happened. We likely never will. When a data breach reaches critical infrastructure (a federal designation that includes U.S. healthcare), the FBI dives in and the forensics of the breach are conducted under legally binding terms of non-disclosure.
In fact, this breach may have started as early as December 10 of last year, and the FBI was likely engaged soon after. That makes sense, because no one wants to publicly disclose an effective vulnerability outside the community that needs to know about it.
The public debate surrounding all high-profile breaches (regardless of size) occurs quickly and openly within the cyber community, and it starts with what's known simply as attribution. Who did it? Like all wars (cyber or physical), there's always lots of speculation, ambiguity and debate around who did what to whom—and when.
Another example is the Sony data breach in December (which also exposed sensitive health data on employees and their dependents); it produced a fierce and ongoing debate over exactly that question of attribution. Attribution matters for tracking down and prosecuting the perpetrators, of course, but in this new era of cyberthreats the attackers are often nation states, and that is a very different kind of threat, and a very different kind of war.
The FBI suggests that there is strong evidence to implicate North Korea. Like others, I'm not entirely convinced, and I wrote about some of the reasons for my skepticism during that debate. Cyber wars have similar properties to physical wars in that the first casualty is often the truth.
To get a sense of the scope and scale of this cyber war playing out globally, point your browser at the Norse sensor-network dashboard and watch the attacks fly in real time. Bear in mind that the map shows traffic hitting Norse's own honeypot sensors, so it is a sample of hostile activity rather than a census of it. Warning: it can be a tad mesmerizing, and it's definitely eye-opening.
Already fading from memory, even though it was an early sign of the healthcare threat in this new war, is the Community Health Systems (CHS) data breach disclosed last August.
In the case of CHS, the FBI also labeled this a sophisticated attack by an Advanced Persistent Threat (APT) group, likely out of China. The cyberwars are no longer waged by kids in basements but by nation states pursuing a host of national, technical and political agendas.
Over the last few years the number of stolen health records has been slowly creeping up, and 2015 (with the mega-breach at Anthem) is well on its way to shattering all previous years combined—just for the U.S.
So what's the personal risk when breached health data is used for medical identity theft? The Ponemon Institute summarized the results of its 2013 survey of victims this way:
- 15% of respondents experienced a misdiagnosis
- 13% of respondents experienced a mistreatment
- 14% of respondents experienced a delay in treatment
- 11% of respondents were prescribed the wrong pharmaceutical
- 50% of respondents have done nothing to resolve the incident
The threat also extends well beyond the personal data held in electronic health records.
Hacktivists use the same skills cybercriminals use to steal data, but they have a different agenda: their intent isn't to monetize stolen records but to disrupt an enterprise in pursuit of a political cause. How does that apply in healthcare? The case of Boston Children's Hospital last year offers a chilling example.
In April of last year, Boston Children’s Hospital was attacked by a “hacker collective” known as Anonymous. While the attack was classified as “hacktivism” (the motivation revolved around a high-profile pediatric case), the “group” issued direct threats prior to launching a sizable distributed denial-of-service (DDoS) attack on the hospital. The attack was short-lived (about a week) but escalated quickly and did have an impact on critical communications, including email services for the entire hospital. Here's the graphical representation of the DDoS attack.
At its peak, the primary internet pipe into and out of Boston Children's Hospital was being flooded with almost 28 gigabits per second of traffic. The attack also included the release of personal information on both the judge presiding over the pediatric case in question and the doctor involved in it.
The cyberattack against BCH earlier this year did take us by surprise and we reacted quickly in ways that did control the threat, but that also required a disruption in normal IT services like email. If there’s any real message here it’s that you can’t schedule these kinds of attacks so it’s critical to have cyberthreats as a key part of IT budget and planning. In our case, we don’t think the motivation was financial, but the attack was as sophisticated as many that are. – Dr. Daniel Nigrin, CIO, Boston Children’s Hospital
Cyberthreats also extended last year to include—perhaps for the first time—medical device manufacturers.
The medical device makers were not aware of the intrusions until federal authorities contacted them, and they have formed task forces to investigate the breach, [an inside source] said. – “Hackers break into networks of 3 big medical device makers,” SFGate (February 2014)
All of which—in combination—prompted me to write this headline at the end of last year:
It's not the sheer number of attacks that's important in determining success or failure against cyberthreats—it’s the fact that the attackers only have to find one vulnerability—one time. Defenders, on the other hand, have to protect against all vulnerabilities—all the time.
Given the reality of that equation, it's easy to see how the attackers have gained the upper hand and why the gap between attackers and defenders will only continue to widen. The multiple agendas attackers pursue—both criminal and political—are simply too tempting and too rewarding. Most attacks are for monetary gain, of course, but the monetization isn't limited to selling breached data, and the problem is certainly not limited to the U.S.
Of course there's a popular argument that tries to minimize the effect of all this by boldly proclaiming "privacy is dead," and to a large extent that's true—technically.
Most of us reached alarm fatigue long ago and have given up on the idea that our data is truly secure anywhere. The sheer volume of data being stolen (or collected) and sold is staggering, and it's very difficult (if not impossible) for individuals to effectively control any of our data without going completely "off the grid." If 80 million is the final count of people whose records were breached at Anthem, that's roughly 25% of the total U.S. population.
The challenge for healthcare, however, is broader and more critical for reasons that go well beyond monetary or identity risk. We'll have to find ways to live with those, but in the context of digital health and health IT, the fact that personal privacy is dead isn't all that relevant. We easily concede that point even if we don't like it, but the value equation in healthcare quickly transcends privacy altogether and goes to the heart of a much larger attribute—trust— and that most certainly isn't dead.
When providers diagnose us with any number of horrendous medical conditions, we entrust our very lives to their clinical expertise and training. That trust is critical in establishing an effective and potentially lifesaving team with each of us as patients at the very center.
Cyberthreats and cybersecurity are now a truly global phenomenon, and the threat is absolutely growing. For me, cybersecurity is THE 800-pound elephant in the digital health room. Not just here in the U.S., but around the world. We may have lost our privacy on the road to digital health, but that makes trust even more important—and potentially lifesaving.