The Future of Cyber Security in Healthcare

Innovative technology is changing healthcare for the better. However, with the ever-evolving nature of technology and the new General Data Protection Regulation being enforced next year, cyber security has never been more important, especially for healthcare data.

Below we have highlighted the key trends that will inform cyber security processes in the immediate future.

The previous decade has witnessed a multitude of high-profile cyber-attacks, affecting aspects of both personal and corporate systems and data. The most recent example of a large-scale cyber-attack was the May 2017 “WannaCry” ransomware attack which affected more than 200,000 computers across 150 countries, and almost brought some of our public services such as the NHS to a complete halt. The media coverage this attack received represents the important shift in public perception towards cyber safety, which puts organisations under greater pressure to adequately secure their systems and protect data. To reinforce this, the introduction of the new General Data Protection Regulation (GDPR) in May 2018 will implement greater accountability for those that suffer a data breach due to inadequate consideration when protecting their data.

15658478208_5a1f9da3cf_b.jpg

The implications are significant when it comes to healthcare, with more of the population employing Technology Enabled Care (TEC) to monitor their health. TEC has has transformed health care over the past few years with the growing use of remote monitoring, telecare and telehealth services, and a surge in the uptake of self management apps via smartphones and tablets. Yet with the benefits of TEC comes a need for more rigorous data protection methods.

Dr Simon Parkinson, a lecturer in computer science at the University of Huddersfield outlines the key trends that will inform cyber security processes in the future:

Changing nature of healthcare data

Healthcare data is some of the most sensitive type of data as it is rich with personal information. Personal details, previous healthcare issues, daily routines and location information can be accessed by the newest healthcare technology. Higher volumes of in depth data could transform health and care delivery for the better, but mean that data protection is more crucial than ever. For example, consider the implications of a service such as the Electronic Prescription Service (EPS) being tampered with, which in this instance allows prescriptions to be sent direct to pharmacies through IT systems. There is potential for life threatening consequences should an attacker be able to adjust a patient’s medicine without anyone knowing.

Greater connectivity brings increasing challenges

Increased connectivity resulting from improved infrastructure and the ever expanding ‘Internet of Things’ (IoT) has meant that we are more vulnerable to remote attacks because our connected devices create more access points. Although it is challenging to completely mitigate against cyber-attacks, effort should be taken in the design stage of any healthcare technology to improve security and minimise the chance of attack. For example, safeguards such as biometrics and two-step authentication are vital for increasing system security and preventing unintended access to both system functionality and data sources.

The fast pace at which technology is evolving means that innovators may be tempted to skip integrating security mechanisms into the product design in order to bring the product to market faster. This is not a viable approach as security is not a feature to be added later, but an integral component of a product's design.

The increasing use of IOT devices create more access points and leave us more vulnerable to attack.

The increasing use of IOT devices create more access points and leave us more vulnerable to attack.

Improved trust through GDPR

The new General Data Protection Regulation (GDPR) is being introduced in May 2018 to replace the longstanding Data Protection Act (1998). GDPR increases the protection of personal data within the EU, and also its exportation outside of the EU.

Some of the changes GDPR will bring about include:

  • Widening the scope of what is defined by ‘personal data’.

  • Requiring explicit consent to collect personal data.

  • Enforcing a “privacy by design” paradigm where systems must take security into account during the design phase.

If an organisation does not comply with  GDPR, they can be fined up to €20m or 4% annual global turnover, depending which is higher. It is therefore imperative for organisations of all size to adhere to GDPR.

Although the introduction of GDPR has faced resistance by businesses already financially burdened by policies, the public perception is positive and builds trust as end-users are pleased to see legislation developed to better protect their personal data, including how it is used and how long it is stored. This is particularly important in healthcare, where a recent high-profile investigation by the Information Commissioner’s Office determined that the Royal Free NHS Trust received inadequate consent to share 1.6 million patient records with Google’s DeepMind.

Future innovation in database management

Brute force attacks that use powerful computers create an opportunity for organisations to establish innovative and impermeable new systems. Choosing algorithms that are the most difficult to hack is a good starting point, such as the AES256 which has revolutionised the computing industry over the past decade. However, advancements in new areas such as quantum computing that has the potential to break AES in minutes is a very real consideration for the future that will call for stronger encryption algorithms.

Uncertainty over future threats means sharing and applying understanding of what results in strong and robust system design is essential. An example of this is the ‘block chain system’ which is currently being employed by the tech community allowing digital information to be distributed but not copied, with no centralised location for a hacker to corrupt. Databases of this nature are particularly interesting in the healthcare sector, whereby the provenance of patient data needs to be guaranteed.