How Safe is the IoT?

We look at the recent situation at Abbott, and get a comment from new kids on the block, Tridentify AB (www.tridentify.se) of Sweden.

At a time when Abbott Laboratories has been the subject of stinging criticism from the US FDA for failing to properly investigate and resolve risks related to its implanted heart devices, including cybersecurity threats and a battery malfunction linked to two patient deaths, it is important to take a measured view and ask: are all devices that contain a battery and can send information likely to run into these same problems?

Not according to Tridentify, the developers of a new tracer, based in Stockholm and Gothenburg. According to their CIO, Leif Sandvik, it all depends on whether you hold actual patient data: simple tracking information and pure functionality should not be an issue. Here is what he says, and how Tridentify address these aspects:

“It is correct that we use AES-128 for all communication in the QTA Tracer System, but the most important thing is that we do not use any patient data in the system for the moment. This means that we actually do “not have any” data to protect, even though we do protect it.😬

If a battery should fail, the tracer will reset and the red LED will flash. If the battery is drained, no LED will flash and, according to the manual, the product should be handled as expired.”

But Johan Snis, former Abbott Marketing Manager and new Commercial Director at Tridentify, goes further: he says there will always be some element of risk, but this is manageable:

“I would say that secure data is an important topic when entering IoT, or IoMT, as med tech has its own abbreviation.
Hospitals were one of the last “industries” to internetify themselves and they are still a bit behind in knowledge and technology, including security. But patient data is now, in most countries, in digital format on databases accessible from inter-hospital networks. So if healthcare has already accepted that evolution, they cannot avoid IoT. And they shouldn’t, since this is the most prominent way to personalize healthcare and to keep patients at home or specialist clinicians in remote locations.

However, data security is important. All data transferred to and from QTA is done using AES-128, the Advanced Encryption Standard. The encryption uses a 128-bit key and it gives 3.4×10^18 possible key combinations.
If we were to use the fastest supercomputer in the world, it would take approximately 1 billion billion years to crack the encryption. The universe is 13.75 billion years old as we speak.
If we assume that every person on earth has 10 computers each and all of them were used to crack the encryption, it would take 77,000,000,000,000,000,000,000,000 years.

So data transfer can be secure. The above argument doesn’t say that it cannot be broken, but that it will be tough. On the other hand, it is possible to break into a hospital; it is possible to disguise oneself as a doctor and give poison to a patient. Paper journals are possible to steal and forge… and so on.

For me, the discussion has to be open-minded. Yes, it is very important to have a secure future system! On the other hand, the systems used today are not foolproof or “Pentagon” secure.”

Focus on the Internet of Things

How IoT may be the worst of all options.

The idea that we can boil our kettle at home while flooring it down the motorway prior to arrival has long been the stuff of geek dreams. Its beauty is in its simple, home-craft image: how nice and unthreatening this is. If IoT is all about kettles and making cups of tea, well, what’s wrong with that?
And it goes on, at a much deeper level, into how whole “cities” are now becoming Smart Cities. This is an energy-conserving Utopia at a corporate level, if you will, as opposed to a personal level. Whole new divisions are being created at some of the world’s leading IT consulting houses to work out how they can deliver, using our love of and total dependence on mobile and internet connectivity, a world where we are In Control, from anywhere.
In the UK and other parts of Europe, we can moderate our central heating using our mobile phone, and thus, goes the argument, we can modify, i.e. reduce, our heating bills to cope with sudden sunny days and so forth.
My friend has a new car where, in the frozen climes she inhabits, she can switch on the heated seats some twenty minutes before she gets in. And whilst I am jealous and actually impressed, the question is: do we actually want all this? Just how much use, time and money will all these facilities actually save us, and how much extra competence will we gain?
I ask this because, for a start, I rarely change my central heating settings from one year to the next, let alone day by day. And judging from the number of rogue emails I receive in one day, do I really want some central Wi-Fi hub being involved in my domestic life, however useful this might appear for the greater good? Because, if current life is anything to go by, if the Internet is involved, then our lives can be hacked.
We are not alone in voicing these shortcomings. Oren Dvoskin at Sasa Software says it like this:
“The IoT is definitely creating a buzz as a perceived weakness when relating to cyber security. Attackers constantly look for the easiest way into organizations, and unprotected devices are a potential point of entry. The most common scenario is scanning the internet for devices with default (or no) security credentials.

This was the case with the massive DDoS attack on Dyn’s servers in October – millions of devices were hijacked, then controlled remotely.

Another concern is attacking equipment with outdated security measures, or legacy operating systems. Sophisticated equipment, such as medical devices, often cannot be properly secured, due to manufacturer warranties. It could potentially be a nightmare, with hackers demanding ransom when they’ve sabotaged a hospital’s ventilation system (or a patient’s pacemaker).

What can be done?

As always, it’s the basics. Ensure that devices have updated security credentials, and when possible, that they receive ongoing updates. Sensitive equipment, and equipment in sensitive organizations, should never have unrestricted access to the internet.”

And this includes you and me at home. The Wi-Fi-controlled kettle that makes our cup of tea will also let intruders in by the front door. And that is what I would call a nightmare.

Time to take healthcare security seriously.

We look at the rapid rise of Sasa Software, and ask: has their time come?

The image of Oren Dvoskin, Commercial Manager at Sasa Software, sitting in his nondescript office in a black t-shirt and headphones, looks Californian as he spells out the pessimism of his profession.

“There are two types of hospital,” he says, “those that have been hacked and know it, and those that have been hacked but don’t know it.”

Oren’s office is nowhere near Orange County. It is on the border of Israel and Lebanon. If anyone knows about pessimism, it is he. As Sasa Software prepares to face its growing and exponential market at HIMSS 2017, it surely does not get any blacker than this.

Cyber hacking and ransomware are growing to the point where they cannot be ignored or assumed to be someone else’s problem. But their growth is not the most alarming feature. It is that, for hospitals, any cyber attack would have to be premeditated, unique and specifically tailored to find the weak spot, the easiest point of entry, into that particular hospital.

What is worse is that, because health records (which are the prime target) are deeply personal and full of personal ID information, any attack is inevitably and immediately visible. Unlike, say, a bank, a hospital cannot pretend it has not happened and just pay the money.

This is no simple phishing attack.

What that means, and why Sasa Software believe that 2017 will be our most “challenging” (i.e. most concerted and worrying) year, is that hospitals are still not waking up to this important threat, despite the evidence that 75% have suffered some sort of breach, and that is just those that are publicly noted.

The answer, according to Oren, is to have a mix of baseline protection, the sort that all of us have on our PCs, office servers and cloud access. This stops the initial and simplest access. But to combat the precise and targeted attack mentioned above, Sasa take the view that every incoming email, data request and file transfer is a threat of some sort. Their range of solutions is designed to neutralise any incoming malware or suspicious entry at source.

But it is also a realisation that the files we take for granted, the DICOM image or the voice recording that we regularly append to our EHR records, are the new source of threat. Viewing images online across the globe, that holy grail of clinical consultant interoperability, may be the one area that is the Achilles heel of the modern hospital.

If there is a light at the end of the tunnel, it is not the fingers-crossed hope that things can get better. It is the realisation that you can do something about it. Oren is a philosopher with a positive view of human nature, despite the nature of his profession and the market he develops.

The cost of sorting out a cyber attack ranges from $230.00 to $400.00 per patient record. Sasa Software will be addressing both the pharma and clinical markets at HIMSS. Worth having a serious chat.

NEW SOLUTION TO COMBAT THREATS TO PATIENT PRIVACY AND EHR TRUST

We talk with Protenus CEO, Robert Lord, about the danger of complacency in an easy-access interoperable world.
Like all things in life, there are good days and bad; rainy days and silver linings. With healthcare, the drivers that we have been pushing as we motor down the cloud-based highway have led many to believe that patient record accessibility and interoperability is healthcare’s lone nirvana, its Holy Grail. In the same way that we all focus on paperless hospitals, we assume that, well, total access is a Good Thing.
And we would be wrong. Not that “interoperability” itself is a bad thing, but in a modern and real world we need to be equally aware of the value of our patient data, and how vulnerable it is to both external and internal threats.
How so?
Because, if we consider that we would never make our credit card PIN available to anybody, or that we would stand naked in front of probably only five people in the world, then our doctor would certainly be one of them. Our personal medical record is private, and hospitals have a duty of care to keep it so. This is not easy, and hospitals need to take action.
Protenus is rising as one of the stars of HIMSS 2017. Protenus’ founders, Nick Culbertson and Robert Lord, met in medical school, but previously had careers in intelligence and finance, respectively. They now apply their backgrounds in these fields to the protection of electronic health records.
Robert Lord, CEO of Protenus, told us when we caught up with him that this is a matter of trust between you and your hospital. You need to feel secure that your personal data will remain personal to you and not be stolen or hacked. Interestingly, Robert told us that the biggest threat to our data comes from inside: the internal hacking of patient data.

Protenus has developed a platform that monitors access to patient data by employees, affiliates and business associates and ensures that every access is appropriate. By using machine learning and rich clinical context, their system is highly accurate and vastly improves the efficiency of privacy teams.
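As an added illustration of the kind of “is this access appropriate?” check described above (example code written for this page, not Protenus’ software; the care-team assignments, encounters and access-log records are constructed, and the 72-hour treatment-relationship window is an assumed policy), here is a rules-based version: an access is flagged when the user has no clinical relationship with the patient, and a user who does that across several patients is flagged as a possible bulk snooper.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (hypothetical): the "rich clinical context" an
# access-monitoring system would draw on, plus an EHR access log.
CARE_TEAM = {"P1": {"drA", "rnB"}, "P2": {"drC"}, "P3": {"drA"}}
ENCOUNTERS = [("rnD", "P2", "2017-02-01T09:00")]      # (user, patient, time)
ACCESS_LOG = [                                          # (user, patient, time, action)
    ("drA", "P1", "2017-02-01T10:00", "view"),
    ("rnB", "P1", "2017-02-01T10:05", "view"),
    ("rnD", "P2", "2017-02-01T11:00", "view"),          # encounter two hours earlier
    ("clerkE", "P1", "2017-02-01T12:00", "view"),       # no relationship to P1, P2 or P3
    ("clerkE", "P2", "2017-02-01T12:01", "view"),
    ("clerkE", "P3", "2017-02-01T12:02", "view"),
]
RELATIONSHIP_WINDOW = timedelta(hours=72)               # assumed policy value


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def has_treatment_relationship(user, patient, when):
    """True if the user is on the patient's care team or had an encounter
    with the patient within RELATIONSHIP_WINDOW of the access time."""
    if user in CARE_TEAM.get(patient, set()):
        return True
    t = _ts(when)
    return any(u == user and p == patient and abs(t - _ts(e)) <= RELATIONSHIP_WINDOW
               for u, p, e in ENCOUNTERS)


def flag_accesses(log, bulk_threshold=3):
    """Return (unrelated, bulk_users): accesses with no treatment relationship,
    and users with such accesses to at least bulk_threshold distinct patients."""
    unrelated = [(u, p, t) for u, p, t, _ in log
                 if not has_treatment_relationship(u, p, t)]
    per_user = defaultdict(set)
    for u, p, _ in unrelated:
        per_user[u].add(p)
    bulk = sorted(u for u, ps in per_user.items() if len(ps) >= bulk_threshold)
    return unrelated, bulk


if __name__ == "__main__":
    unrelated, bulk = flag_accesses(ACCESS_LOG)
    for u, p, t in unrelated:
        print(f"REVIEW: {u} accessed {p} at {t} with no treatment relationship")
    print("possible bulk snooping:", bulk)
```

In a real deployment the relationship rules would be far richer (shift schedules, department, referral chains) and the review queue would be scored rather than binary, which is where the machine learning mentioned above comes in.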
Robert is due to speak on this issue, alongside the CMIO of Johns Hopkins, Dr. Peter Greene, at HIMSS itself. What he said to us is: “We see a continuing transformation in the market – we believe that 2017 will be the year of insider threat awareness. While the challenges of inappropriate access and privacy violations have consistently plagued health systems, awareness of this issue has hit an important inflection point, with leaders throughout healthcare technology ready to change the way that we ensure trust in healthcare.”
The Protenus solution is enterprise software-as-a-service that can protect EHRs, HIEs, payors, and any other institution that stores and accesses patient data.