Dan Lyon, principal consultant, Cigital, discusses the danger hackers pose to healthcare and how the digital security of the NHS needs regular ‘Health Checks’
It’s no surprise that hospitals and medical technologies are increasingly targeted by hackers, given the vast amounts of data they hold. However, with advancements in technology and a £4.2b investment driving significant changes in the way health services are delivered, how will this affect NHS cybersecurity?
App security in the digital era
There is very little guidance available on the risks of using medical apps and sharing data, and users think little of security when downloading these apps and sharing personal information.
Unfortunately, despite this era of ‘informed consent’, neither doctors nor patients have sufficient knowledge to make informed decisions about the apps they install or the data they share.
Patients rely on their medical care professionals to help them understand the risks; however, when it comes to evaluating the security of a technology (e.g., a mobile app or a technological diagnostic tool), medical professionals have no greater insight into the privacy and security implications than the rest of us.
Providers of healthcare apps make claims about software security but their users often lack the knowledge and resources to evaluate these claims; according to a report from Arxan Technologies, 80% of apps formerly approved by the NHS were vulnerable to at least two of the Open Web Application Security Project (OWASP) top 10 mobile risks.
The problem is compounded by a recent Skycure report, which found that 80% of doctors use their mobile devices to assist in their day-to-day practice, with 28% storing patient information on these devices. The implication is that doctors’ personal devices may or may not have adequate protections in place to safeguard their patients’ data.
In May 2016, antivirus technology interrupted a blood monitoring workstation during a patient procedure. Luckily no one was harmed, but technology must be robust when patient lives are at stake.
Consumer technology for buying merchandise and sharing photos can rapidly evolve and have weekly bug fixes and patches.
Technology in the medical industry requires much more rigorous testing to ensure patient safety and cannot sustain unpredictable, rapid evolution that might work in other industries.
NHS ‘health’ check
There are ways in which the NHS and mobile app providers can work together to provide secure app environments for their users:
- Aim for a level of security higher than required by regulatory bodies. Regulatory bodies often lag behind the cutting edge of technology. The healthcare industry needs to view compliance with regulatory security recommendations or rules as necessary, but not sufficient.
- Evaluate security claims sceptically. App makers and technology companies will make vague claims like “we use industry-leading cryptography” and will exaggerate the importance of encryption. Those professionals responsible for assessing the security of systems need to take vague claims with a grain of salt. The OWASP Mobile Top Ten is a good framework to help someone sceptically evaluate security claims.
- Transparent security. Technology makers need to explain the security in language that is thorough, unambiguous and factual. Providing this transparency will help consumers identify where additional controls may be necessary.
- Align budget with risks. Many organisations neglect to allocate any budget to mobile security, but spending should be allocated in proportion to where the risk actually lies.
The future of healthcare is no doubt digital, but for it to be secure, robust mobile app security is not only a wise technology process and investment but also a smart business one.