Is security a top priority for enterprise healthcare networks?

As the Internet of Medical Things (IoMT) gains traction in the UAE, healthcare operators must recognise the need for high-level security for patient data records and connected devices. Nader Henein, BlackBerry’s Regional Director for Advanced Cyber Resilience, explores this.

The Internet of Things (IoT) has truly revolutionised businesses across various sectors, including the healthcare industry, where it gave rise to the Internet of Medical Things (IoMT). The benefits of interconnecting medical devices are easy to grasp: instead of test requisitions and reports sitting at the nurses’ station, physicians today conduct this entire transaction digitally, ensuring that patients receive a far better standard of care and are prioritized based on need rather than chronology.

According to a report published by Deloitte, wider adoption of Technology Enabled Care (TEC) – where healthcare practitioners can undertake e-visits, write e-prescriptions, diagnose, and deliver treatment via remote digital monitoring – can result in direct cost savings and enhanced patient care. Hospitals have already started to increase use of connected devices, and operators feel that wider adoption in the healthcare sector can greatly reduce time spent on treatment and improve the doctor-patient relationship significantly.

Collecting patient data at regular intervals costs hospitals a significant amount of time and resources. Automating these processes with technology such as wearable devices that track a patient’s vital statistics not only saves costs for medical services, but also benefits patients by offering a more efficient method of data collection and enabling doctors to make a well-informed diagnosis. This is just a small example of how connected devices can revolutionise medicine in ways that were unimaginable before.

Wearables - revolutionizing healthcare

The National Health Service (NHS) in the UK has discussed how harnessing data through wearable devices, electronic patient records, and assistive technology can greatly benefit the healthcare sector. According to Medicom Health, which develops evidence-based health and wellness software applications, wearables can collect an array of critical information including activity levels, sleep, and heart rate. This is valuable information for providers dealing with patients with congestive heart failure, diabetes, and other chronic conditions. It is expected that wearables will also be able to collect additional biometric data like blood glucose levels and blood pressure through non-invasive sensors in real time, which can be used to predict an increased risk of a potentially fatal health event and alert healthcare providers in case an intervention is needed.

While all connected devices, from pacemakers and insulin pumps to x-ray machines, have significant benefits, they also run a significant risk of being attacked. The Food and Drug Administration (FDA) confirmed earlier, following the death of a patient, that St. Jude Medical's implantable cardiac devices were in fact vulnerable and could be easily accessed via vulnerabilities they had disclosed the previous year. The FDA announced that device manufacturers are at a significant risk of being hacked and issued a set of recommendations to secure medical devices that could jeopardise the safety and privacy of their users. This includes medical device manufacturers and health care facilities taking the right steps to ensure appropriate safeguards. The recommendations also state that device manufacturers should undertake appropriate measures to ensure proper device performance. Hospitals and health care facilities should also evaluate their network security and protect their hospital systems.

Protecting patient records

The Dubai Health Authority (DHA) has recently announced that 1.4 million patient records are now electronically available and a unified electronic medical system is live across a designated number of hospitals in Dubai under the ‘Salma’ initiative. Similarly, the government announced that it would launch the NABIDH program to digitise patient records. Both of these initiatives are linked to the UAE’s wider vision of fostering innovative and integrated care models across the healthcare sector and using big data to develop evidence-based public health policies.

This is a bold move, and the DHA recognizes that technological advancements also bring risk: patient records and other sensitive data making their way into the wrong hands is a very real threat for hospital and healthcare operators. According to the U.S. Department of Health and Human Services’ Office for Civil Rights, one in two Americans were affected over this last year by a data breach in healthcare. Furthermore, cyber liability insurers raised their premiums threefold for healthcare providers as this has been the most attacked industry two years running, surpassing the financial sector.

Last year, the UK National Health Service’s Lincolnshire and Goole hospital cancelled all of its planned operations and diverted major trauma cases to neighbouring facilities following a targeted attack. Although the hospital didn’t divulge the kind of virus that infected its systems, it was likely an infestation of ransomware — a malware scourge whose purveyors have taken to targeting hospitals and healthcare facilities. Here in the UAE, a well-known private medical centre also faced a similar attack in 2016.

If hackers manage to lock and/or encrypt the health record of a patient needing immediate healthcare attention, the patient’s life will be in danger. Securing the network and medical devices has therefore become a top priority for the healthcare industry, and now more than ever the healthcare sector must ensure that it puts patient data confidentiality on par with patient care.

Operators therefore need to acknowledge that the data is as important as their patients. Given the reliance on connected healthcare devices and the data they provide, protecting this data and the devices that monitor and treat patients is in line with protecting patient lives. The healthcare sector and medical device manufacturers therefore need to understand that securing the Enterprise of Things is vital. The Enterprise of Things is a network of intelligent connections and end points within the enterprise, including a collection of devices that enable smart product development. For device manufacturers, the focus is still almost entirely on the function of the device rather than its capacity to be secured.

Securing medical devices and the network

There are some tools that can be employed to secure medical devices. Hospitals must teach staff how to identify and avoid phishing scams, ransomware attacks, and other email-based threats. They should also ensure that all staff use secure communications tools when texting, making or taking phone calls, or collaborating with staff or patients and even insist on multi-factor authentication on all their devices.

As far as securing their technology goes, healthcare providers should also put email solutions, collaboration tools, and other critical apps in containers to protect sensitive content. Laptops and desktop PCs, tablets and smartphones, wearables, and IoT devices can be protected with unified endpoint management solutions (such as BlackBerry UEM). Giving systems a security check-up to identify potential threats is also a good idea.

Implementing healthcare technology security standards like DTSec, which promotes security from the ground up, is also a good idea. Launched in May 2016, BlackBerry’s medical device cybersecurity standard DTSec is the most comprehensive security standard for medical devices. The standard is a holistic representation of best-practice medical device security, developed with input from a variety of industry experts, ranging from university researchers and cyber security firms to nurses and medical manufacturers.

The healthcare sector must also use secure file-sharing solutions that allow them complete control over their information and the capacity to secure information safely within their borders. The healthcare industry, like other enterprises, should safeguard critical information the same way it safeguards a patient’s wellbeing.

Some organizations are especially vulnerable to ransomware attacks because they often have fewer IT resources than big companies. They may not be strictly following best practices or doing regular data backups of all critical servers. They may also have a harder time controlling their environment and ensuring employees follow their anti-phishing and other training to prevent such malware from taking root.

Healthcare systems must therefore secure their networks so they aren’t vulnerable to hackers. They must also write cybersecurity requirements into their procurement policies to force device, IT hardware, and software makers to build security into everything they sell. Finally, they need to ensure that any applications they install are user-friendly; otherwise staff will turn to less-secure shadow IT workarounds (like personal messaging, cloud storage, and other apps).

Healthcare workers must understand how mobile device policies secure Protected Health Information (PHI) and how using the healthcare organisation’s approved apps (that have been security tested) supports data security.

Device makers meanwhile must strengthen device security, including regularly patching operating systems and apps against vulnerabilities.

BlackBerry UEM software provides comprehensive, policy-based management of all the endpoint devices a healthcare organization can own. Through BlackBerry Workspaces, files such as medical records are encrypted and watermarked so that hackers cannot access them even if stolen. This allows hospitals and patients to avoid paying ransoms to attackers, and also to track down the hackers more easily.

In conclusion, it can be said that enterprise technology gives healthcare providers a way to efficiently deliver the best quality medical services, but they need to develop a strong security framework to ensure the smooth functioning of their business without compromising on patient care.