Electronic Health Record Archives - InnoHEALTH magazine

The Vulnerability of Medical Institutions to Cyber Attacks

InnoHEALTH Magazine — Mon, 24 Jun 2019 10:39:58 +0000

McAfee’s researchers were able to modify the vital sign data in real-time providing false information to medical personnel by switching the heartbeat records from 80 beats a second to zero within five seconds. You would have woken up to news that Medstar patient records’ database was subject to ransom ware cyber attack and was asked to pay bitcoins. Unfortunately, the hospital did not have backup of medical records and in some cases, they had to turn away the patients. These incidents, unfortunately, are not stray incidents.

There are various technologies converging and a rapid increase in machine-to-machine communications. It is predicted that by 2025, most hospitals will have the ability to network connect more than 90% of their devices. However, many hospitals are yet to make their data security systems extremely robust. Data privacy and data security are the two important pillars that need urgent consideration. Just as financial data is loved by the cyber criminals, so is health data becoming a gold-mine with the cyber offenders. Specially so when the hospitals are run on legacy systems and there is no dedicated framework or surveillance on their own data.

Personally, identifiable data is an indicator of an individual, such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.Several cyberattacks on medical institutions are initiated to extract the electronic health records (EHRs) of patients. These EHRs may contain their personal health information, medical history, diagnosis codes, billing information, etc., which can be exploited by the cyber offenders in various manners, for instance to get ransom from the medical institutions or to create fake IDs to buy medical equipment(s) or medication which can be resold or exclusively sold on prescription.

Take this example. On 12 May 2017, a global ransomware attack, known as WannaCry affected more than 200,000 computers in at least 100 countries. The ransomware attack also affected 80 out of 236 trusts (medical institutions under NHS) and further 603 primary care and other National Health Service (“NHS”) organisations were infected with the ransomware virus including 595 general practitioners. The trusts which were affected with WannaCry ransomware faced issues like patient appointments being cancelled, computers being locked out, diversion of patients from accidents and emergency departments, etc.

As reported in the investigation report on the WannaCry ransomware attack on NHS, published by the National Audit Office (“NAO”, an independent parliamentary body in the United Kingdom), all NHS organisations infected with the WannaCry virus had unpatched or unsupported Windows operating systems. NHS Digital (a national provider of information, data and IT systems for commissioners, analysts and clinicians in health and social care in England) informed the NAO that the ransomware spread via the internet, including through the N3 network (the broadband network connecting all NHS sites in England), though there were no instances of the ransomware spreading via NHSmail (the NHS email system).

In India, as reported by multiple news agencies, last year in the month of June, the Mahatma Gandhi Memorial (a trust-run hospital) hospital, Mumbai (MGM Hospital) was affected by a similar cyber-attack where the hospital administrators found their systems locked and noticed an encrypted message by the attackers demanding ransom in Bitcoins to unlock it. It was reported that the MGM Hospital had lost 15 days’ data related to billing and patients’ history, though the hospital didn’t face any financial loss.

Once these cyber offenders have access to the EHRs, they hold the systems of the medical institutions hostage for ransom, by encrypting all the systems completely inaccessible and unusable for the victimised medical institutions. The vulnerability to such cyberattacks may account to various reasons, such as outdated digital infrastructure, medical personnel unaware or untrained about cyberattacks. Cyber offenders may gain access to medical institutions’ systems through various ways and sometimes as simple as (a) using a USB drive; (b) exploiting vulnerable or expired software, (c) stealing medical personnel’s mobile devices, (d) hacking email or (e) phishing, etc. It is time that our healthcare providers upgrade their technologies, networks, and understanding on this subject.

Regulatory bodies across the world have suggested / adopted guidelines and cybersecurity processes and controls which help the medical institutions to mitigate cyber risks and vulnerabilities. In this article, we will be primarily focusing on various safeguards and standards put in place by the European Union and India to deal with such cyberattacks.

SCENARIO IN EUROPE

As a part of the EU cybersecurity strategy, the European Commission standards to ensure necessary adopted the EU Network and Information Security Directive (“NIS Directive”) on 6 July 2016 and it came into force in August 2016. As the NIS Directive is an EU directive, every member state had to adopt a national legislation which would transpose the NIS Directive by 9 May 2018 and identify operators of essential services under the transposed law by 9 November 2018.

The NIS Directive has three major parts to it (a) national capabilities, (b) crossborder collaborations and (c) national supervision of the critical sectors including health.

(a) National Capabilities: The NIS Directive mandates every member state of the EU to have certain cybersecurity capabilities, e.g., it is a mandate for every member state to have a national Computer Security Incident Response Team (“CSIRT”).

(b) Cross Border Collaborations: The NIS Directive encourages collaborations between EU member states like the EU CSIRT network, the NIS cooperation group, ENISA etc.

(c) National Supervision of Critical Sectors: As per the NIS Directive, every member state shall supervise the cybersecurity of critical market sectors in their respective country including health sector.

Further, as a part of the NIS Directive the NIS cooperation group through ENISA has developed guidelines regarding (a) identification criteria of cyberattacks, (b) incident notification, (c) security requirements for Digital Signal Processors (DSPs), (d) mapping of operators of essential services (OES) security requirements for specific sectors including health and (e) audit and self-assessment frameworks for OESs and DSPs.

With a view to prescribe certain standards of safety and quality, three recognised EU standards organisations namely (a) the European Committee for Standardisation (CEN), (b) the European Committee for Electro-technical Standardization (CENELEC) and, (c) the European Telecommunications Standards Institute (ETSI) were set up. By setting common standards across EU, CEN, ETSI and CENELEC ensure protection of consumers, facilitate cross-border trade, ensure interoperability of goods/ products, encourage innovation and technological development, and include environmental protection and enable businesses to grow.

The General Data Protection Regulations (“GDPR”) specifically define ‘data concerning health’, ‘genetic data’ and ‘biometric data’ and regards them as ‘special category of data’. This means that parties who are processing special category of data shall comply with additional higher safeguards and process it legitimately. Recital 53 of the GDPR states that special categories of personal data which merit higher protection should be processed for health-related purposes only.

THE INDIAN SCENARIO

Personal medical/health information in India is regarded as sensitive personal information as per the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011 (“Rules”).

The Indian legislature took an important step for addressing issues relating to cybersecurity when it amended the Information Technology Act, 2000 in 2008, through which they established an Indian Computer Emergency Response Team (CERT), a national agency for incident response. CERT is primarily responsible for handling cybersecurity incidents occurring in India and analysing information related to cybercrimes, but among other things CERT is also indulged in issuing guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incident.

CERT-India has been entrusted with performing the following main functions (a) collecting, analysing and disseminating of information on cyber incidents, (b) forecasting and giving alerts on cybersecurity incidents, (c) laying down emergency measures for handling cyber security incidents, (d) coordinating cyber incident response activities, (e) issuing guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents, and (f) performing any other functions relating to cybersecurity as may be prescribed.

CERT-India in the last five years or so has focused on making various institutions who are highly dependent on cyber/digital networks, i.e. are ‘cyber resilient’. Being cyber resilient allows these institutions to effectively anticipate the various threats and figure out the mechanisms of dealing with the cyberattacks. Anticipate, withstand, contain and recover are the 4 main contours of being cyber resilient.

Anticipate: Maintain a state of informed preparedness to forestall compromises of mission/ business functions from adversary attacks
Withstand: Continue essential mission/business functions despite successful execution of an attack by an adversary
Contain: Localize containment of crisis and isolate trusted systems from untrusted systems to continue essential business operations in the event of cyberattacks
Recover: Restore mission/business functions to the maximum extent possible subsequent to successful execution of an attack by an adversary
Evolve: To change missions/business functions and/or the supporting cyber capabilities, to minimize adverse impacts from actual or predicted adversary attacks

To strengthen the framework and ensure that reasonable security practices and procedures are followed, the Department of Information Technology introduced certain rules. The rules require each and every corporate body including medical institutions who collect sensitive personal information to have security measures as documented in their security policy/programme which is considered to be a reasonable security practice, keeping in mind the nature of their business and considering the fact that they are collecting sensitive personal information. One such international standard as recommended under the Rules is the IS/ISO/IEC 27001.

Taking a step further, the Ministry of Health and Welfare has introduced a draft bill for Digital Information Security in Healthcare Act (“DISHA”). One of the key purposes of DISHA is to ensure reliability, data privacy, confidentiality and security of digital health data. DISHA prescribes that the storage of digital health data so collected would be held in trust for the owner and the holder of such data would be considered as the custodian of data, thereby making such holder responsible to protect privacy, confidentiality and security of data.

To bring it all together:

Majority of the cyberattacks reported worldwide are caused due to reasons which sometimes are trivial and perhaps ignored more often, such as outdated Windows operating system patch, lack of proper antivirus or reasons such as phishing, lack of awareness among the people about cybersecurity, etc.

The EU, through GDPR has made data security an integral part of law and India is taking strong steps to set up a robust data protection and data security law. Various regulations, programmes, codes, standards, etc., discussed in this article are some key indicate steps that can be implemented.

Law is just one part to solve the issue. The real question is who is responsible for safety of our personal data, commercial data, data assets, etc.? We secure our houses with a lock, burglar alarms, video cams because the house owner wants to protect it. Similarly, individuals, organizations, healthcare personnel, hospitals and other institutions who collect health data for multiple reasons should be aware of various cyber-threats and must take steps to safeguard their networks and systems from such threats.

About the author:

Sharda Balaji is the founding partner of NovoJuris Legal, and along with being a qualified lawyer is also a company secretary and has been at the core of evolution of technology and IT laws in India.

Manas Ingle is a legal associate at NovoJuris Legal and works as a technology lawyer, where he deals with various legal projects relating

The post The Vulnerability of Medical Institutions to Cyber Attacks appeared first on InnoHEALTH magazine.

Indo-Danish Relationship in Healthcare

InnoHEALTH Magazine — Tue, 07 May 2019 10:12:36 +0000

Peter Taksøe-Jensen is the Danish Ambassador to India, Bhutan, Maldives, and Sri Lanka, Nepal since August 2015. Prior to this, he served as the Ambassador to the United States from 2010–2015. He has worked in various areas of ministry which include the Security Policy Department, Legal Service, and the European Union Law Department and on various government commissions. Taksøe-Jensen obtained his law degree from the University of Copenhagen. Dr. Jasmeet Kaur interviews him on his viewpoint on the current scenario in healthcare.

Q. What are the updates for 2019 regarding Indo-Danish relationship in Healthcare?

The relationship between India and Denmark is becoming better each day. In December 2018, the Foreign Ministers of both the countries met in New Delhi and relaunched the Indo-Danish Joint Commission, which provides the framework for all strategic sectors’ cooperation including healthcare. This breakthrough paved the way for the Danish Prime Minister’s visit to India in January this year. Among other things, he participated in Vibrant Gujarat spearheading a Danish business delegation, where he also met with Prime Minister Modi. The purpose of these visits was to strengthen political and economic ties between India and Denmark because both countries will benefit tremendously from increased interaction and business collaboration. In this regard, healthcare is a key focus area for 2019. This decision is based on the success of two large projects in 2018; one is focused on non-communicable diseases and the other on attaining the SDGs within healthcare. We were able to develop concrete grounds for working in a focused manner in this field and assist Danish companies looking to gain a footing in India. Several Danish companies are already established in the Indian market including Novo Nordisk, Widex, Coloplast, Fertin, Falck and many more are expressing their interest.

Q. The Danish Health System is incorporating changes for good in recent past with new hospitals and other delivery mechanisms, can you share your viewpoint on the relevance of them to India?

The Danish health system is a publicly funded scheme, which covers all Danish citizens. There is a lot Denmark can contribute to India in terms of know-how and sharing of best practices. Areas where Denmark can assist India to include:

Digitalization of some solutions to address the challenges that exist in the current healthcare system. Denmark is a leader when it comes to digital workflows and working with electronic health records. Like in India, there are multiple stakeholders within the healthcare system (doctors, patients, nurses, local and state authorities, pharmacies, etc.) that are bound to work together but at the same time operate as individual entities as well. Denmark managed to achieve a high level of efficiency by digitalizing processes and thus, improve efficiency.

Digitalization has helped Denmark save both time and money. These learnings can be adopted in India to bring down costs in public as well as private set-ups.

Empowered its patients allowing them to access all relevant information about their health and well-being. I believe that the Indian government’s launch of Ayushman Bharat Scheme is also a move in a similar direction and with the similar intent of providing better healthcare access to all. Therefore, I see a great scope of collaboration and partnership between the two countries.

Other areas where Denmark has done exceptionally well is the use of Telemedicine for connecting patients in remote locations and reduce time at the hospitals.

The Danish hospital system is undergoing unprecedented expansion and restructuring. Denmark has spent years of research and gathered experts from all over the world to develop 5 new national super hospitals and renovating 11 existing hospitals. India can leverage this knowledge while it is at a stage where there are still new hospitals getting on.

Q. What can India offer to Denmark, your opinion?

One of the common areas of work between Denmark and India is dealing with NCDs. It is a global challenge. Denmark is currently investing a lot in developing solutions to address this global multifaceted issue. Our research environments, universities, and companies are trying to create products that could be suitable not only for Denmark but across the globe. One of the very specific things Denmark could explore is:

India has a lot of data available and Denmark could collaborate with India to develop solutions and therapies.

India is a bigger country with a much bigger amount of data; this can be utilized to further make the Danish healthcare sector more effective.

Furthermore, private players dominate the Indian healthcare sector, which has created different incentives and quicker implementation time. Both learnings from private players and data from India can be beneficial to the Danish healthcare sector.

Q. Any message for the readers of InnoHEALTH Magazine that you want to share?

Healthcare is a global challenge, and we need global solutions to attain the Sustainable Development Goals. Having in mind that 17 percent of the world population lives in India, it is safe to say that if India fails, the world will not succeed. Therefore, the strategic sector cooperation between Denmark and India is very important.

The post Indo-Danish Relationship in Healthcare appeared first on InnoHEALTH magazine.

How Crucial is DISHA Act for Healthcare Industry?

InnoHEALTH Magazine — Mon, 17 Dec 2018 08:56:22 +0000

“A journey of a thousand miles begins with a single step.” The Digital Information Security in Healthcare Act (‘DISHA’) is that firm first step taken by the Indian Government in the long journey to secure the healthcare data of patients in India. The question we need to ask ourselves is that Why DISHA is the need of the hour? Why do we need to safeguard the electronic health record in hospitals?

The draft of the act was made public in November 2017 by Ministry of Health and Family Welfare. The word ‘Disha’ means direction, the GoI has taken the first step in the direction of safeguarding the digital health record. For this InnovatioCuris has also taken the first step towards having a concrete discussion about ‘Challenges in the implementation and opportunities for making health sector DISHA and data protection ready’. There were panelists from various renowned government, private hospitals, and healthcare IT firms.

The first session was about the ‘Challenges in the implementation of DISHA’. The panelists were happy that InnovatioCuris has taken an initiative to critically discuss the challenges a hospital will face once the act becomes the law. All the panelists agreed that the act lacks various aspects. Few concerns that bother the clinicians are, that who will give the consent if the patient is unconscious.

The ambulances have the capability that it sends the health records from the ambulance to hospital before the patient reaches the hospital for doctors to study the emergency cases. In this scenario, what should be done if a patient denies the consent for sharing the data at a later stage? Should the clinical establishments discard the already shared health record or should they handover the same to the owner (in this case, patient) or what should be done. There are no set protocols defined in the act for such cases.

A question was put forward, does the patient has the authority to edit their health record, or can they view, who have seen their health record. A healthy discussion took place where we got to know that citizens of Estonia have chip cards, where one can see their health record and can also see the logs of who has accessed their health record. This made us realize, that India as a nation state can use Aadhar card as a mechanism, where we can log in into a portal and get to see health records.

The third challenge that came forward was interoperability of health records. As the record lies with the custodian, not the patient, editing and viewing of it can be done by the clinical establishments. The health record can be shared by the clinical establishments to another, but there is no standard on how to transfer it. Data integrity is a point of concern, which is not mentioned in the act.

One of the challenges that came into light was according to ‘Clinical Establishment Act Standards for Hospital[2]’ the hospital has to keep health information and statistics in respect of national programmes, notifiable diseases, and emergencies/disasters/epidemics and furnish the same to the district authorities in the prescribed formats and frequency. The question is what if the patient does not give consent. The proposed act should have a provision where the clinical establishments are liable to take the health data.

As we have unstructured healthcare facilities in India, the act should also empower the clinical establishments by various means to keep the data safe. As of now the DISHA is a proposed act, not a law and has lots of loopholes. It also lacks in many aspects discussed earlier. This is just a start and the government should take necessary steps to improve it.

The second panel discussed on ‘Opportunities for making health sector DISHA and data protection ready’. The panelist consisted of CIO of path labs, owners of healthcare IT firms, who shared relevant thoughts and comments. The panel started the discussion on why do we need the act and what are the benefits of the act. Panelist were grateful to the government to bring the act. They told that the clinical establishments will take steps to increase the safety of the health record.

The gaps in the technology for generation, storage and transmission will be lowered down. Sectors such as banking, financing and insurance have structured their data, but this lacks in healthcare. Detailed scope of security features are missing from the act, this would help the companies to design the software from the ground up by using security as an important consideration.

The imminent threat is in the software which are already in place and have not been patched or the system has not been upgraded. The good news is that many have an audit trail in built in their system, which track any CRUD(creation, read, update, delete) of the records. The discussion contributed a fruitful thought: Data at rest is not encrypted. The question that arises is what is preventing the healthcare IT companies to encrypt the data at rest.

One of the challenge in the DISHA is that, the owner of the data must be informed of any breach of the privacy or confidentiality of their digital health record within three days. But according to IBM report it takes on an average of 197 days to detect a breach[1]. How can the Healthcare IT companies safeguard the health record and let the owner know about the breach. The solution is to encrypt the tables in the database, but that might hamper the performance.

It is a huge opportunity for the stakeholder to bring standards in the act. DISHA might have only completed its first round of comments from the public and stakeholders, it can be expected that the revisions made based on the feedback will churn out a more refined version of the act. In any case, it is evident from the draft that the government has really pushed to provide additional security, privacy and confidentiality for individuals, with respect to their digital health record.

The post How Crucial is DISHA Act for Healthcare Industry? appeared first on InnoHEALTH magazine.

Artificial Intelligence Coming Big Way in Healthcare Sector

InnoHEALTH Magazine — Mon, 19 Nov 2018 10:13:51 +0000

Brig Arvind Lal, CMD of Dr Lal Path Labs, is a pioneer in bringing laboratory services in India at par with the western world. In 1977, he took charge of the medical diagnostics laboratory founded in 1949 by his late father. Under his expert guidance and leadership, the initiative has become one of the most reputed laboratories in Asia, having to its credit quality accreditations from various national and international bodies.

The critical care environment has undergone significant alterations in the past several years. This has happened because our lifestyles in the fast-paced lives of modern India are ensuring that most people, in the age group of 30-50 years are falling prey to life-threatening cardiac diseases and strokes, in addition to diabetes, hypertension, cancers, liver, kidney and lung diseases – these diseases being called Non-Communicable Diseases or NCDs. They are now responsible for killing more than 65% of our population says Dr Arvind Lal, known for his diagnostic labs across the country.

Flagging concerns on such trends, these patients need high-cost intensive care, be it for complications of heart attacks, strokes, diabetes, hypertension, cancer or lung diseases. This is where the importance of Point-of-care testing (POCT) comes in. It helps in almost diagnosing the patient instantly and improves the physician’s ability to take immediate corrective action and decreases hospital stay. One such test is Troponin – that has revolutionized cardiac care by diagnosing heart attacks or myocardial infarction.

This article is based on the keynote address on the occasion of 2nd Annual International InnoHEALTH Conference 2017 – ‘Transforming Healthcare Through Innovation’ in New Delhi, said there are numerous promising diagnostic technologies. The key message is that in a country where 70% of the population lives in rural surroundings, ‘it is our duty to rapidly adopt disruptive innovative affordable technologies including telemedicine. Thus, our underserved population would be able to avail of the best treatment possible and bring in massive visible change’. He said the importance of bringing quality healthcare needs no reminder and the time has come for India to change the direction of healthcare for the masses.

Healthcare is a right – and access to good healthcare should not depend on where one lives and how much he or she earns. But sadly, that is exactly what plagues India’s healthcare today, he lamented. India faces a severe shortage of both hard infrastructure and talent. With about one doctor and one functional bed per 1000 population, healthcare is truly underserved in India. Add to this the regional imbalances and variations in healthcare delivery. The healthcare infrastructure is skewed towards urban over rural India.

Although rural India accounts for about 70% of the population, it has less than one-third of the nation’s hospitals, doctors and beds, resulting in large disparities in health outcomes across urban and rural India. British Medical Journal (BMJ) has observed that there is a remarkable saving of lives in India if good healthcare facilities consisting of operation theatres, surgeons, anaesthetists, blood banks are available within 50 kilometres of the patient providing quality medical services within the ‘golden hour’.

Though there has been a sea change in the last five decades, India now needs to reinvent the field of diagnostics as laboratory tests are responsible for 70% of all clinical or medical decisions.

In today’s life where internet rules the roost, the patients have become very knowledgeable, thanks to the globalisation of healthcare, and are demanding very high-quality healthcare for themselves. They are insisting on a very wholesome and satisfying experience rather than being told that the ‘treatment is over’.

Soon, a time will come when the tests shall be ordered by the patients based on clinical history and clinical findings that shall be answered by an Artificial Intelligence (AI) application. Artificial intelligence has already found several areas in healthcare from the design of treatment plans to assist in repetitive jobs to medication management and drug designing. The most obvious application of artificial intelligence in healthcare is data management. Collecting it, storing it, normalizing it, tracing its lineage – it may well be the first step in revolutionizing the existing healthcare systems.

Recently, the AI research branch of the search giant, Google, launched its Google Deepmind Health project, which is used to mine the data of medical records in order to provide better and faster health services. The project is in its initial phase, and at present, they are working with Moorfields Eye Hospital of NHS Foundation Trust, UK to improve eye treatment.

Just a few years ago the patient after giving the sample used to come back in the evening to the lab to collect a physical copy of the test report. This was replaced by making the report available on the internet that could be downloaded by the patient in the comfort of his home. These days this has been further replaced by making available an App on his mobile phone wherein he can book an appointment for the sample to be collected at home and the report being later available on the same mobile App.

‘IBM Watson, whose headquarters I had the privilege of visiting a few months back in the Silicon Valley, is an AI-based engine that has launched its special program for oncologists to provide clinicians evidence-based treatment options. The program has an advanced ability to analyze the meaning and context of structured and unstructured data in clinical notes and reports in its encyclopedic memory that may be critical to selecting a treatment pathway’. IBM launched another algorithm called Medical Sieve. It is an ambitious long-term exploratory project to build a next-generation ‘cognitive health assistant’ that is able to analyze radiology images to spot and detect abnormalities faster and more reliably. This shall help radiologists in the future to look at the most complicated cases where human supervision is essential.

[/vc_column_text][/vc_column]

‘Wearable Tech is another area which I am personally very excited about. It has the potential to change the world as it helps people understand their own bodies by using mass data collected on a daily basis. From fitness bands to smartwatches to eye based wearables, they are being adopted widely. Take the case of Zephyr’s Anywhere Bio Patch which is an FDA-approved, small device that is attached to a patient’s chest and monitors their vitals minute-by-minute and collects medical-grade data for doctors’ use. These devices will connect our organs digitally, enabling disease detection at very early stages. It has the potential to bring down cardiac and other deaths drastically. This offers immense potential to do remote testing, monitoring and thus assisting the doctor in timely treatment’.

[/vc_row]

Point of Care Testing: Technological advancements in laboratory automation, including POCT, and initiatives to increase patient satisfaction are transforming the clinical laboratory market. POCT has come a long way from a handful of simple tests to a multibillion-dollar global market that holds great promise for the future. Not so long ago, laboratory data would often arrive at the bedside too late to be of significant use in the active, continuing care of critically ill patients. Now, most clinicians acknowledge that POCT is a prerequisite for early recognition of life-threatening conditions as they require that laboratory results are made available in real-time and, if possible, at the critically ill patient’s point of care. The College of American Pathologists defines POCT as tests designed to be used at or near the site where the patient is located, that do not require permanent dedicated space, and that are performed outside the physical facilities of the clinical laboratories.

Examples include kits and instruments that are hand-carried or transported to the vicinity of the patient for immediate testing at that site (e.g. capillary blood glucose) or analytical instruments that are temporarily brought to a patient care location (like operating room, intensive care unit). In many cases, the simplicity was not achievable until technologies developed that was simple and affordable. For example, various kinds of urine test strips have been available for decades, but portable ultrasonography did not reach the stage of being advanced, affordable and widespread until recently. Similarly, pulse oximetry can test arterial oxygen saturation in a quick, simple, non-invasive, affordable way today, but in earlier eras, this required an intra-arterial needle puncture and a laboratory test. Thus, over decades, testing continues to move toward the point of care.

The lab-on-a-chip (LOC) is another device that integrates one or several laboratory functions on a single integrated circuit (commonly called a “chip”) of only a few square centimetres to achieve automation and high throughput screening. Imagine that a patient comes to one of our 2,100 collection centres in the remote tier three or tier four towns in India with the high fever. We take a drop of blood from his finger and inform the clinician almost immediately that the patient is suffering from Chikungunya and not from Malaria or Typhoid, or Dengue fever or Japanese Encephalitis – all in a matter of minutes! The driving notion behind POCT is to bring the test conveniently and immediately to the patient. Needless to add, the patient’s data by POCT shall be made available to update the patient’s electronic health records (EHR).

Talking about POCT Instruments: Currently, two broad type of POCT instruments are available: Small benchtop analyzers (for example, blood gas and electrolyte systems) and handheld, single-use devices (such as urine albumin, blood glucose, and coagulation tests). Now let us talk about if POCT is Boon or Bane? The strong point of POCT is speed and the rapidity with which it shall save lives in emergencies. As India marches towards quality healthcare delivery, in course of time regulatory compliances shall have to be adhered to in the interest of the patient’s health.

The post Artificial Intelligence Coming Big Way in Healthcare Sector appeared first on InnoHEALTH magazine.

RANSOMWARE EPIDEMIC – WHO IS NEXT?

InnoHEALTH Magazine — Fri, 17 Nov 2017 09:59:44 +0000

[vc_single_image image=”939″ alignment=”center” onclick=”link_image” qode_css_animation=””]

Nimisha Singh Verma is Healthcare IT consultant. She brings with her experience of various esteemed healthcare organizations Optum, Religare Technologies and tertiary care hospitals. Authored chapter on Indovation in Innovations in Healthcare Management: Cost Effective and Sustainable Solutions book published in US.

[vc_empty_space]

Ransomware epidemic is spreading in healthcare like wildfire due to its increasing digitalization which is and will attract more attention of hackers.

[vc_empty_space]

The healthcare industry has been a victim of various cyber attacks in the last few years. According to recent studies, healthcare has outnumbered financial services and become the most cyber attacked industry. The latest in cyber-attack is ransomware wherein the hacker encrypts the data and threatens to publish it until the ransom is paid in form of bitcoins. In US alone, healthcare industry was the victim of 88 per cent of all ransomware attacks across industries last year.

The recent case of WannaCry ransomware crippled the IT systems of NHS, UK. And after hitting NHS, it spread globally targeting more than 99 nations. The hackers demanded payment of £300 – £600 to unlock systems and have earned about £55,000 in ransom.

Ransomware has indeed become a lucrative revenue source for hackers due to which the number of attacks is predicted to quadruple by 2020. Medical records have 10-20 times more value than the credit card data in the internet black market. Ransomware epidemic is spreading in healthcare like wildfire due to its increasing digitalization which is and will attract more attention of hackers. Also, the vulnerability of the health data tends the organizations to pay the ransom to get the data back to maintain privacy and confidentiality of patient data.

Even after so many cases of cyber attacks compromising millions of electronic health records each year, the healthcare industry is inadequately prepared to prevent and resolve these attacks. Whether it is India or US, cyber security is always discussed in forums and budget is allocated for the same but is not put to proper use. Cyber attacks happen due to outdated security infrastructure or employee negligence.

Hospitals and insurance companies have been the main targets of hackers. But, a new vulnerability is catching everyone’s attention i.e. medical devices. The next nightmare in ransomware attacks could be hacking of medical devices such as insulin pumps, pacemakers, defibrillators, implants etc.

Disfunctioning of medical devices can be catastrophic. Just imagine, hackers take control of one’s pacemaker and ask for ransom or else they would manipulate the device which could be fatal. This kind of attack has been showcased in the very famous TV show Homeland wherein the Vice President dies due to hackers remotely disable his pacemaker.

Just like the serial, the former US Vice President Dick Cheney’s doctors disabled his pacemaker’s wireless functionality due to fear of possible assassination attempts as revealed by him during an interview in 2013. This clearly showcases that medical devices can be the next target for hackers.

Regulators such as FDA are increasingly getting concerned about medical device security and have issued warning. In 2015, for the first time FDA issued safety notice to hospitals which strongly discouraged hospitals to use an infusion pump which was found to be vulnerable to cyber attacks. But it has been observed that FDA did not force the company to fix the devices being used in the hospitals and didn’t investigate other insulin pump models. This shows that FDA needs to be more stringent towards medical device security. The vulnerability of infusion pump was pointed out by a white hat hacker Billy Rios during his hospital stay.

[vc_single_image image=”2367″ img_size=”medium” alignment=”center” onclick=”link_image” qode_css_animation=””]

[vc_empty_space]

Few of the medical device companies/providers have been proactive in strengthening their device security such as Johnson & Johnson in Oct 2016 warned 114,000 diabetic patients about a security lax that a hacker could exploit in one of its insulin pumps (J&J Animas OneTouch Ping). The hackers can disable or alter the dosage which could be fatal. J&J suggested ways to the patients for mitigating risk.

There have been no documented cases of medical device hacking till date but demonstrations have been conducted in research environment. One such example is of Barnaby Jack who succeeded in hacking an insulin pump and demonstrated giving off lethal dose of insulin without the pump alerting the user. Another example is that of St Jude Medical’s implantable devices such as pacemakers, defibrillators, and resynchronization devices. The radio frequency (RF) enabled St. Jude medical implantable cardiac device and corresponding Merlin@home Transmitter enables transmitting and receiving patient data stored on the device to the physician to monitor his health. But FDA reviewed the device and confirmed about cybersecurity vulnerabilities, if exploited, could be fatal.

Also, researchers at TrapX Security analysed three hospitals for medical device hacking. The deception technology was installed which utilized emulated medical devices in the hospitals. These emulated devices attract and trap hackers so that TrapX could trace the hackers activity. These fake medical devices such as Radiation Oncology system, LINAC , Fluoroscopy, PACS and Xray system appeared real to the hackers and TrapX could monitor hacker’s activity.

According to TrapX, these hospitals utilized older version of Windows that made it vulnerable and most medical devices did not have additional endpoint security software which made the attack undetectable. It was also noticed that the main goal of hackers was to steal medical records not to manipulate the device.

Another research at University of South Alabama showcased how they hacked pacemaker and killed a medical simulator called iStan. The $100,000 medical dummy comes equipped with robotics that mimic the human cardiovascular, respiratory, and neurological systems. The researchers could speed the heart rate up or could slow it down. Not only pacemaker, researchers could manipulate an insulin pump or a number of things that would cause life-threatening injuries or death. This clearly illustrates why medical device security is important.

With the advent of IoT, where devices are connected via internet should focus on cyber security. Industrial experts are realizing that cyber security is prime priority for all the devices connected to the internet.

Devices such as wearables, smart bed, smart emergency system, etc. are all lagging behind in cyber security. Apart from medical devices, surgical robots are not being scrutinized for cyber security. Just imagine, surgical robots been hacked which could lead to life threatening situation of the patient. One such demonstration has been showcased by researchers at University of Washington in 2015. They hacked a tele-operated surgical robot, Raven II. The experiment demonstrated three types of attacks that made telesurgery vulnerable with this robot. The researchers demonstrated how they took complete control over the robot and disrupted the operation.

[vc_empty_space]

All of this sounds scary but it can be prevented if we are well prepared. It is important to understand that not only regulators like FDA need not address the challenge of cyber security but also the medical device vendors and providers should take shared responsibility. It has been observed that providers point the device manufacturers to be accountable for cyber security for responding to vulnerabilities and providing fixes for the same.

On the other hand, the device vendors hold providers responsible for their negligence and having outdated network protection. To be safe from such attacks, organisations should review their cyber defence strategies and budget. Also, employee training and awareness needs to be tackled to avoid falling for opening phishing mails and change passwords regularly.

[vc_single_image image=”2369″ img_size=”medium” alignment=”center” onclick=”link_image” qode_css_animation=””]

[vc_empty_space]

It has also been observed that providers such as middle scale hospitals, clinics or laboratories have often overlooked cyber security as priority as they believe not much data is present with them and only the big organisations are in trouble. Which is not true, as hackers are aware of the precious financial and patient data these clinics hold and are aiming at clinics or small hospitals also to get the data. So, they should also focus on medical device security.

The next big thing in helping fight against cybersecurity is artificial intelligence (AI). According to some analysts, the advantage of using AI is it can help predict cyber attack before it happens with the use of behaviour analysis. It alerts security team on any behaviour deviation or authentication failures while accessing records. AI not only helps in detecting threats quickly but it is also cost efficient compared to the money paid by companies in ransom. It does not replace security tools but acts as an additional layer of security. AI can also help in analysing employee behaviour for avoiding any internal security breach. AI can help in bridging the shortage of skilled cyber security professionals also. According to Centre for Cyber Safety and Education, there is a shortfall of 1.8 million cyber security professionals by 2022 worldwide. Companies such as IBM are already investing in AI system Watson for cyber security.

Also start-ups such as Cognetyx are providing cognitive cyber surveillance solution to healthcare organizations. Use of AI for cyber security in other areas has been showcased, for example, the Las Vegas city officials and UK government to monitor their Public Services Network and protect their records from security threats. Whereas, the successful implementation of AI in healthcare cyber security is yet to happen.

The next wave of medical device cyber attacks can be prevented by collaborative approach and commitment from all the stakeholders. Not only the healthcare organizations should make sure their security practices and strategies are updated but the government should also help in skill development of cyber security professionals and encourage more research on medical device security by providing medical device at low cost. Since medical devices are expensive and require license, it makes it difficult for researchers to explore this area. At the end, we should not forget that we have to stay a step ahead of hackers to be a hard target for them.

[vc_empty_space]

Want to write for InnoHEALTH? send us your article at magazine@innovatiocuris.com

Read all the issues of InnoHEALTH magazine:
InnoHEALTH Volume 1 Issue 1 (July to September 2016) – https://goo.gl/iWAwN2
InnoHEALTH Volume 1 Issue 2 (October to December 2016) – https://goo.gl/4GGMJz
InnoHEALTH Volume 2 Issue 1 (January to March 2017) – https://goo.gl/DEyKnw
InnoHEALTH Volume 2 Issue 2 (April to June 2017) – https://goo.gl/Nv3eev
InnoHEALTH Volume 2 Issue 3 (July to September 2017) – https://goo.gl/MCVjd6

Connect with InnovatioCuris on:
Facebook: https://www.facebook.com/innovatiocuris
Twitter: https://twitter.com/innovatiocuris
Linkedin: https://www.linkedin.com/groups/7043791
Stay update about IC by visiting: www.innovatiocuris.com

The post RANSOMWARE EPIDEMIC – WHO IS NEXT? appeared first on InnoHEALTH magazine.