At GITEX 2013, His Highness Sheikh Mohammed Bin Rashid Al Maktoum, Vice-President and Prime Minister of the UAE, and Ruler of Dubai, outlined a long-term vision for a Smart Healthcare Model. As part of the model, hospitals across Dubai would begin the journey towards digitisation, with the end-result being that all hospitals in the emirate go completely paperless. In February this year, the Dubai Health Authority (DHA) announced that 96.7% of hospitals in the emirate have started the process towards a paperless environment, with the hospitals judged on an EMRAM (Electronic Medical Record Adoption Model) score, which starts at 1, and goes to 7 for completely paperless.
According to Dong Wu, president of Huawei Enterprise Middle East, this wave of digitisation is all part of Dubai’s drive to become a smart city. Indeed, he says, while smart offerings are becoming widely publicised across other verticals, it’s important to note the leaps and bounds that the healthcare industry has experienced on its path to digitisation.
“Alongside the wider Smart City discussions that are happening at a government level across the Middle East, the healthcare industry is one vertical sector in particular that is beginning to identify the significant patient and business benefits that come from a digitised infrastructure. Under national smart city initiatives, government ministries across the region are encouraging private sector organisations including those in the in the healthcare industry, to align with their visions for a better connected world,” he says.
“In order for hospitals to align with smart city plans they need to leverage ICT to improve their operational and management efficient and lower their operating costs to ensure people’s health while contributing to sustainable social development. Digital hospitals focus their development on how better to serve patients. These smart hospitals are based on digital hospitals and require a number of new medical applications to serve patients, such as network services, mobile healthcare, remote healthcare and health management.”
Unfortunately, the implications for moving towards the digital healthcare model are far-reaching from a security perspective. Digital health records are valuable in a way that even financial records fail to be. After all, if a credit card is being used fraudulently, the end-user can cancel the card, and may even be compensated by his or her bank. Personal health data, however, is much more permanent, private, and as a result, needs to be treated with the utmost care. A consumer simply won’t stand for a health institution misplacing or losing their health data.
“The greatest challenges are the risks of security breaches and loss of confidential patient data. For example, the consequences of a breach of Personal Health Information (PHI) can be severe. Medical identity theft, the fraudulent use of someone’s personal identity to obtain medical services, prescription drugs or devices, is just one potential concern. According to a recently released study from the Ponemon Institute, from 2012 to 2013, medical identity theft increased by 19%, with more than 300,000 reported incidences,” explains Nat Pisupati, regional sales director for Identity and Access Management, HID Global.
Added to this, few business verticals put as much pressure on IT as the healthcare segment. After all, along with the standard business requirements for uptime and good performance, there is the added knowledge that any technological error could result in loss of human life. And this is particularly true across hospital networks. Slip-ups are simply not an option, meaning that securing the hospital network, from both outsider threats and from a business continuity perspective, is of paramount importance.
The danger outside
Unfortunately, cyber-attackers realise the importance of personal health data as well as healthcare institutions do. And according to Maher Jadallah, regional sales manager for Cisco’s Global Security Sales Organisation, things are made worse by hospitals’ willingness to adopt new technologies. He warns that, in the desire to be cutting-edge, it can often be too easy to overlook the security aspects of a hospital infrastructure.
“Today’s dynamic computing environment in the Middle East has become the Wild West in a lot of ways — new devices, operating systems, applications, and the cloud. This creates new attack vectors for the bad guys. Yet not all customers can envision the danger associated to what hackers can do their records, such as changing medical results or for VIP customers, even sharing information with the media,” he explains.
“We believe that data security is very vital – for any organisation that uses information technology to operate, regardless of the industry, but especially healthcare. IT managers are now acknowledging the need for a more holistic approach — one that is scalable and addresses mobility, security governance, virtualisation and network policy management, in order to keep management costs in line while simultaneously providing optimal experiences and reaping savings.”
Gary Newe, senior systems engineering manager, F5 Networks, adds that the internet of things (IoT) is also changing the way that hospital IT managers need to think about their networks, given that connected IoT devices often find their way into the healthcare industry first. He says that manufacturers will have to work with experts to protect data and against vulnerabilities. This, he says, begins with the data centre and keeping medical data stored there secure and encrypted.
“In an ideal world, the healthcare sector will evolve to be more agile, adaptable and attuned to the burgeoning application economy,” he says.
Bashar Bashaireh, regional director for the Gulf and Pakistan at Aruba Networks, says that a more holistic approach is required to address hospital network security. Indeed, he even goes as far as saying that the traditional way of doing things no longer works. Instead, he advises, there needs to be a whole revamp on the way that hospitals think about security, due to confidential nature of patient records.
“The traditional way of hospitals securing their networks and infrastructure, such as port and protocol-based security focusing on attacks originating from the outside, are no longer adequate in light of increased adoption of mobility that is transforming and evolving all healthcare services. Increased proliferation of mobile devices and medical equipment requiring connectivity over efficient and reliable wireless networks is driving productivity and collaboration, yet at the same time creating serious IT security challenges as IT managers need to provide access based on user, device-type, application, and location. No user, device, or application on the inside or outside should be trusted until proven otherwise,” he says.
The threat from within
Protection against outsider threats is one thing, but hospitals also need to protect against threats from within their own walls. These could range from accidental loss of data, due to an unauthorised member of staff accessing confidential files, to fully fledged insider espionage, whereby a member of staff steals confidential data by abusing his or her access credentials.
Unfortunately, there isn’t much direct action to be taken against such threats, according to Kalle Bjorn, Middle East director of systems engineering, Fortinet. He says that the best approach, as in any other organisation, remains to implement processes and limiting access to protect against breaches. He further points out that network monitoring can be a useful tool.
“If the insider’s job requires access to the data, there is not much that can be done to prevent access – at this point it’s all about monitoring the usage. Access to data of large number of patients should raise alarms and proper follow-up should be done to see if the data access was really job-related or not,” he says.
However, HID Global’s Nat Pisupati says that there are steps that hospitals can take, from an access point of view, in order to minimise the risks of insider breaches.
“Hospitals face many security threats in an environment complicated by high traffic volumes, complex staffing requirements, and a demanding regulatory environment. Meeting modern security challenges while complying with rules and regulations, such as the recent EU data breach regulations, the UK Data Protection Act (DPA) and other regulatory mandates requires best practices for both physical and IT security, using flexible and scalable access control systems that can combat today’s evolving security threats while supporting future improvements in security and convenience,” he explains.
“It is also important for healthcare institutions to maximise the ongoing value of their investment by ensuring that ID cards used for opening doors can also be used for other applications including time-and-attendance, cashless payment and logical access control to protect IT assets and enhance patient information privacy protection.”