H-ISAC Hacking Healthcare 7-16-19 - Health-ISAC - Health Information Sharing and Analysis Center

#Alexa, #Cloud, State Cyber Resiliency Act

TLP White: In this edition of Hacking Healthcare, we discuss a unique partnership between Alexa and the UK’s National Health Service. We then check in on resistance to Cloud adoption in the Healthcare industry. Finally, we examine the lack of sufficient cybersecurity at the state level and what is being done to improve it.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

Welcome back to Hacking Healthcare.

Hot Links –

1. Alexa.

If you ask anyone how they envision new technologies will revolutionize the healthcare industry, they’ll likely reference developments in AI and machine learning and how they are increasing the speed and accuracy of diagnoses.[1] Perhaps they’d mention how they recently read about robotics being incorporated into surgical procedures to increase precision and control, or even how embracing cloud technology and prioritizing interoperability is ensuring that healthcare providers can quickly and securely access patient data whenever and wherever it’s needed.[2]

All of these use cases are rapidly becoming part of routine reality, but a recent agreement in the UK is attracting attention for using the rapid growth of IoT, in this case virtual assistants, to tackle a more fundamental issue—access to basic health advice and information. The UK’s National Health Service (NHS) has partnered with Amazon to provide accurate, basic healthcare advice through Amazon’s Alexa. In a world clouded with misinformation, and where anyone can post anything on the Internet, the ability to receive professionally vetted medical advice by simply asking “Alexa, how do you treat allergies?” is an interesting development. NHS hopes that this partnership will have a beneficial effect on the quality of medical advice given to individuals, while also alleviating some of the strain placed on primary healthcare providers by reducing the number of face-to-face visits for trivial issues.[3]

NHS’s view is that Amazon Alexa represents a novel way of using cutting edge technology to improve healthcare generally and it has an added benefit to users who can now receive trusted medical advice from a reputable source. It is currently unclear if this new use case will extend to geographical areas beyond the UK.

2. Bringing Cloud Back to Earth.

The Cloud has been touted, and not without reason, as having enormous potential for the healthcare industry. Improved data access, improved interoperability, and cost reductions are potential benefits of embracing cloud technologies. So why are some still resistant to the Cloud revolution?

Jonathan Armstrong from the London-based legal services firm Cordery says that it often has to do with the oversimplification of the security aspects of the Cloud architecture.[4] While many resisters argue from a philosophical point that the Cloud can never be completely secure and therefore needs to be avoided, Armstrong takes an even stronger viewpoint. He believes that cloud vendors often oversell security aspects, like the “full anonymization” of data, and has said that “every time [he has] read [about full anonymization of data he has] found it to be untrue.”[5] When it comes to personal health data, Armstrong says there are always enough details (e.g., dates, location, age, etc.) to make an individual identifiable, and that this data is really pseudo-anonymized as opposed to fully anonymized.[6] When companies have a false sense of their Cloud technologies’ data anonymization capabilities, they can accidentally become non-compliant with regulations regarding the storage and dissemination of sensitive data. Incidents like that can stoke fears and distrust of Cloud vendors’ products and can make healthcare providers reluctant to jump wholeheartedly into embracing the technology.

Another factor in healthcare’s slow adoption of Cloud technologies is the uneasiness of healthcare providers in not having complete control over their highly sensitive data.[7] Once sensitive data leaves a provider’s network and moves onto the Cloud, the exact location of that data and the security and access controls related to that data are no longer fully within the provider’s control. The risk of misconfigurations, improper or lax security, and unknown access controls can make it difficult for healthcare providers to relinquish sensitive data, especially in the face of enormous potential reputational damage and regulatory fines should something go wrong.[8] This has led to nearly 20% of healthcare organizations considering moving back to an on premises model according to a new Netwrix study.[9]

3. States Need Help.

As we covered previously, there has been a significant uptick in malicious cyberattacks against state and local governments this year. These largely unattributed attacks have cost hundreds of millions of dollars to cities and states and have exposed the lamentable state of cybersecurity below the federal level. The silver lining in all of this might be that Congress is finally taking the matter seriously. The first few federal legislative attempts to provide cybersecurity resources and training to states have not made too much headway in this contentious political climate, but the existence of legislation at all is positive sign that at least some legislators do not want to leave states and cities to fend entirely for themselves.

Perhaps the best example of legislation looking to address the issue is the State Cyber Resiliency Act introduced by Sens. Warner (D-VA) and Gardner (R-CO). The bill would create grant opportunities for states looking to improve their cybersecurity capabilities through a broad range of activities. Everything from “supporting dedicated cybersecurity and communications coordination planning” to establishing scholarships or apprenticeships for those pursuing cybersecurity training and education would be covered under one of two grant pathways.[10]

Bills like the State Cyber Resiliency Act have the potential to greatly improve the under-resourced communities they target, and this is an issue that appears ripe for bi-partisan cooperation. However, the reality is that federal cybersecurity legislation has faced an uphill battle lately. Furthermore, throwing money at the issue will likely not be enough to fix the short term problems affecting states. Many state government cyber deficiencies stem from a lack of trained cybersecurity professionals and a workforce that hasn’t been properly educated on basic cyber hygiene, both of which are problems that may take years of focused attention to improve.[11]