When the World Health Organization declared COVID-19 a pandemic in 2020, digital health moved into the spotlight as we sought new and effective ways to deliver healthcare safely and at scale. While these digital technologies created new benefits and efficiencies, they also increased healthcare’s attack surfaces and gave cybercriminals the opportunity to breach vital digital infrastructure.
When we consider that the number of healthcare breaches in the first five months of 2022 nearly doubled compared with the same period last year in the US, it’s clear that steps need to be taken to mitigate this risk.
To an extent, companies can rely on the Health Insurance Portability and Accountability Act (HIPAA) in the USA and ENISA in the EU for guidance on best practices in cybersecurity, but compliance does not equate to security.
The speed and sophistication of today’s cybercriminals have made it clear that healthcare organizations must become individually responsible for testing and validating their cybersecurity programs, adopting proactive rather than reactive security postures.
The FBI has repeatedly identified healthcare as the sector most targeted by cyberattacks. The healthcare industry sustains higher financial losses from breaches than any other industry, with an average of over $7 million per attack in 2020, representing a 10% increase on 2019 figures.
How Can a Digital Therapeutic Company Get Cybersecurity Right?
Standing still is not an option given the current healthcare cybersecurity landscape – modern security requires constant vigilance and preparation to ensure readiness for an attack. We need to shift from a reactive to a proactive mindset, and to help us understand what that means in reality, Sidekick Health’s Compliance Officer, Kristinn Gylfason, talks about the best ways to meet modern cybersecurity demands.
1. The pandemic led to an explosion of medical devices and connected devices within the healthcare industry. This digital acceleration created a gap between advances in digital maturity and advances in security maturity. How has this digital transformation changed the healthcare threat surface?
Yes, the digital healthcare industry exploded in the pandemic, but the same can be said for attacks and other malicious behavior. With more and more people using digital healthcare solutions, the odds that someone somewhere stores or handles his/her own data or others’ data in a careless manner will naturally increase. This is a given. It’s for this reason that Sidekick and other digital health companies should be, and are, putting a lot of emphasis on cybersecurity and privacy matters.
Security measures should be a differentiator between products to the extent that products that are not focused on security are not selected for use. Steps toward this goal have already been taken. For example, the FDA is putting stronger and stronger cybersecurity requirements in place as a precautionary measure and a prerequisite for market authorization.
This is more important than ever. It’s as if there was a five times increase in traffic on the roads, but some of the new cars have no seatbelts, even though everyone knows they exist and should be there. It’s basically common sense.
2. What would you consider to be the cybersecurity gold standards?
Good coding practices are one of the most important and effective ways to increase security. At Sidekick, all code is subjected to an independent code review. In other words, someone who is a subject matter expert, but did not write the code will review it. The review is centered around quality and security.
We also apply numerous automatic ways to increase our code’s security. For example, we run dependency checks on the Open Source packages we use, along with vulnerability scans on the code against known weaknesses. We also perform a Docker image scan to review our third-party dependencies.
These approaches are very effective, but we take things a step further by getting an independent cybersecurity firm to perform an annual white-box penetration test. During this process, we put everything we’ve built in scope for them to poke at and try to find weaknesses in. This is a helpful way of getting great insight into the mind of a malicious person.
Sidekick’s infrastructure is cloud-based. We monitor the cloud we operate in with automatic tools that prompt our teams if anything unusual happens.
3. What are the core cybersecurity considerations for medtech, including device set-up and system integration?
Users’ sensitive data is one of the largest threats. Other aspects are the integrity of the information and possible treatment being delivered to the users (patients). If some malicious third party intervenes and disrupts the information delivered to the user, this could have serious consequences.
This goes both ways. If a malicious attacker is able to interrupt the delivery of data from a patient to the digital solution, this could have terrible consequences, especially if the patient needs urgent care or assistance. These are the largest considerations for medtech.
Other considerations include device set-up. Set-up is very dependent on the specific device. In some cases, set-up needs to be calibrated, in others it may be a combination of a wearable device and an app. In general, all that matters is that the user (patient) gets accurate service at applicable times and that his/her data is safe.
4. How does Sidekick approach cybersecurity? Can you please walk us through your process?
Sidekick takes cybersecurity very seriously. For Sidekick, our integrity and our users’ safety and privacy are top priorities. We aim for the gold standard when it comes to security. By doing so, we make cybersecurity a part of our lifestyle.
The journey to ultimate cybersecurity is a long one and it will never fully end.
We are continuously improving and iterating our ways of defending against malicious people and software.
5. What challenges has Sidekick faced in its cybersecurity journey?
Sidekick is continuously monitoring the latest developing technologies to increase the security and integrity of our products and services. There are always challenges. For example, the log4j weakness that shook the cybersecurity industry last winter. It was not present in our systems, but we were still required to go through the motions of gathering our response team. Today, we continue to prepare for the worst and hope for the best.
We are very lucky to have a great team of developers and cybersecurity experts at Sidekick. That helps massively. Sidekick was also founded by two medical doctors who are used to having to respect patients’ privacy. These values were therefore ingrained into the company from day one.
6. What are the risks associated with poorly secured medical devices and systems, including the potential risk of patient harm, data theft, or manipulation?
Alongside the physical harm, data theft can also be used to manipulate people. The more sensitive the data is, the more likely people will give in to such manipulation. Blackmail, or holding data hostage, where malicious persons use data they have acquired through malicious methods, is also a risk. People are often ordered to pay to retrieve their data or to prevent it from being published.
Times have changed, and digital healthcare companies must change with them – that means doing more than annual risk assessments and occasional testing. Companies need to take responsibility for deploying robust, thoughtful technologies and procedures, as well as regular testing and validation of systems. These measures are the best ways to meet modern cybersecurity demands, while preparing a company for whatever is to come.