Deploying Healthcare Technology: How Vulnerable Are You?

As I’ve written before, there are numerous tech solutions being proffered to advance care, better manage disease states (value based care), and improve patient interactions with clinicians. The tech marketplace is the wild west of ideas with different applications (e.g., patient scheduling, telemedicine, rev cycle, mhealth apps, AI, machine learning) developed to address different segments or stressors on the care delivery ecosystem.

For instance, as Covid snaked its way into the fabric of the world, hospital finances suffered, patients avoided care (in some instances, urgently needed care), and clinician capacity far outweighed demand. If ever there existed a silver lining to a global pandemic, care technology (like remote patient care) catapulting to the stage was, for the good or the bad, warts and all, a glimmer of hope.

Contemplating the remote care “condition” during the heat of Covid I classified health system and clinical readiness in three rather obtuse categories:

1.     Those who are comfortable with, and deeply embedded in, telehealth care,

2.     Those who were nibbling around the edges of telehealth with varying levels of implementation (discussions, examination, curiosity), and

3.     The unprepared (forced to embrace telehealth as the only [short term] means of offering patient visits).

As a refresher, due to Covid, use of telehealth applications increased under the umbrella of a federal Emergency Order which relaxed many regulatory aspects of telehealth and associated remote delivery services. However, once the EO expires, Congress will need to revisit codifying telehealth. That said, it seems the genie is out of the bottle. At this point in Covid’s yearlong-plus history, physicians and health systems have learned to either adapt (see #3 above) or thrive (see #1 above) with telehealth.

It is certainly a stretch to opine that Covid, and its attending havoc, has a silver lining but a razor thin glimmer of promise exists. Covid has nudged telehealth’s efficacy and viability to the fore and compelled clinicians to adopt and adapt. Many health systems are now running concurrent clinics offering brick and mortar visits while managing robust telehealth services. But, as folks embrace the latest tech innovations, the specter of cyber security breaches grows exponentially.

While administrators contend with the myriad opportunities telehealth provides, such as remote visits, remote monitoring (blood pressure, medication management), mHealth (mobile health), etc., bad actors continue to probe and test the security of connected IT systems. These probes or “pings” force health systems and physicians who “bolt” on tech offerings to juggle, manage, and protect multiple systems from hackers and other e-intruders. As one might surmise, with all of this tech there are reasonable security concerns, from mApps to electronic health records (EHRs). System connectivity and broad internet access have created different and expansive avenues for bad actors to compromise systems, hold them for ransom, or worse.

For instance, in a recent report by Alissa Valentina Knight entitled All That We Let In: Hacking 30 Mobile Health Apps and APIs, Ms. Knight noted that there are north of 300,000 mHealth apps available and that many of those are subject to hacking of the apps and APIs. With an estimated 60% of people downloading some sort of mHealth app, she posited that her 6-month study revealed significant security risks.

Ms. Knight examined 30 mobile apps and APIs. All of the apps were found to be vulnerable to API attacks with some even allowing access to EHRs. Ms. Knight suggested that the 30 apps collectively exposed 23 million mobile health users to attack. Of the 30 apps tested, 77% contained hardcoded API keys, some of which don’t expire, according to the report, and 7% had hardcoded usernames and passwords. (For full transparency, Ms. Knight’s report was sponsored by Approov which offers API threat protection.) To put the results into context, and given a discrete value of, say, 300,000 available mobile apps, Ms. Knight’s sample was only 1/100^th of a percent of the mApps available and each one she examined offered some exposure. And, that is only the mApp realm; consider what that portends for the exposure of PHI with all of the various products that are bolted on to a healthcare IT backbone.   

These short comings in IT security are not mere HIPAA exposures. Instead, they represent a greater danger of calculated and concerted efforts to breach healthcare networks to drill into the valuable data inherent therein. Additionally, and perhaps not surprising, on the “dark web” PHI data commands more value than credit card numbers.

As evidenced above, mApps are but one cog in the marriage of care delivery and technology. With a greater reliance on technology solutions offering tools to enhance care delivery, CIOs and IT leadership are challenged to not only manage EHR safety but to be cognizant of the safety of all tech components in the delivery system.

For healthcare IT teams long gone, it seems, are the salad days of simply trying to run and compile data for month end reporting. With a greater reliance on healthcare tech arrives greater exposure to, and management against, hackers and intruders.

Comments are closed.