IT security: Ailing systems harm patients

IT security in the area of critical infrastructures is still treated very neglected in some cases. The topic is particularly explosive in the healthcare sector. Faulty, vulnerable or simply unavailable IT-based technology can quickly lead to personal injury.

IT security in healthcare primarily affects two specific areas: On the one hand, it affects purely administrative data, i.e., information about the patient and the course of his or her illness. Patient data enjoys even greater protection under the law than personal data under the GDPR, due to the medical confidentiality obligation. On the other hand, there is the technological infrastructure that is used directly on the patient - be it pacemakers, ventilators or devices such as ultrasound, ECG, computer tomographs and X-rays. In diagnostics, it supports the attending physician; on the patient, it has life-sustaining functions.

Three specific IT protection goals in healthcare

In order to achieve IT security, three areas must be taken into account: The availability of the component must be guaranteed, the protection of data and confidentiality as well as data integrity must be given.

1. Availability of the component: In the worst case, a technical component or device fails. If the X-ray machine fails during an operation and the surgeon can no longer find the inserted probe in the patient's body, this is a problem. It is therefore important to define measures in advance and to have a plan B in your pocket: If the ventilator fails during surgery, the patient must be ventilated manually (bag-mask ventilation).
2. Protecting data and ensuring confidentiality: Only authorized persons may have access to sensitive data in the healthcare sector. To achieve this, one measure may be to pull the EDP system into the core of the administration so that visitors cannot view the screens. It is also important to protect the data with passwords to allow access only to authorized persons and to transmit and ideally store the data in encrypted form.
3. Data integrity: Here, it must be ensured that the data obtained with IT support is correct and is also displayed correctly. In the laboratory, for example, the test lanes for analyzing blood samples are controlled automatically. Diagnoses and therapies are based on the results of the blood values - they absolutely must be correct. To ensure this, one possibility is to analyze samples in parallel in two systems at the same time to compare the results. Double sampling can ensure data integrity as a measure in this way. Another example of its importance: data sheets and information must be assigned to the correct patient so that the wrong limb is not amputated or the wrong medication is administered. Or in the case of portable devices that, for example, use sensors on the skin to measure a diabetic's blood glucose and on whose readings the patient injects his or her insulin: Here, the correct data must be displayed correctly.

Problems in these three areas and thus the cause of errors often lie in the processes. These must be concretized in order to minimize the probability of damage or reduce its effects.

As a general rule, for IT security to work, it must be taken into account both in the manufacture and subsequent operation of a product. A secure product must therefore first be developed and manufactured and then operated in a secure manner. For this, basic functions and specifications are just as important as competent personnel working with the devices.

A major problem is often the lack of IT expertise. In many companies and organizations, IT is seen primarily as a cost factor, and the resources with which it is equipped are correspondingly scarce. In addition, the standard of evaluation is usually only whether the IT works. This does not take into account whether the technologies used may open the door to misuse: After all, what is possible may not always be possible. For example, if the bored 12-year-old with the broken leg is able to hack into the WLAN and view the documents of the head physician. To prevent this, IT must be operated securely and the manufacturer's specifications must be known and observed.

Risk management system with conscious safety level

Because of the danger to life and limb, the risk in medical IT is higher than in other industries. But there is no such thing as 100 percent security. That is why it is important to protect IT against common hazards. Conceivable damage scenarios include a power failure, earthquake, fire, flood or hacker attack.

In order to establish a risk management system, these threats must be defined, evaluated and their probability of occurrence determined. Subsequently, the effects are examined and evaluated so that it can subsequently be decided which risks, if any, can be accepted and which measures can be introduced to minimize them. In this way, a conscious level of security can be defined and the measures can be used to achieve the desired level of IT security.

Conclusion

Central to achieving IT security in healthcare is the question of which threats you want to protect against. Once this is clear, the threats must be defined and evaluated in a risk analysis and countered with appropriate countermeasures. In addition, IT must be equipped with the know-how and know the technical requirements to operate the infrastructure securely.

Author: Randolf-Heiko Skerka, Head of IS Management, SRC Ltd.

Information Security in Healthcare Conference in Rotkreuz LU

On Thursday, August 12, 2020, the Information Security in Healthcare Conference will take place for the sixth time. This year's edition is dedicated to the topic "Prevention against the disease of healthcare data". The event provides an opportunity to exchange knowledge with other professionals on the topic of data security in healthcare.

For the first time, the conference will be held at the new campus of the Lucerne University of Applied Sciences and Arts in Rotkreuz.

Info: www.infosec-health.ch