Health Technology Deployment: How Vulnerable Are You?
As I’ve written before, there are many technological solutions being offered to advance care, better manage disease states (value-based care), and improve patient interactions with clinicians. The technology market is the wild west of ideas with different applications (e.g. patient scheduling, telemedicine, rotation cycle, mhealth applications, AI, machine learning) developed to cater to different segments or stressors on the care delivery ecosystem.
For example, as Covid weaved its way into the fabric of the world, hospital finances suffered, patients avoided care (in some cases, urgent care), and clinician capacity far exceeded demand. If there ever was a silver lining to a global pandemic, the healthcare technology (like remote patient care) catapulting onto the scene was, for better or worse, warts and all, a glimmer of hope.
Considering the “condition” of remote care during the Covid heat, I have categorized healthcare system and clinical preparedness into three rather obtuse categories:
1. Those who are comfortable with and deeply integrated into telehealth care,
2. Those nibbling at the edges of telehealth with varying levels of implementation (discussions, review, curiosity) and
3. Unprepared people (forced to adopt telehealth as the only [short term] means of providing patient visits).
As a reminder, due to Covid, the use of telehealth apps has increased under the aegis of a federal emergency order that relaxed many regulatory aspects of telehealth and associated remote delivery services. However, once the EO expires, Congress will need to review the codification of telehealth. That said, it looks like the genie is out of the bottle. At this point in the Covid story, which has lasted over a year, doctors and health systems have learned to adapt (see #3 above) or thrive (see #1 below). above) through telehealth.
It is certainly an overstatement to say that Covid, and its attendant havoc, has a silver lining, but a thin glimmer of promise does exist. Covid has pushed the effectiveness and viability of telehealth to the fore and forced clinicians to adopt and adapt. Many health systems now run concurrent clinics offering physical visits while running robust telehealth services. But, as people embrace the latest technological innovations, the specter of cybersecurity vulnerabilities grows exponentially.
As administrators grapple with the myriad of opportunities offered by telehealth, such as remote visits, remote monitoring (blood pressure, medication management), mHealth (mobile health), and more, malicious actors continue probe and test the security of connected computer systems. These probes or “pings” force healthcare systems and physicians who “lock in” on technology offerings to juggle, manage, and protect multiple systems from hackers and other e-intruders. As one would assume, with all this technology there are reasonable security concerns, from mApps to Electronic Health Records (EHRs). System connectivity and wide internet access have created different and expansive avenues for bad actors to compromise systems, hold them for ransom, or worse.
For example, in a recent report by Alissa Valentina Knight titled Everything we let in: hacking 30 mobile health apps and APIs, Ms. Knight noted that there are over 300,000 mHealth apps available and many of them are prone to app and API hacks. With around 60% of people downloading some sort of mHealth app, she postulated that her 6-month study revealed significant security risks.
Ms. Knight reviewed 30 mobile apps and APIs. All applications have proven vulnerable to API attacks, with some even allowing access to DSEs. Ms Knight suggested that the 30 apps collectively exposed 23 million mobile health users to attacks. Of the 30 apps tested, 77% contained hardcoded API keys, some of which do not expire, according to the report, and 7% had hardcoded usernames and passwords. (For full transparency, Ms. Knight’s report was sponsored by Approov, which offers API threat protection.) 1/100and one percent of available mApps and each one she examined offered some exposure. And that’s just the mApp domain; consider what that portends for PHI exposure with all the different products that are bolted onto a healthcare IT backbone.
These IT security gaps are not just HIPAA exposures. Instead, they represent a greater danger of calculated and concerted efforts to breach healthcare networks to mine the valuable data inherent therein. Additionally, and perhaps unsurprisingly, on the dark web, PHI data is more valuable than credit card numbers.
As noted above, mApps are just one cog in the marriage of care delivery and technology. With a greater reliance on technology solutions that offer tools to improve care delivery, CIOs and IT managers are challenged not only to manage EHR security, but also to know the security of all technology components in the system. of service.
For healthcare IT teams, it seems the days of the salad of just trying to run and compile data for month-end reports are long gone. With a greater reliance on healthcare technologies, there is greater exposure and better management against hackers and intruders.