HealthTech Protection

Many startups are achieving success by redefining how the economy works.
Xtechs (financial, health, insurance, among others) are reducing
operational costs and delivering more value to customers by leveraging
computer science and advances in electronics. 3D printing,
habit-tracking apps, cheap, precise and small measurement devices, and
more, are just a few examples of what citizens and patients are using
these days from so-called HealthTech. Additionally, within health
centers new technology is supporting more efficient and effective
practices. An explosion of new devices and interconnectedness is driving
change to new levels. However, security threats have surrounded
healthcare for years, and the emergence of HealthTech doesn’t mean fewer
risks. Moreover, HealthTech might pose other significant challenges. A
recent publication in Maturitas (Coventry & Branley, 2018) describes the
cybersecurity challenges healthcare is currently facing. The potential
economic exploitation of medical health records, the number of
underprotected medical and non-medical devices, and the
increasing complexity of the digitization of medical records call for a
more serious approach to cybersecurity in healthcare.

How to manage healthcare cybersecurity risks with this overload of
interconnected devices and data? We believe organizations (specifically
HealthTech companies) could learn from what has been innovative in
healthcare management.

How doctors are improving performance in health centers

Figure 1. Atul Gawande. Source: https://commons.wikimedia.org/wiki/File:Atul-Gawande_%28cropped%29.jpg

Here’s a short story: Atul Gawande, renowned surgeon and writer, worked
with the World Health Organization to address high mortality rates
within intensive care units (ICUs). The finding: checklists reduced
mortality in ICUs by 40%, according to the evidence. However, that’s
only the medium by which the breakthrough solution was delivered. What
was behind it? In general, Gawande says the amount of knowledge and
complexity nowadays makes our work very hard to accomplish
flawlessly, even when we know how to do things. In the specific case of
medical professionals, he points to overconfidence and memory
limitations among surgeons: they are pretty sure they know what they are
doing. But they are also prone to forgetting some crucial elements in
surgery, like instruments or procedures. As simple as they appear,
checklists are tools for better performance in many contexts. In his
words:

“Checklists provide a kind of cognitive net. They catch mental flaws
inherent in all of us – flaws of memory and attention and
thoroughness.” (Gawande, 2009)

Dr. Gawande has gone further to improve performance, not only in ICUs.
He discussed the Morbidity and Mortality (M&M) conferences he runs at
Brigham and Women’s Hospital on The Knowledge Project podcast. These
meetings are aligned with the work of Amy Edmondson on psychological
safety (see for example Edmondson 1999; 2018). In brief, it is a safe
space in which medical
teams get together to discuss complications (cases that went wrong)
within medical practice, including every death. The meeting is such that
people attending are legally protected, that is to say, people cannot be
attacked or removed from work for what they mention. In these meetings,
medical teams discuss what could have been done differently to avoid the
complications and how to ensure it doesn’t happen in the future. Making
people feel safe to share about errors they made, for instance, in
administering a higher dose of a drug to a patient with terrible
consequences, has led to death rates falling quickly and faster recovery
of patients. He also mentioned that, in general, the culture this
practice has fostered is invaluable: people feel empowered and
responsible, but also willing to take some risks when needed. For
society, all this means greater well-being.

How HealthTech could learn from healthcare

Figure 2. Stethoscope and heart. Source: https://www.flickr.com/photos/71195909@N03/42743938785/

We can see information and IT assets as the patients that cybersecurity teams
look after. Similar to healthcare, cybersecurity, computer science, and
software engineering enjoy and suffer at the same time from large
amounts of knowledge. Just like in healthcare, “necessary fallibility”
is also present in cybersecurity. That is, despite scientific advances
and the knowledge humankind has developed, some efforts people pursue
are “simply beyond” human capacity (for example, complete security).
We will never know everything for sure, and this is the case in
cybersecurity. As HealthTech goes mainstream, the potential perils of
such increased complexity, interconnectedness, and knowledge should be
addressed.

Healthcare, nonetheless, is showing us that even in “necessary
fallibility” environments, there could be ways to perform better.
Particularly, checklists might be translated into cybersecurity
operations. At Fluid Attacks, we believe there is a clear link between what
we do and how organizations benefit by better managing “fallibility”.
HealthTech providers should be especially aware of how to ensure their
developments provide reliable security for data and operations.

How Fluid Attacks’ approach helps improve business performance

We have one single offering: we attack your software. We breach flaws
in IT systems with superior effectiveness before others do and cause
real harm.

We do this, in part, similar to what Dr. Gawande and his team found to
lower mortality rates in ICUs: using checklists. However, we go some
steps further:

  • We are capable of continuously hacking enterprise-level systems.
    This is like a smart checklist. As this is continuous, our
    services can detect small changes that could pose risks to your
    business. We rely on our automated products, so nothing is left out
    (like with a checklist). Also, we go deeper: our security engineers
    are the best-trained hackers. They think and work all the time on
    how your system’s flaws can be combined to configure attack vectors
    others cannot identify.

  • We automate almost everything we already know.
    Asserts is the product we use to quickly assess the state of
    customers’ systems. It is like using a smart checklist,
    fed by all of our knowledge and experience.

  • All that we do gets stored, described, and tracked in our Attack
    Resistance Management (ARM) platform. ARM makes it easier for
    our customers to keep track of their security weaknesses as well
    as the fixes performed.

What about what Dr. Gawande calls M&M meetings? Well, the good news is
that our approach makes you less likely to institute a version of the
M&M meetings, as our work is proactive, not reactive. With us, you
don’t have to wait to be hacked for real, and then discuss how to
improve for the future. We help you to anticipate those complications,
so you are better prepared and become more antifragile.

Do you want to share your thoughts? Do get in touch with us! We can help.


*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Julian Arango. Read the original post at: https://fluidattacks.com/blog/healthcare-cybersecurity/