Medical data in a cyber context

Information Security in Healthcare has grown to become a major conference. It spans the gap between security processes and efficient data management in healthcare. It brings together IT providers and users, hospital and practice managers, decision-makers and insiders, and creates a basis for new solutions with relevant presentations and specialist sessions.

In this regard, Martin Pfister, Head of the Health Department of the Canton of Zug, also addressed 245 interested conference participants on 22 June 2017: "Housework is often only noticed when it is not done", similarly, hospital and company IT should not be left to gather dust in order not to be surprised by viruses such as "WannaCry".

Under "WannaCry", the largest cyberattack to date, specialists were no longer able to access patient files because IT first had to carry out rigorous virus checks. Operations and examinations even had to be postponed at the British healthcare provider NHS. According to insiders, it is no coincidence that healthcare facilities, of all places, were hit hard by the "WannaCry" attack.

Not only have hackers infiltrated large corporations, but internationally organized groups are also engaged in black market trading of medical data records. "It's not necessarily about extortionate identity theft, medical data brings in a lot of money on the market - new technologies such as anonymised Bitcoin transactions do the rest," comments Peter Fischer, conference chair and professor at the Lucerne University of Applied Sciences and Arts, critical points that also affect the Swiss healthcare system.

Hackers and exceptional situations
Hackers take advantage of exceptional situations, attack hospital systems, skim off sensitive data via phishing emails and patient profiling, for example. In extreme cases, they even manipulate medical devices (e.g. via callibration software). For example, two insiders from the Chaos Computer Club Zurich spoke at the day conference in Rotkreuz about loopholes and spyware in medical devices. They reported on incorrect programming of vital devices (e.g. a wireless defibrillator) via an iPhone.

At present, these are still isolated cases. Syringe pumps, anaesthesia equipment and, not least, private tablets are online around the clock in healthcare facilities. In order to access medical meta-data, cyber criminals prefer to focus on location-independent devices. Claudio Luck of the Chaos Computer Club: "Online data collected via measuring devices are easier to market for analyses than handwritten letters."

More risks than opportunities
Lucas Schult, a virus defense specialist at Health Info Net AG (HIN): "53 percent of attacks come from the EMEA region. Equally astonishing is that an attack on hospital systems is now attempted every 40 seconds." The healthcare sector in general is "in trouble" since more and more Trojans and spyware are being used in healthcare apps.

"The threat is to be taken seriously," clarified Adrian Schmid, eHealth Suisse in his keynote address "Mobile Health - an opportunity with new risks" at one of the first presentations.

Certifications of apps?
Schmid, Head of eHealth Suisse, emphasized: "A good 3 million health apps are used in Switzerland. However, these apps do not meet the definition of medical devices." According to his estimates, at most 3 percent of those programs meet the conditions of the Federal Therapeutic Products Act, which define medical devices per se. Experts agree: apps can support doctors and therapists in prevention, diagnosis and therapy. However, they should be subject to qualitative regulations and international certification. Patients can currently only rely on recommendations from specialists, such as recording their vaccination status electronically and scanning in personal data.

Unfortunately, the topic of "mHealth" (see infobox), the mobile management of health data, is still too provider- and consumer-driven. A coordinated approach has been lacking in Switzerland so far. Schmid and other experts are in favour of mobile support, provided that concrete measurements are collected and that such Big Data values are securely stored. Schmid: "In any case, the source of information should be used free of advertising and politically independent."

The day's event could not have been more topical and relevant. Even before noon, there were parallel presentations in the areas of "Community", "Health-Tech", "Governance" and "Technology". For example, practitioners paid full attention in the "Community" stream.

"The data protection officer said ...", data protection does not always have to hinder progress in practice, stated Urs Müller, MD, Head Medical Competence Center, Post AG. The doctor demonstrated innovative solutions. Christian Greuter, Managing Director of Health Info Net AG (HIN), also managed the balancing act between security and usability using the example of eMediplan: "Studies on patient safety show that around 5 percent of hospital admissions are due to adverse drug events. The eMediplan not only helps to avoid medication errors - it alerts in real time."

Threatening dimensions
The keynote address on "Ethical Aspects of Big Data in Medicine" by Prof. Dr. Bernice Elger, Head of the Institute for Bio- and Medical Ethics, University of Basel (IBMB), was extremely interesting. The ethicist spoke not only of the changed framework conditions brought about by digitalisation, but also of the analytical problems involved in understanding the "tremendous velocity" of data sets. In general, she said that our society, even palliative patient care, is becoming not only smarter but also more transparent as a result of digitalisation.

Increasing cost pressure in the medical sector is forcing service providers to process more and more data faster and faster. During the second last keynote on the "Current state of cyber security" by Daniel Rudin, Reporting and Analysis Centre for Information Assurance MELANI, one would have liked to hear more about the impact of the "WannaCry" virus on Switzerland. Rudin-O-Ton: "There is no holistic approach to being able to protect yourself from cyber threats."

Switzerland has reached a new dimension since the Internet connects not only computers but also medical devices and household appliances. - However, whether you are in the USA or in Switzerland, malware knows no borders. Prof. Dr. René Hüsler, Director of the Lucerne University of Applied Sciences and Arts, concluded the day's conference at around 5 p.m. with a condensed conference review.