#Enigma2022: Security’s Role in Helping HealthTech Find Its Way
Securing healthcare technologies is critical to human health and safety, not just in the medical setting but also with consumer HealthTech.
In an afternoon session on February 3 at the Enigma 2022 conference, Joy Forsythe, director of security at Alto Pharmacy, explained that HealthTech is a growing category of healthcare products and services targeted at consumers and available outside traditional medical establishments. HealthTech includes online medical services as well as software- and hardware-based human health monitoring technologies.
Forsythe pointed out that information collected about a person's health by a healthcare provider or medical professional that has a direct relationship with the patient is generally considered, in the US, to be protected health information. The US federal rules that protect such information are referred to as HIPAA (the Health Insurance Portability and Accountability Act).
She noted that it’s not always clear what rules apply when it comes to HealthTech services and devices.
Forces Impacting Security in the Healthcare Ecosystem
Forsythe identified regulations as critical among the primary forces that impact security across the healthcare landscape.
While HIPAA outlines user privacy requirements, other regulations include guidance on security practices issued by the US Department of Health and Human Services (HHS). For example, Forsythe noted that HHS has established that fax is considered a secure transmission method if the recipient's fax number can be confirmed.
“Generally speaking in healthcare, if you verify that the fax number is correct, that’s considered secure,” she said. “If there’s a breach because of a fax that was sent to the correct phone number, the provider is not liable.”
While fax is an outdated, decades-old technology, the HHS guidance on email as a secure data transmission method is far less specific. As a result, Forsythe stressed, many healthcare entities in the US have banned email for sending personal health information.
Industry certification is another strong force that security teams in healthcare have to deal with.
“Certification is an attempt to standardize third-party risk assessments and simplify vendor management,” Forsythe said. “But certification often pushes outdated security controls, and they failed to reduce risk in modern environments.”
How HealthTech Can Improve Security
Not all HealthTech devices are bound by the same regulations in the US as technologies and services directly provided by medical professionals.
“Consumer wellness startups are not acting as healthcare providers, and they may not be subject to HIPAA for a while,” she commented. “They still have to abide by other privacy laws that are often less burdensome.”
The opportunity for security people in HealthTech is to do genuine risk identification against the privacy rules that do apply, such as CCPA in California or GDPR in Europe.
It's also important that HealthTech providers track which data is identifiable, because that is the data that matters for privacy. Additionally, she recommends that HealthTech providers maintain an auditable record of all access to user data by services, employees and partners.
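As an added illustration of those two recommendations (tracking which fields are identifiable, and keeping an auditable record of every access by services, employees and partners), the following Python is example code written for this article; it is not Alto Pharmacy's code and was not shown in the talk. The field names, actor names and sample events are constructed, and the append-only hash chain is one common way to make such a record tamper-evident, not something the talk prescribed.

```python
"""Example: a tamper-evident access record for user health data.

Two ideas from the recommendations above:
  1. classify which fields identify a person, so privacy review and
     reporting can focus on accesses that touched them;
  2. log every access to user data by a service, employee or partner,
     with a stated purpose, in an append-only chain where each entry
     commits to the hash of the one before it.
All names and data below are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed classification of a user record's fields.
IDENTIFIABLE_FIELDS = frozenset({"name", "email", "date_of_birth", "address"})
ACTOR_TYPES = frozenset({"service", "employee", "partner"})
GENESIS_HASH = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class AccessEvent:
    actor: str        # who accessed, e.g. "employee:jdoe" (constructed)
    actor_type: str   # "service" | "employee" | "partner"
    user_id: str      # whose record was read
    fields: tuple     # which fields were read, sorted
    purpose: str      # why; an access with no purpose is rejected
    timestamp: str    # ISO-8601 UTC
    prev_hash: str    # hash of the previous entry (chain link)
    entry_hash: str   # SHA-256 over prev_hash + canonical payload

    @property
    def touched_identifiable(self) -> bool:
        return any(f in IDENTIFIABLE_FIELDS for f in self.fields)


def _payload(actor, actor_type, user_id, fields, purpose, timestamp) -> dict:
    return {"actor": actor, "actor_type": actor_type, "user_id": user_id,
            "fields": list(fields), "purpose": purpose, "timestamp": timestamp}


def _digest(prev_hash: str, payload: dict) -> str:
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class AccessLedger:
    """Append-only list of AccessEvent; verify() detects edits or deletions."""

    def __init__(self):
        self.entries = []

    def record(self, actor, actor_type, user_id, fields, purpose, timestamp=None):
        if actor_type not in ACTOR_TYPES:
            raise ValueError(f"unknown actor type {actor_type!r}")
        if not purpose:
            raise ValueError("every access must state a purpose")
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        ordered = tuple(sorted(fields))
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        digest = _digest(prev, _payload(actor, actor_type, user_id, ordered, purpose, ts))
        event = AccessEvent(actor, actor_type, user_id, ordered, purpose, ts, prev, digest)
        self.entries.append(event)
        return event

    def verify(self) -> bool:
        """Recompute every hash; any altered or removed entry breaks the chain."""
        prev = GENESIS_HASH
        for e in self.entries:
            payload = _payload(e.actor, e.actor_type, e.user_id, e.fields, e.purpose, e.timestamp)
            if e.prev_hash != prev or _digest(prev, payload) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def identifiable_accesses(self, user_id: str):
        """Accesses to this user's record that read at least one identifiable field."""
        return [e for e in self.entries if e.user_id == user_id and e.touched_identifiable]

    def accesses_by(self, actor_type: str):
        return [e for e in self.entries if e.actor_type == actor_type]


def build_sample_ledger() -> AccessLedger:
    """Three constructed events for one constructed user, with fixed timestamps."""
    led = AccessLedger()
    led.record("svc:refill-scheduler", "service", "user-42",
               ["medications"], "schedule refill", "2022-02-03T14:00:00+00:00")
    led.record("employee:jdoe", "employee", "user-42",
               ["name", "medications"], "support ticket 1234", "2022-02-03T14:05:00+00:00")
    led.record("partner:labco", "partner", "user-42",
               ["email", "address"], "lab kit shipment", "2022-02-03T14:10:00+00:00")
    return led


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify())
    for e in ledger.identifiable_accesses("user-42"):
        print(f"{e.timestamp} {e.actor_type:<8} {e.actor:<22} {e.fields} ({e.purpose})")
```

The service access to medications alone does not appear in the identifiable-access report, while the employee and partner accesses do; that distinction is what the "track which data is identifiable" advice buys you when answering a privacy request or reviewing partner activity. In a real deployment the ledger would be written to append-only storage and its head hash anchored somewhere the writing service cannot modify.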
Forsythe concluded by emphasizing the role that security can play in HealthTech: "I think there's still a lot of opportunity for security to come into HealthTech organizations and make a difference in how they handle data."