#Enigma2022: Security’s Role in Helping HealthTech Find Its Way
Securing healthcare technologies is critical to human health and safety, not just in the medical setting but also with consumer HealthTech.
In an afternoon session on February 3 at the Enigma 2022 conference, Joy Forsythe, director of security at Alto Pharmacy, explained that HealthTech is a growing area of healthcare products and services targeted at consumers and available outside traditional medical establishments. HealthTech can include online medical services as well as software- and hardware-based human health monitoring technologies.
Forsythe pointed out that any information collected about a person’s health by a healthcare provider or medical professional that has a direct relationship with a patient is generally considered, in the US, to be protected health information. The US federal rules protecting such information are referred to as HIPAA (the Health Insurance Portability and Accountability Act).
She noted that it’s not always clear what rules apply when it comes to HealthTech services and devices.
Forces Impacting Security in the Healthcare Ecosystem
Forsythe identified regulation as one of the primary forces shaping security across the healthcare landscape.
While HIPAA sets out the privacy rules, the US Department of Health and Human Services (HHS) also issues guidance on security practices. For example, Forsythe noted that HHS has established that fax is considered a secure transmission method if the recipient’s fax number can be confirmed.
“Generally speaking in healthcare, if you verify that the fax number is correct, that’s considered secure,” she said. “If there’s a breach because of a fax that was sent to the correct phone number, the provider is not liable.”
While fax is a decades-old technology, the HHS guidance on email as a secure transmission method is far less specific. As a result, Forsythe stressed, many healthcare entities in the US have banned email for sending personal health information altogether.
Industry certification is another strong force that security teams in healthcare must contend with.
“Certification is an attempt to standardize third-party risk assessments and simplify vendor management,” Forsythe said. “But certification often pushes outdated security controls, and they failed to reduce risk in modern environments.”
How HealthTech Can Improve Security
Not all HealthTech devices are bound by the same regulations in the US as technologies and services directly provided by medical professionals.
“Consumer wellness startups are not acting as healthcare providers, and they may not be subject to HIPAA for a while,” she commented. “They still have to abide by other privacy laws that are often less burdensome.”
The opportunity for security practitioners in HealthTech, she said, is to actually do the risk identification called for by the privacy rules that are already in place, such as CCPA in California or GDPR in Europe.
It’s also important that HealthTech providers track which data is identifiable, because that is the data that matters for privacy. Additionally, she recommends that HealthTech providers keep an auditable record of all access to user data by services, employees and partners.
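One way to put both recommendations into practice, as an added example that is not from the talk, from Alto Pharmacy, or from any product mentioned on this page: classify a user record's fields as identifiable or not, and append a hash-chained entry to an audit log for every access, naming the actor, the actor's type (service, employee or partner), the user whose data was touched, the identifiable fields returned, and the stated purpose. The field names, actor identifiers and the hash-chain layout are all assumptions chosen for illustration.

```python
"""Field classification plus a hash-chained access audit log.

Added example, not code from the talk or any vendor. Field names, actor
identifiers and the chain layout are illustrative assumptions.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed classification of a consumer HealthTech user record. Fields that can
# be tied back to a person, alone or in combination, are the ones privacy
# rules (CCPA, GDPR, and HIPAA where it applies) care about.
IDENTIFIABLE_FIELDS = {"name", "email", "date_of_birth", "zip_code", "device_id"}


def identifiable_fields(record: dict) -> list[str]:
    """Return, sorted, the fields of a record that are treated as identifiable."""
    return sorted(k for k in record if k in IDENTIFIABLE_FIELDS)


@dataclass
class AuditEntry:
    seq: int            # position in the log; must increase by one each entry
    timestamp: str      # UTC ISO-8601
    actor: str          # service account, employee or partner identifier
    actor_type: str     # "service" | "employee" | "partner"
    user_id: str        # whose data was accessed
    fields: list[str]   # identifiable fields that were returned
    purpose: str        # stated reason for the access
    prev_hash: str      # hash of the previous entry (chain link)
    hash: str = ""      # SHA-256 over every other field of this entry

    def compute_hash(self) -> str:
        body = {k: v for k, v in self.__dict__.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


class AccessAuditLog:
    """Append-only log; each entry commits to its predecessor's hash, so
    editing or deleting an earlier entry is detectable by verify()."""

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self) -> None:
        self.entries: list[AuditEntry] = []

    def record_access(self, actor: str, actor_type: str, user_id: str,
                      record: dict, purpose: str,
                      now: datetime | None = None) -> AuditEntry:
        """Log one access. Every access is logged; 'fields' lists the
        identifiable ones so privacy reviews can filter on them."""
        if actor_type not in ("service", "employee", "partner"):
            raise ValueError(f"unknown actor_type {actor_type!r}")
        prev = self.entries[-1].hash if self.entries else self.GENESIS
        ts = (now or datetime.now(timezone.utc)).isoformat()
        entry = AuditEntry(len(self.entries), ts, actor, actor_type, user_id,
                           identifiable_fields(record), purpose, prev)
        entry.hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, reordered or removed."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.hash:
                return False
            prev = e.hash
        return True

    def accesses_to(self, user_id: str) -> list[AuditEntry]:
        """Everything that touched one user: the view a data-subject request needs."""
        return [e for e in self.entries if e.user_id == user_id]


if __name__ == "__main__":
    # Constructed sample data, not real users.
    log = AccessAuditLog()
    user = {"name": "A. Example", "email": "a@example.invalid",
            "zip_code": "94110", "step_count": 8012}
    log.record_access("sync-svc", "service", "u-1", user, "nightly sync")
    log.record_access("support-42", "employee", "u-1",
                      {"step_count": 8012}, "support ticket")
    print(log.verify(), [e.fields for e in log.accesses_to("u-1")])
```

Because the chain only detects tampering after the fact, the log itself still needs to be written somewhere the services and employees being audited cannot modify, and the latest hash should be periodically anchored out of band.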
Forsythe concluded by emphasizing the value security can bring to HealthTech: “I think there’s still a lot of opportunity for security to come into HealthTech organizations and make a difference in how they handle data.”