Health Technology, Digital Healthcare
Article | August 21, 2023
NIS2 Cybersecurity Rules Approaching: Is Your Organization Prepared?
The EU NIS cybersecurity regulations are evolving for 2024, and if you’re not currently aware of how they’ll apply to your organization, now is the time to get up to speed with the requirements. Not only is the directive being tightened, but an extended range of healthcare and related organizations will be added to the list of ‘critical entities’ that must comply. These include certain medical device manufacturers, pharmaceutical companies, and organizations that carry out R&D.
The Network and Information Systems (NIS) standards were set up in 2016 to protect essential services – such as water, energy, healthcare, transport, and digital infrastructure – from cyberattacks. The updated legislation, NIS2, will have stricter rules, reporting requirements, and higher penalties for non-compliance. They will apply to medium-sized and large businesses that operate within one or more EU countries. Those based only in the UK can’t sit back either: the original NIS regulations will still apply as part of British law. What’s more, a UK version of the rules is coming very soon, and it’s likely that the framework will closely resemble the EU’s.
What will the requirements cover?
There are a number of cyber risk management measures that all organizations that come under the scope of NIS2 will be required to put in place. For instance, they will need to conduct regular security assessments and risk analyses, adopt incident response and handling plans, and appoint a chief information security officer (CISO), among other obligations. The new directive will streamline and strengthen incident reporting requirements. Entities must notify regulators of any incident that has compromised data or had a significant impact on the provision of their services, such as causing severe operational disruption or financial loss.
Applying information system security policies and business continuity plans will form part of the obligations, as will conducting cybersecurity testing and training for all staff. The use of multi-factor authentication (MFA) and encryption, wherever appropriate, will also be mandated. There is plenty of focus within the directive on the cornerstones of cybersecurity best practice, particularly the proper control of administrator-level account credentials, privileged access, and endpoints, all of which are prime targets for attackers.
Under NIS2, organizations are being separated into ‘critical’ and ‘important’ entities. It’s important to determine which category yours will fall under, as each has different requirements. The third-party threat will also be addressed in NIS2 by pulling managed service providers (MSPs) into the list of ‘critical entities’, with the aim of keeping digital supply chains secure. MSPs are often granted privileged access to clients’ corporate systems and networks, which creates security risks.
What are the consequences of non-compliance?
Organizations that come under the regulations’ purview will be subject to random checks, regular security audits, on-site inspections, and off-site supervision. For those found to be in breach, sanctions could include warnings, temporary suspension of certain activities, and a temporary prohibition on exercising certain managerial functions. Financial penalties could be as high as 10 million Euros or 2% of an organization’s global turnover, whichever is higher.
What steps should healthcare organizations take now?
Organizations should take action to establish whether the EU or UK NIS2 regulations will apply to them and what their responsibilities will be. Having identified any gaps in existing cybersecurity processes, policies, and practices, they must determine what changes need to be made to address them.
As a priority, they must review their incident response plans and incident management and reporting procedures. It’s also a good idea to begin assessing the security posture of partners and third parties in the supply chain and incorporating relevant security requirements into contracts. Given the framework’s focus on protecting privileged admin accounts, organizations should implement controls limiting the number of staff members who hold these powerful credentials. Implementing privileged access management (PAM) will allow IT to control who is granted access to which systems, applications, and services, for how long, and what they can do while using them. Preparing for the introduction of the EU NIS2 regulations should be considered more than just a compliance exercise. By meeting the strengthened requirements, healthcare organizations will be building a foundation of resilience that protects them, their customers, and the essential services they provide.
Health Technology, Digital Healthcare
Article | September 8, 2023
The healthcare industry has become a prime target for cybercriminals in recent times.
According to The State of Ransomware in Healthcare 2023 report from Sophos, six in 10 healthcare organizations have been hit by ransomware in the last 12 months, up from 34% in 2021.
Among this uptick have been several headline-grabbing attacks. For example, Shields Health Care Group became the subject of the single-largest breach affecting any organization globally in April 2023, when 2.3 million patients of the Massachusetts-based medical services provider had their personal data stolen after a cybercriminal gained unauthorized access to the organization’s systems.
Meanwhile, in the UK, a ransomware attack on the University of Manchester occurred in June, affecting an NHS patient data set holding information on 1.1 million patients across 200 hospitals.
Critically, the wealth of data housed in healthcare networks, and the potential impact of data unavailability in healthcare, make the industry both attractive and lucrative to threat actors.
It’s no coincidence that the Sophos report shows the rate of encryption in the healthcare sector is at its highest level in recent years. Of those healthcare organizations which suffered a ransomware attack in 2023, 73% had their data encrypted – up from 61% in 2022. When cybercriminals can successfully take down hospital systems and/or encrypt patient data so it can’t be used, they can blackmail health service providers, demanding significant sums before reinstating systems and/or data availability.
Considering healthcare's critical role as the highest-stake industry in our society, where people's lives depend on its success, the likelihood of attackers achieving their goals is greater than in other sectors, as confirmed by the Sophos report. Indeed, of the 73% of healthcare organizations that had their data encrypted, 42% reported that they paid the requested ransom to recover data.
DSPT and the compliance burden
Without question, the security-related challenges in healthcare are mounting. Right now, industry organizations are operating against a backdrop of unprecedented operational and workforce pressures, spiralling demand for care and industrial action.
Moreover, there is a growing regulatory burden, with organizations continually asked to comply with evolving cybersecurity rules, battling with multiple compliance mandates at any given time.
Take the NHS as an example. According to the 2023 NHS Providers’ Regulation Survey, just over half (52%) of respondents said the regulatory burden on their trust had increased. And this is expected to ramp up further in the future, with the UK government setting out a new 2030 strategy aimed at bolstering cyber resilience in healthcare.
Among the compliance burdens that the NHS faces is the challenge of meeting the requirements of the newly updated Data Security and Protection Toolkit (DSPT).
Mandated to minimize cyber risks and enable healthcare providers to maintain a robust information security posture, the DSPT is not a simple checklist of security controls, but a comprehensive toolkit to evaluate current security maturity and establish a risk management programme.
Indeed, in more recent times, DSPT has moved away from being a guide for achieving certain levels of assurance, and toward a mandatory evidence-based system which demands NHS organizations align with 10 precise National Data Guardian (NDG) standards:
1. The organization assures good management and maintenance of identity and access control for its networks and information systems.
2. The organization closely manages privileged user access to networks and information systems supporting essential services.
3. The organization ensures passwords are suitable for the information being protected.
4. Process reviews are held at least once a year where data security is put at risk and following security incidents.
5. Action is taken to address problems as a result of feedback at meetings.
6. All user devices are subject to anti-virus protections, while email services benefit from spam filtering and protection deployed at the corporate gateway.
7. Action is taken on known vulnerabilities based on advice from NHS Digital, and lessons are learned from previous incidents and near misses.
8. The organization has a defined, planned and communicated response to data security incidents impacting sensitive information or key operational services.
9. The organization has demonstrable confidence in the effectiveness of the security of technology, people, and processes relevant to essential services.
10. The organization securely configures the network and information systems that support the delivery of essential services.
Reducing Compliance Challenges with the Right Solutions
Taken individually, these standards may not seem too strenuous to adhere to. However, to be compliant with DSPT, all 10 items need to be completed and deemed ‘satisfactory’.
To tick all 10 key boxes in the most effective and efficient manner simultaneously, organizations should consider their strategy carefully. This could involve embracing supportive tools to accelerate and enhance their compliance journey.
Boiled down, DSPT demands several key things, including unencumbered visibility of the entire ecosystem, as well as the ability to demonstrate secure access, logs and storage, and essential auditing processes to maintain data security.
Achieving these things might appear complicated, even daunting. However, there are solutions known as Security Information and Event Management (SIEM) systems on the market that can make achieving these capabilities, and in turn DSPT compliance, easy.
Here, we outline some of the key features to look out for to meet compliance:
• Log retention: A modern SIEM should be able to provide a centralized log storage and big data platform that scales to any organization’s size. Platforms should be able to provide role-based access to log data, including ‘data privacy’ functionality that can mask sensitive data until approved. Log data should not be modified or removed by users once ingested into the platform, while all data held should also be indexed and fully searchable.
• Identifying and disabling unnecessary accounts: A good SIEM will also provide account auditing facilities for Active Directory that allow administrators to quickly identify dormant accounts. They should also be able to remove privileged user access when no longer required or appropriate. More sophisticated platforms will be able to do this in an automated manner.
• Easy identification of issues: Clear and easily readable dashboards, alerts and reports for user logging activity should be provided, including failed logins, apparent brute-force attempts, and bad password management practices. Further, those using machine learning will be able to identify unusual behavior patterns based on a baseline of activities of users and their peer group.
• Integrate with third-party threat feeds: It will also be able to integrate with a wide variety of third-party threat feeds that provide information about specific known threat payloads/hashes and destination domains/addresses.
Meeting the mandate
Of course, having the right features in place is only part of the puzzle. For organizations to be truly successful in embracing tools that enable them to meet DSPT compliance more effectively, they should work to ensure that solutions providers offer them ongoing support – both in terms of ease of deployment and to ensure that they are using key systems in an optimal manner.
Scalability is another important aspect to consider.
Systems should be able to scale and continue to support the organization as data volumes increase and become more complex over time.
In respect of scalability, organizations should take time to think about pricing models, ensuring that these are based on the number of devices (nodes). In doing so, it will become easier to accurately budget future costs, as well as provide greater budgeting certainty over the short, medium and longer term.
A converged SIEM allows organizations to prioritize the big picture over individual tools, enabling them to develop a seamless and easy-to-use security operations setup. Not only does this approach boost cost transparency and eliminate potential complexities with managing a variety of siloed products – equally, it reduces the burdens on security teams, eliminating complexities over system integration and enhancing performance.
A converged SIEM combines key technologies easily to offer improved security outcomes. In doing so, organizations can easily home in on specific standards and adopt security best practices while reducing the burden on security teams tasked with meeting DSPT compliance.
Healthtech Security
Article | November 29, 2023
Since ChatGPT’s launch in November 2022, artificial intelligence (AI) tools have become disruptive to nearly every industry. While there's been controversy about whether AI would benefit the healthcare industry, it has proven to be just as capable in healthcare as in other sectors.
In the medical field, there is reason to believe AI tools may be an even more reliable and useful resource than in other sectors. Medical students have been panicking over AI's threat to their career prospects. But as these systems mature, the experts increasingly believe that AI may serve as a counterpart to human medical expertise rather than a threat.
How AI Tools Are Expected to Aid Medical Professionals
Again and again, as the debate over modern AI tools rages on, we encounter the analogy of the calculator. No one feels threatened by calculators, not even professional mathematicians. Instead of throwing up their hands, math experts embrace the power of these now archaic computerized devices. If the experts are correct, this may be similar to the future of the alliance between AI and humans.
According to the designers and programmers who understand how these systems work as well as how information technology tends to progress, AI can be expected to help the medical profession in the following ways:
Cosmetic Surgery Consultations
One of the farthest-reaching applications we see developing is in consultations for plastic surgery and similar applications. Perhaps one of the easiest aspects to understand is hair-loss consultations. In our practice, we use a device known as HairMetrix, which uses an AI-driven analytical system to help determine what is causing a patient to lose their hair and which treatment options would be the most effective.
Because it is AI-driven, it is fully based on visual scans and is completely non-invasive. Just like this, AI can be used in an abundance of other ways to minimize the use of exploratory surgery and improve healthcare outcomes.
Improved Diagnostics
Artificial intelligence is already helping medical providers deliver diagnoses more quickly. These tools can identify anomalies that might otherwise take humans hours or even weeks to identify. This has improved the rate of cancer detection, among other things, which will predictably improve survival rates.
Developing New Pharmaceuticals
The development of new medicines is notoriously slow. Not only is testing a painstaking process, but even seeking FDA approval can take years. AI is expected to help the development of pharmaceuticals through simulation on the molecular level, allowing researchers to see how the active mechanisms in a drug will work in the body.
Improved Administrative Efficiency
In the medical field, administrative tasks are notoriously slow. It is believed that generative AI will be able to automate many administrative functions and innumerable office chores. It could streamline sorting patient files, accelerate the interpretation of data, and much more.
Patient Access
In an area where information technology is already improving patients' lives, access to medical advice is still a bottleneck in the system. AI tools have the potential to slowly bridge the gap in health disparities. Combined with the power to diagnose, this could dramatically increase the capability of online patient portals.
Of course, this list of anticipated AI capabilities is far from exhaustive. Researchers and medical professionals have high hopes for these tools, and some are already proving to be more than mere speculation.
In a world where AI is reshaping industries at an unprecedented pace, the healthcare sector stands poised to benefit significantly from this technological revolution. From streamlining administrative tasks to revolutionizing diagnostics, the potential of AI in medicine is vast and diverse. As we witness AI-enabled tools like HairMetrix enhancing cosmetic surgery consultations and AI algorithms expediting diagnostic accuracy, it's clear that we are only at the beginning of a healthcare transformation that is set to improve patient care, increase survival rates, and revolutionize medical practices.
Health Technology, Digital Healthcare
Article | September 8, 2023
Embark on a journey into the frontier of healthcare innovation in this article. Discover how EHR telemedicine and remote patient monitoring serve as catalysts, driving forward a new era in healthcare.
Contents
1. Integration of EHRs in Telemedicine and Remote Patient Monitoring
2. Technical Challenges and Solutions in EHR Integration
3. Financial Analysis: Cost-Benefit Assessment of Integration
4. Data Privacy and Consent in Integrated EHR-Telemedicine Systems
5. Forging Stronger Patient-Clinician Relationships
1. Integration of EHRs in Telemedicine and Remote Patient Monitoring
EHR telemedicine and remote patient monitoring have reshaped healthcare delivery by seamlessly integrating electronic health records, allowing healthcare providers and patients to exchange information effortlessly, regardless of geographical barriers. This synergy empowers healthcare professionals to access patients' comprehensive medical histories in real time, facilitating more informed decision-making during virtual consultations.
During the spring of 2020, when pandemic restrictions kept most people in the US at home, the use of telehealth rose to about 51%.
[Source: Elation Health]
Moreover, it enhances the accuracy of remote patient monitoring by providing up-to-date data, enabling timely interventions and improving overall healthcare outcomes. Integrating EHR telemedicine systems enhances efficiency and ensures that patient care remains at the forefront of modern healthcare, transcending traditional physical boundaries.
2. Technical Challenges and Solutions in EHR Integration
Navigating telehealth EHR integration and remote patient monitoring solutions uncovers a range of technical challenges, each with its own set of potential remedies. These include interoperability issues, which can be mitigated by adopting standardized data formats like HL7 FHIR. EHR interoperability solutions may involve using data exchange protocols such as HL7's Consolidated Clinical Document Architecture (C-CDA) or developing custom APIs to facilitate seamless data exchange between EHRs and telemedicine platforms. Additionally, the imperative need for data security and privacy is achieved through robust encryption and adherence to regulations like HIPAA or GDPR. Data integration challenges arising from varying EHR data storage methods can be resolved using middleware or integration platforms. Investing in telecom infrastructure and developing offline-capable telemedicine apps can address limited connectivity in remote areas. Ensuring real-time data access involves optimizing EHR databases and creating low-latency systems. Other challenges encompass integrating data from medical devices, ensuring data accuracy, scalability, user-friendly interfaces, regulatory compliance, and cost management strategies.
3. Financial Analysis: Cost-Benefit Assessment of Integration
When contemplating the integration of EHR telemedicine and remote patient monitoring systems, conducting a comprehensive cost-benefit analysis is crucial. This assessment covers financial aspects, including initial implementation costs (software development, hardware upgrades, training, and data migration), ongoing operational expenses (maintenance and data storage), and potential efficiency gains (streamlined workflows and improved data accessibility). It also evaluates the impact on patient outcomes, satisfaction, and financial benefits of enhanced healthcare quality, reduced readmissions, and increased patient engagement. Healthcare organizations can estimate cost savings in remote patient monitoring and explore expanding telemedicine services to underserved populations to make informed financial decisions.
Additionally, this analysis considers long-term financial viability and alignment with organizational goals, including regulatory compliance costs, risk assessment, scalability considerations, and the competitive advantages of integrated telemedicine services. By calculating ROI and assessing potential risks, healthcare entities can develop risk mitigation strategies, ensuring that EHR integration in telemedicine and remote patient monitoring enhances healthcare delivery and aligns with the organization's financial sustainability and long-term success.
4. Data Privacy and Consent in Integrated EHR-Telemedicine Systems
Data privacy and obtaining informed consent are paramount in integrated EHR and telemedicine systems. Patients should provide explicit consent, understanding the data collected and its intended use, with strict encryption protocols safeguarding data during transmission. Access controls and data minimization practices restrict unauthorized access, while patient portals enable individuals to manage their data-sharing preferences and revoke consent if needed. Compliance with regulations such as HIPAA or GDPR is crucial, as is maintaining comprehensive audit trails to track data access. Training, awareness, and robust incident response plans fortify data privacy efforts, fostering trust and transparency in these integrated systems where healthcare organizations and patients share responsibility for secure data handling.
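The consent, access-control, data-minimization and audit-trail points above can be shown together in a small data-sharing layer. The following is an added example written for this page, not code from the article or from any EHR or telemedicine product; the patient record fields, the purposes ("remote_monitoring", "virtual_consultation"), the field-per-purpose table and the class names are all constructed for illustration.

```python
"""Added example, not from the article: consent-gated, purpose-minimized access
to a patient record with an append-only audit trail. All names are constructed."""
from datetime import datetime, timezone

# Constructed patient record; the field names are assumptions.
PATIENT_RECORD = {
    "patient_id": "P-001",
    "name": "Example Patient",
    "dob": "1980-01-01",
    "address": "1 Example Street",
    "insurance_id": "INS-0000",
    "diagnoses": ["hypertension"],
    "blood_pressure": [(datetime(2023, 9, 1, 8, 0, tzinfo=timezone.utc), 142, 91)],
}

# Data minimization: each purpose may see only these fields (constructed policy).
PURPOSE_FIELDS = {
    "remote_monitoring": {"patient_id", "blood_pressure"},
    "virtual_consultation": {"patient_id", "name", "dob", "diagnoses", "blood_pressure"},
}


class AccessDenied(Exception):
    """Raised when consent is absent, revoked, or the purpose is unknown."""


class ConsentRegistry:
    """Per-patient, per-purpose consent; revocation takes effect immediately."""
    def __init__(self):
        self._granted = set()          # {(patient_id, purpose)}

    def grant(self, patient_id, purpose):
        self._granted.add((patient_id, purpose))

    def revoke(self, patient_id, purpose):
        self._granted.discard((patient_id, purpose))

    def is_granted(self, patient_id, purpose):
        return (patient_id, purpose) in self._granted


class AuditTrail:
    """Append-only in memory; a real system would back this with write-once storage."""
    def __init__(self):
        self.entries = []

    def record(self, actor, patient_id, purpose, outcome, fields):
        self.entries.append({"at": datetime.now(timezone.utc), "actor": actor,
                             "patient_id": patient_id, "purpose": purpose,
                             "outcome": outcome, "fields": tuple(sorted(fields))})


def fetch_patient_data(record, actor, purpose, consents, audit):
    """Return only the fields the purpose permits, and only if consent is on file.
    Every attempt, allowed or denied, is written to the audit trail."""
    pid = record["patient_id"]
    allowed = PURPOSE_FIELDS.get(purpose)
    if allowed is None or not consents.is_granted(pid, purpose):
        audit.record(actor, pid, purpose, "DENIED", ())
        raise AccessDenied(f"{actor} may not access {pid} for {purpose!r}")
    minimized = {k: v for k, v in record.items() if k in allowed}
    audit.record(actor, pid, purpose, "ALLOWED", minimized.keys())
    return minimized


def run_scenario():
    """Grant, read, attempt an unconsented purpose, revoke, read again."""
    consents, audit = ConsentRegistry(), AuditTrail()
    consents.grant("P-001", "remote_monitoring")
    view = fetch_patient_data(PATIENT_RECORD, "nurse-1", "remote_monitoring", consents, audit)
    outcomes = []
    for actor, purpose in [("clinician-1", "virtual_consultation"),   # never consented
                           ("nurse-1", "remote_monitoring")]:         # consented, then revoked
        if purpose == "remote_monitoring":
            consents.revoke("P-001", purpose)
        try:
            fetch_patient_data(PATIENT_RECORD, actor, purpose, consents, audit)
            outcomes.append("allowed")
        except AccessDenied:
            outcomes.append("denied")
    return {"monitoring_fields": sorted(view), "later_outcomes": outcomes,
            "audit_outcomes": [e["outcome"] for e in audit.entries]}


if __name__ == "__main__":
    print(run_scenario())
```

The monitoring view contains only the patient id and blood-pressure readings, never the address or insurance id, and after revocation the same actor is refused. The audit trail holds one entry per attempt, so a later review can reconstruct who asked for what, for which purpose, and whether they got it.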
5. Forging Stronger Patient-Clinician Relationships
Integrating EHR telemedicine and remote monitoring systems goes beyond mere efficiency and accessibility objectives. It serves as a catalyst for nurturing more substantial and meaningful patient-clinician relationships. This fusion of technology and healthcare has the capacity to bridge physical distances, allowing clinicians to truly understand and engage with their patients on a deeper level. Patients, armed with increased access to their health data, become more active participants in their healthcare, while clinicians, with their comprehensive information, can offer more personalized and informed guidance. The potential of EHR telemedicine reaches far beyond the digital screen; it empowers both patients and clinicians to collaborate in pursuit of improved health outcomes, ushering in a new era of patient-centric care grounded in trust, communication, and shared knowledge.