Security threats are major concerns to health care organizations due to the value and vulnerability of clinical data that is being recorded and distributed. The value of the data comes from the fact that it is historical in nature, it directly affects our ability to safely treat patients, it takes a long time to rebuild, and it contains more than just clinical data, such as personal, financial, and demographic data which allow it to be used for wider identity theft. It is persistent, whereas you can change credit cards and their passwords, PINs and account numbers in the event of a breach, you cannot change your mother’s maiden name. The vulnerability comes from the fact that there has been a revolution in health care with the interconnection of systems, cloud computing, IOHT and mobile devices and the changes in working practices of clinicians, such as remote monitoring, telemedicine, and working from home. This revolution has not always been matched with the security awareness, policies, practices, and budgets of health care organizations.
There has been an increasing sophistication of attacks using social engineering techniques (e.g. Phishing) that can overcome “traditional” defenses such as anti-virus, rule and signature based detection systems. But before looking at what new AI based tools can do for organizations, I would like to suggest that these are only more sophisticated tools, and without the basics in place they will fail to deliver on their promises.
Good systems management is important, keeping not just the central servers up to date with security patches but also connected devices, and to do this, assessments of suppliers’ security policies and procedures should be a key part of your procurement department’s process for selecting devices which may be attached to the system.
Information Governance is key, defining critical data, knowing how the data is managed both in transit and at rest, and having defined, usable policies and processes, is much more important than adding more technology to a fractured system. Similarly, education and awareness are necessary so that everyone on the system is regularly made aware of these policies, not just on induction day. As threats are evolving, staff should be kept aware of the people side of security with ongoing campaigns such as anti-phishing behavior management. However, all this is just guess work if you do not know how effective it all is and there should be regular penetration testing of the systems to ensure that you know your defenses are up to date and effective.
Doing all of this means there is a shortage of security experts to help ensure your custody of your patients’ data remains as effective as time moves on, this is where AI and Machine Learning may be able to help healthcare cyber security. However merely purchasing new tools does not improve defenses, they need to be deployed, maintained and monitored to provide effective defense.
Security Information and Event Management (SIEM) software products and services provide real-time analysis of security alerts generated by network hardware and applications and are also used to log security data and generate reports for compliance purposes. By combining this real-time data gathering with Threat Intelligence, extending the storage of this data over time and applying the enhanced analytics capabilities that come with Machine Learning and AI techniques, it improves the detection of attacks around the clock with less skilled staff. By looking at past performance it becomes possible to analyze user and device behaviors to detect activity that is out with the expected patterns from the devices or users much quicker and more accurately than human observers can. This use of AI in health care cyber security is becoming more and more important for protection of on-site systems and as health care networks expand and data and processing gets pushed out into the “cloud”.
Ai and Machine Learning offers health care organizations a way of securing their patients’ data as health care evolves, without relying on scarce high-cost skills, but will only meet its promise if the basics of information governance, awareness and education are in place first.