Safeguarding fast expanding healthcare data

Growing reliance on electronic data in the healthcare environment has security implications for patients and healthcare providers

By Morand Fachot

Recent years have witnessed a rapidly growing volume of healthcare-related data being collected from a variety of sources that include patients’ records, and information provided through home monitoring or wearable smart devices.

Hollywood Presbyterian Medical Center The LA Hollywood Presbyterian Medical Center computer systems were locked by ransomware (Photo: Junkyardsparkle, via Wikimedia Commons)

Fast expanding volume of healthcare-related data

This big data, which describes vast and complex amount of data from a variety of often unrelated sources, is increasingly stored electronically in cloud databases. It is worthless unless properly managed, analysed and converted using medical informatics into practical medical applications. However, a number of recent incidents have highlighted also the risk that this data could be compromised, tampered with or misused. Protecting electronic medical records’ integrity has become an overriding priority. 

Paper or electronic health records?

Keeping and maintaining medical records on paper or in other physical forms is very time-consuming and presents a number of drawbacks, regarding in particular workload, accessibility and information sharing:

  • physicians, nurses or support staff have to fill and file physical records (including medical history and imagery) by hand, wasting valuable time
  • records of the same patients using different healthcare providers are dispersed across many facilities, making it difficult to put together their medical history, and contributing to unnecessary repeat testing
  • records may not be retrieved easily or in a timely manner, access being limited by location or opening hours; they may have to be faxed or sent by mail. This can have serious consequences in emergency procedures for instance.

By contrast electronic health records (EHRs) present a number of obvious benefits for healthcare facilities’ workload, for accessibility and sharing of patients’ information:

  • entering patients’ medical data using computers allows more complete information to be recorded
  • EHRs allow the complete medical history of patients, including medical imagery or the adverse effects of certain medication, to be kept in a single file that can be accessed by all practitioners
  • they can be transferred electronically and accessed around the clock by medical facilities and physicians. 

Health monitoring anywhere, anytime

Keeping track of patients' health in the home environment is getting more important in many countries faced with a growing ageing population and healthcare costs. Many people, particularly the elderly, need to be frequently monitored for health issues, however regular visits by health professionals or to healthcare facilities may not always be practical or possible. Furthermore, most people prefer independent living, while letting healthcare professionals remotely monitor their condition and be alerted if there's something wrong.  A number of remote patient monitoring solutions relying on the transmission of patients' data via computer or wirelessly have been introduced in recent years and are used in private homes and nursing environments. They include, for instance:

  • smart bed technology that uses a sensor mat placed under any mattress that continuously detects patient motion and presence. This technology helps transform any bed into a smart bed. It helps drastically cut pressure sores and prevent falls. It is also available for children, to assess quality of sleep by monitoring presence in bed, average breathing and heart rate, and movement
  • electronic blood pressure monitors that can record and store the blood pressure of patients sitting at home and transmit it to health professionals via computer
  • more advanced continuous multi-parameter monitoring systems, which can also give additional readings of vital signs such as pulse, heart and respiration rates, skin temperature and SpO2 (estimate of the amount of oxygen gas dissolved in the blood), are used in in hospital environments. They allow health workers to be alerted remotely in case of changes in patients' condition
  • integrated home health and safety monitoring solutions that provide status of patients, changes in their behaviour based on analyses of individual patterns. These solutions include finding out if a person is up and active, stays in bed longer than normal, needs assistance in the bathroom, eats regularly, leaves the front door open and more. They rely on a multitude of sensors and other systems which inform and alert carers of possible issues or incidents such as falls.

These solutions, among others, help physicians monitor the conditions of patients and anticipate potential needs for medication or treatment.  

They all rely on devices and systems built around a variety of sensors; International Standards for sensors are developed by IEC Technical Committee (TC) 47: Semiconductor devices, and its Subcommittees (SCs). 

Extending healthy life expectancy and helping the elderly and people with disabilities live a healthier, more active and independent life is important. To help achieve this the IEC set up a System Committee on Active Assisted Living (SyC AAL). Several IEC TCs are also playing a leading role in this domain with their activities in various aspects of AAL. 

Wearables everywhere – any good?

The development of so-called wellness and health monitoring (mHealth) apps for mobile devices and the introduction of electronic mobile and wearable devices have seen a spectacular expansion. A February 2016 report by Juniper Research estimates that "the adoption of health monitoring devices will nearly treble by 2020, exceeding 70 million [units] worldwide, up from an estimated 26 million this year."  

The vast majority of mHealth apps are intended for consumers rather than healthcare professionals.

According to the Financial Times "on the Apple store alone there are now more than 165 000 health-related apps available, offering everything from early stage prevention to advanced medical consultation and monitoring. Yet just 5% register any significant number of downloads." In addition to iOS, Android and Windows mobile operating systems propose also mHealth apps paired to various devices.

These apps and devices have opened new perspectives in healthcare. However, many physicians express doubts regarding the benefits of consumer-oriented mHealth apps, and also about the amount of data generated, the practicability of using it meaningfully and of safeguarding it against security breaches.

Some 15% of mHealth apps are not consumer-oriented, but designed for healthcare professionals who use them for applications such as access to medical images, double checking diagnoses, or looking up for drug information and interactions.

Mobile and wearable devices rely on International Standards prepared by several IEC TCs and SCs, such as IEC TC 47 and its SCs for semiconductors and sensors, IEC TC 21: Secondary cells and batteries, and its SCs. 

Danger lurking in the shadows

In recent years healthcare-related big data, which offers a wealth of information that can be exploited for financial profit or other malicious goals, has emerged as a target of choice for criminals of all kinds as recent examples show:

  • healthcare service providers and insurances have been increasingly targeted by criminals. Between 2010 and 2014, approximately 37 million healthcare records were compromised in data breaches in the US, but in the first 7 months of 2015 alone, more than 105 million healthcare records had already been exposed through 153 separate attacks, according to the US Identity Theft Resource Center (ITRC)
  • John Kuhn, an IBM senior security threat researcher, was billed USD 20 000 by a hospital for a surgery he never had after his medical records were stolen from the hospital. Kuhn had to pull up his shirt in front of the billing department to show them that he did not have any major scar on his stomach
  • in February 2016 hackers introduced ransomware that locked the computer systems of the Hollywood Presbyterian Medical Center in Los Angeles. The hospital agreed to pay a ransom of USD 17 000 in bitcoins to have its systems unlocked.
  • the following month the Methodist Hospital in Henderson, Kentucky, faced a similar attack, which forced it to operate in an “internal state of emergency” for five days. It didn’t pay any ransom

IEC standardization work at the forefront of protection against data breaches

The IEC is active in efforts to thwart attacks aimed at breaching data confidentiality in a number of domains, including healthcare.

IEC TC 62: Electrical equipment in medical practice, and its SCs, develop International Standards for electrical equipment, electrical systems and software used in healthcare. The TC's remit is to focus on safety and performance, including "data security, data integrity and data privacy".

IEC SC 62A: Common aspects of electrical equipment used in medical practice, has issued International Standards and Technical Reports that cover medical device software and IT networks incorporating medical devices.

In addition to data security-related work carried out by IEC SC 62A, significant international standardization in the field of IT security techniques at a general level is carried out by ISO/IEC JTC 1/SC 27, a SC of the Joint Technical Committee (JTC) set up by the IEC and the International Organization for Standardization (ISO) to work on International Standards for information technology.

The importance the IEC attaches to cybersecurity was further highlighted by the decisions taken in recent years to create new entities.

Hollywood Presbyterian Medical Center The LA Hollywood Presbyterian Medical Center computer systems were locked by ransomware (Photo: Junkyardsparkle, via Wikimedia Commons)
ViSi Mobile The wearable ViSi Mobile System lets doctors wirelessly monitor patients' vital signs (Photo: Sotera Wireless)
Jawbone UP3 fitness tracker The Jawbone UP3 fitness tracker is one many wearable devices that collect personal fitness data (Photo: Jawbone)