The appetite among healthcare providers for new technologies is voracious. The benefits are obvious: Individual providers and facilities want to improve care and increase convenience and reputations. New technology, however, involves risks - both to patients and in working through internal "glitches." The potential for hacking and loss of security, privacy and access increases these risks.
In considering new technologies and associated risks, it is helpful to categorize by how soon they become available.
The Near-Term: Connected Devices/IOT.
Devices that are connected to an open network are "connected devices." When those devices can then communicate with each other via the internet, they become part of the Internet of Things (IOT).
- What it Does: Just about everything. Relevant devices include monitors in hospitals, wearables and machines to auto-administer therapies or track real-time health data.
- Why We Want It: Connected devices and the medical IOT (mIOT) are not only part of a larger increase in telehealth, but also can increase efficiencies, reduce costs and improve care for those with chronic conditions. Connection to a network permits timely monitoring, easier delivery of software, and utilization of health-related applications by patients.
- What's the Problem? Imagine receiving a text that your pacemaker has been hacked, and if you don't pay bitcoin into a foreign account, it will be turned off at midnight. The potential risks are as varied as the imagination. Often older technologies are retrofitted to connect to the internet without having security "baked in."
- What Do I Do Now? You can think of the security risks of connected devices/mIOT as a manufacturing issue, a vendor issue, or a security issue. In fact, it's all three:
- Manufacturing processes for medical devices must ensure that security is implemented from the ground up, particularly for devices with software that can be connected.
- Vendor assessments must be robust and ongoing.
- Devices should be included in an overall compliance program to assess, test (including pen tests) and monitor security.
The Mid-Term: Artificial Intelligence/Machine Learning.1
Our ability to function and understand the world around us depends on our capacity to find and use patterns in our environment. AI/ML is a collection of different methods for permitting machines to do the same - learn on their own.
- What it Does: To simplify, it takes input, gives potential responses, receives feedback and refines its responses. For example, show a machine enough pictures of fish, and it can identify a fish in a picture that it has never seen before.
- Why We Want It: There is a correlation between how many humans are on this planet and the rate of innovation.2 To oversimplify, the more brains, the more likelihood that one of them will belong to Einstein. AI/ML allows computers to supplement humans in innovation. AI is not an incremental change but a changing of eras in which machines begin undertaking tasks that humans may not even understand. For the most optimistic, AI/ML has the potential to help create a frictionless, evolved society.
- Where's the Singularity? You've seen the movies. Before our new overlords take over,3 there are near-term concerns. For example, the inability to know whether we're interacting with a human or a bot. Authentication, spoofing, phishing and other issues are rife.
- What Do I Do Now? In the short term, authentication and authorization controls are required. Multi-factor authentication is a good fix. In addition, old-fashioned human contact can help. Policies that require phone calls in some circumstances (such as unexpected requests for access to data) can save headaches.
The Long-Term: Distributed Ledger Technology (Blockchain).
You likely know this from Bitcoin, but its potential for the healthcare industry is far beyond cryptocurrency.
- What it Does: DLT connects numerous machines to increase the security and reliability of information. In addition, it drives the sharing of information and completion of transactions without a centralized authority.
- Why We Want It: Blockchain is already impacting supply chain and other use cases and could make the counterfeiting of pharmaceuticals impossible. It could make medical records immediately available and completely secure (don't expect this in the short-term) and create "smart contracts" that are self-enforcing.
- What's the Problem? Blockchain is slow, energy-intensive and limited (contrary to popular imagination, medical records may never be stored on a distributed ledger). Also, blockchain is software and thus subject to the imperfections of designers. Individuals can take advantage of flaws, and there is a threat of "51 percent attacks" where a limited number of actors control the entire blockchain.
- What Do I Do Now? A good percentage of healthcare entities are considering jumping into DLT, but it's important to keep in mind the risks, as well. Consider whether to have an open or restricted (permissioned) network. If restricted, how limited, and is there a threat of a 51 percent attack? Also, consider whether the ledger should be anonymous or identified, and whether private or public (i.e., no centralized management). Each of these decisions should be based not only on the business but also the potential security of the network's members.
Machines are getting smarter faster ... and keeping up with threats will become increasingly difficult until, at some point, we rely on machines to protect us from other machines. Until then, healthcare industry professionals have a responsibility to implement technology wisely.
1 Some may note that placing AI/ML in the Mid-Term understates its current impact. We place it here because the growth of AI/ML is likely to be exponential, replacing the current drizzle of ML with a hurricane of AI in the future.
2 See, for example, https://www.sciencedirect.com/science/article/pii/S0040162513001261.
3 01010011 01001111 01010011
Roy Wyman is a partner of Nelson Mullins Riley & Scarborough LLP in Nashville, co-chair of Nelson Mullins' Cybersecurity and Privacy Industry Group and is a member of the Healthcare Regulatory and Transactional team. He can be reached at firstname.lastname@example.org or (615) 664-5362.