Cyberattacks and the Value of Medical Data
On July 20, 2018, SingHealth, a Singapore healthcare institution consisting of four public hospitals, five national specialty centers and a network of nine polyclinics, reported that it had been the target of a cyberattack resulting in the information of around 1.5 million individuals being compromised.
This is not an isolated incident as statistics compiled from the U.S. Department of Health and Human Services (HHS) indicate that more breaches involving healthcare data were reported in 2017 than any other year since records first started being published. In Experian’s 2018 Data Breach Industry Forecast, Experian noted that from January through June of 2017, 233 healthcare data breach incidents were reported to HHS, the media or state attorney generals. For the 193 attacks for which there are numbers, 3,159,236 patient records were affected. In a 2016 Data Breach Industry Forecast, Experian predicted that healthcare companies remain one of the most targeted sectors by attackers, driven by the high value that compromised data can command on the black market, along with the continued digitization and sharing of medical records.
Forbes reported that, on the black market, the going rate for a social security number is 10 cents and a credit card number is 25 cents, while electronic medical health records could be worth hundreds or even thousands of dollars because such medical data contains a wealth of exploitable information, such as names, addresses, work history, family member names, financial information, as well as more sensitive information relating to medical history.
Digital Currencies and Blockchain in the Medical Arena
Recently, digital currencies, such as bitcoin, have greatly increased in popularity. Some of this popularity may be attributed to digital currencies’ many purported advantages over traditional currencies, such as that blockchain technology allows for a distributed and cryptographically secure ledger without the use of traditional banking institutions. Newer and more advanced digital currencies have recently been introduced with the added advantage of smart contracts, which are said to be self-executing contractual clauses that may be programmed into a digital currency transaction. As such, many new digital currencies have been appearing with individuals investing in Initial Coin Offerings (ICOs), which are somewhat akin to the Initial Public Offerings (IPOs) of a traditional corporation.
Even more recently, a few companies have begun to make use of digital currencies and blockchain technology in the medical arena. Many have found blockchain technology uniquely suited to secure patient records, and have found that the smart contracts of digital currencies may allow individuals greater control of their medical data. Below is a summary of a few fields of medicine and companies within those fields in which digital currencies and blockchain are already being developed.
Medical Records and Health Data
According to The Merkle, Bowhead Health is the first medical device company using their AHT digital currency tokens with smart contracts to create a new medical data market. The company plans to allow individuals with Bowhead’s digital currency to control the dissemination of their medical data, and also to compensate those individuals if and when they choose to share with research institutions. Bowhead’s AHT tokens are said to allow 70% of research fees to be distributed to users with the other 30% going to token holders.
According to Blockchain News, Medicalchain is a UK-based company using blockchain technology to allow patients to securely store and send their medical records to their healthcare professionals. Medicalchain is said to allow patients to have a centralized medical record accessible from anywhere in the world, and allow individuals the ability to control medical institutions’ access to their records.
The Medical Society of Delaware has partnered with the company Medscient, and they are using blockchain technology to create a proof-of-concept platform to allow insurers and medical care providers to access patient records, according to The Cointelegraph. The article further states that this partnership was made possible when the state of Delaware became the first state to pass a law allowing the use of blockchain technology in business for stock trading and record-keeping.
Medical Licenses
The Illinois Blockchain Initiative has partnered with Hashed Health to create a pilot program to streamline the process of issuing and tracking medical licenses, according to The Cointelegraph. The goal of this partnership is said to give patients and healthcare providers a transparent license registry system that uses smart contracts to automatically update information.
Medicine and Artificial Intelligence (AI)
According to news sources, Doc.ai is a collaboration between developers from the universities of Stanford and Cambridge, and is said to be creating a platform built on blockchain technology and using AI to create a resource to answer patient’s specific questions regarding their personal health records and their physician’s analysis.
Hackers Steal 600K Records from Health Care Firms – Could Your Wearable Device Be Next?
Security firm InfoArmor published a report in late July 2016 stating that a group of attackers infiltrated American health care institutions, stole at least 600,000 patient records and attempted to sell more than 3 terabytes of that associated data. In an interview with eWeek, chief intelligence officer Andrew Komarov noted that the hackers he investigated were able to compromise different health care institutions such as private clinics, vendors of medical equipment, and suppliers. Once inside the compromised systems, the hackers were able to take personally identifiable information and medical data, including imaging data (as shown to the right).
Komarov’s research should come as no surprise in view of a report issued by the Brookings Institute in May 2016 reporting that 23% of all data breaches occur in the healthcare industry. In fact, nearly 90% of healthcare organizations had some sort of data breach between 2013 and 2015, costing the healthcare industry nearly $6.2 billion.
According to a report done by Bloomberg BNA, while a number of legal mandates exist (e.g. the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology Certification Program, and the Food and Drug Administration’s (FDA) premarket review), the existing guidelines are limited. Furthermore, medical devices face certain unique cybersecurity pitfalls. For example, while HIPAA applies to protect health information regardless of where it’s stored, protected health information that exists on disposed of or nonfunctional medical devices can be overlooked.
Connected medical devices (i.e., medical devices that can transmit information through the internet or a networked system) also pose unexpected risks and challenges. For example, the ability for hackers to remotely access connected medical devices can hypothetically result in significant threats to patient health and safety. A 2012 episode of the television show Homeland featured a character hacking into and manipulating the pacemaker of the fictional vice president. While such situations seem far-fetched, in an interview on “60 Minutes,” it was revealed that Vice President Dick Cheney’s doctor had actually disabled the wireless functionality of his heart implant, fearing that it might be hacked in an assassination attempt.
While such fears may seem fueled by paranoia, recent studies have shown that such security threats may be a real concern. Bloomberg Businessweek reported in November 2015 that the Mayo Clinic engaged a number of high-profile “white hat” hackers to conduct a study of cybersecurity vulnerabilities in their medical devices. These “white hat” hackers worked on a number of different medical devices, including things such as cardiac monitors, infusion pumps, and hospital beds. In one alarming example, one hacker was able to gain control of an infusion pump – the Hospira Symbiq Infusion System – and was able to remotely cause it to deliver a potentially lethal dose of medication. Shortly thereafter, the FDA issued a safety notice recommending a recall and the stopped usage of the aforementioned pump.
With increasing concerns about cybersecurity, as discussed on this blog previously, the FDA is currently seeking comment on proposed guidelines that outline when software changes to medical devices would require manufacturers to submit a premarket notification.
Apple’s ResearchKit Turns iPhones into Medical Devices
Apple recently released ResearchKit, an open-source software platform that allows scientists to gather medical data using an individual’s own iPhone. According to The Asian Age, the new platform allows iPhone users to easily and voluntarily join medical research studies while deciding how their data is shared with researchers.
ResearchKit enables researchers to learn about a patient’s gait, motor impairment, fitness, speech, and memory by accessing the iPhone’s built-in sensors (e.g., accelerometer, microphone, gyroscope and GPS sensors). The new software builds on Apple’s HealthKit software, which was announced last year. HealthKit allows applications that provide health and fitness services to share their data with HealthKit and with each other. With the release of ResearchKit, users will be able to send data gathered through the HealthKit application, such as information on blood pressure, weight, blood glucose levels, and exercise habits, to medical researchers partnering with Apple.
Jeff Williams, Apple’s Senior Vice President of Operations, said:
With hundreds of millions of iPhones in use around the world, we saw an opportunity for Apple to have an even greater impact by empowering people to participate in and contribute to medical research.
Several research institutions, such as Stanford University School of Medicine and Weill Cornell Medical College, have already partnered with Apple to create software applications for ResearchKit for use in clinical studies on asthma, heart disease, diabetes, and Parkinson’s disease.
Share
