ISfTeH

Richard Staynings with Michele Griffith MD, President of ISfTeH

The 'International Society for Telemedicine & eHealth' held its annual conference in San Jose, CA today and the author was proud to be invited to speak on the subject of 'cybersecurity as an enabler of new remote medical services'. 
 
Remote patient services, whether telehealth consults with a primary care physician, post-operative recovery from home to free up needed hospital beds, or the right of patients to die in their own home (now embodied in law in many jurisdictions), require a different approach to patient data protection, privacy and security. Indeed, many of the new services envisaged as part of future improvements to patient care will require careful examination to ensure that they do not expose provider medical networks to undue risks. Personalized medicine looks set to transform patient well-being and intervention outcomes, but if providers are to store and process patients' DNA, then they need to do a much better job of protecting that information than they do of protecting current personal health information.
 
Regulation across multiple jurisdictions requires that the confidentiality (privacy) of electronic patient information (ePHI) be protected, yet from a risk perspective, loss of confidentiality, although still important, is minor compared to the loss of health data integrity (the changing of a medical record) or the loss of availability (patients unable to receive an X-ray or CT scan while in the Emergency Room).
 
With multiple hospitals being attacked with ransomware every week, the risks for providers are obviously great. Although the costs of loss (lost revenue) can be massive (Scripps Health is reported to have lost $112.7 million in revenue following its ransomware attack in 2021), the impact on patients of protracted downtime caused by a cyber attack can be life-threatening, affecting patient safety, morbidity and even mortality, as we have seen from some prior ransomware attacks. Cyber-criminal activity by extortionists is literally killing people. Cyber attacks against the 'availability' of health services can be devastating to patients in need of radiotherapy or chemotherapy when those services are denied them. The same is true for those in need of Emergency Care or those giving birth when health IT and IoT are unavailable and being held to ransom.
 
The conference heard that it is important to balance the 'confidentiality', 'integrity' and 'availability' of health information, which together form what is known as the CIA triad. It also heard that a more risk-based approach is required if providers are to get in front of managing the proliferation of new AI- and ML-based technologies, clinical applications and medical devices.

A full copy of the author's deck can be found here.



 

Attendees, speakers and panelists came from all over the world and were drawn from many different medical disciplines and specialties.  This was the first international conference of the ISfTeH since COVID-19 locked down many countries and prevented international travel.