When the number of healthcare breaches in the first five months of 2022 in the US nearly doubled compared with the same period of 2021, it is clear that steps need to be taken to mitigate these security risks.
Companies can look to HIPAA in the USA and to ENISA guidance in the EU for cybersecurity direction, but following these guidelines does not by itself guarantee security or prevent data breaches.
Modern attackers have made it essential for healthcare companies to develop and verify their cyber-defense approach, taking a preventive stance instead of a reactive one.
The FBI has repeatedly identified healthcare as the sector most targeted by cyberattacks. The healthcare industry also sustains higher financial losses from breaches than any other industry, with an average of over $7 million per attack in 2020, a 10% increase on the 2019 figure.
How Can a Digital Therapeutic Company Get Cybersecurity Right?
In this digital age, standing still is not an option. Modern security requires constant vigilance and preparation to ensure readiness for an attack. Sidekick Health's Compliance Officer, Kristinn Gylfason, explains how to adjust to modern cybersecurity needs by adopting a proactive mindset.
1. The pandemic led to an explosion of medical and connected devices. How has this digital transformation changed the healthcare threat surface?
Yes, the digital healthcare industry exploded in the pandemic, but the same can be said for attacks, data breaches, and other malicious behavior.
As digital healthcare solutions become more popular, the chances of someone mishandling their own or someone else's data increases.
It’s for this reason that Sidekick and other digital health companies should put (and do put) a lot of emphasis on cybersecurity and privacy matters.
Security measures should be a differentiator between products to the extent that products that are not focused on security are not selected for use. Steps toward this goal have already been taken. For example, the FDA is putting stronger and stronger cybersecurity requirements in place as a precautionary measure and a prerequisite for market authorization.
2. What would you consider to be the cybersecurity gold standards?
Good coding practices are one of the most important and effective ways to increase security. At Sidekick, all code is subjected to an independent code review. In other words, someone who is a subject matter expert, but did not write the code will review it. The review is centered around quality and security.
We also apply numerous automatic ways to increase our code’s security. For example, we run dependency checks on the open-source packages we use, along with vulnerability scans on the code against known weaknesses. We also perform a Docker image scan to review our third-party dependencies.
Sidekick goes beyond typical methods by having an external cybersecurity company do an annual white-box penetration test with full access.
During this process, we put everything we’ve built in scope for them to poke at and try to find weaknesses in. This is a helpful way of getting great insight into the mind of a malicious person.
Sidekick’s infrastructure is cloud based. We monitor the cloud we operate in with automatic tools that prompt our teams if anything unusual happens.
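The dependency check mentioned in the answer above, as an added example rather than Sidekick's own tooling: a pinned requirements file is matched against a list of advisories, each giving the version that introduced a weakness and the first fixed version. The advisory identifiers, package names and the requirements file are all constructed for this illustration; they are not real advisories. The part a practitioner most often gets wrong is the range arithmetic, so the example treats the fixed version as exclusive and sorts a pre-release of the fix (1.4.2rc1) below the fix itself, which keeps it flagged.

```python
"""Match exact version pins against advisory ranges (added example, constructed data)."""
import re

# Constructed advisory list: [introduced, fixed) is the affected range. Not real CVEs.
ADVISORIES = [
    {"package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.2", "id": "EX-2022-0001"},
    {"package": "examplelib", "introduced": "2.0.0", "fixed": "2.1.0", "id": "EX-2022-0002"},
    {"package": "otherlib", "introduced": "0.0.0", "fixed": "3.2.0", "id": "EX-2022-0003"},
]

# Constructed requirements.txt with exact pins (name==version), as a lockfile would carry.
REQUIREMENTS = """\
# constructed sample pins
examplelib==1.3.0
otherlib==3.2.0
safelib==0.9.1   # trailing comment
"""

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?([A-Za-z][A-Za-z0-9.]*))?")
_PIN_RE = re.compile(r"([A-Za-z0-9_.-]+)\s*==\s*([A-Za-z0-9.+-]+)")


def parse_version(v):
    """Turn 'MAJOR.MINOR[.PATCH][-pre]' into a comparable tuple.

    A pre-release sorts below the final release of the same number, so
    1.4.2rc1 < 1.4.2. Anything else (four-part versions, epochs) is rejected
    rather than silently misordered.
    """
    m = _VERSION_RE.fullmatch(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, pre or "")


def parse_requirements(text):
    """Return {package_name_lowercase: pinned_version} from requirements text."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _PIN_RE.fullmatch(line)
        if not m:
            raise ValueError(f"only exact pins (name==version) are supported: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (fixed version itself is clean)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(pins, advisories=ADVISORIES):
    """Return sorted (package, pinned, advisory id, first fixed) for every hit."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned and is_affected(pinned, adv["introduced"], adv["fixed"]):
            findings.append((adv["package"], pinned, adv["id"], adv["fixed"]))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, ver, adv_id, fixed in find_vulnerable(parse_requirements(REQUIREMENTS)):
        print(f"{pkg}=={ver}: {adv_id}, upgrade to >= {fixed}")
```

The check only accepts exact pins; a range specifier such as `>=1.2` cannot be matched against an advisory without first resolving it to the version that will actually be installed, which is why the scan should run against the lockfile rather than the loose requirements list.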
3. What are the core cybersecurity considerations for medtech, including device set-up and system integration?
Users’ sensitive data is one of the largest threats. Other aspects are the integrity of the information and possible treatment being delivered to the users (patients). If some malicious third party intervenes and disrupts the information delivered to the user, this could have serious consequences.
This goes both ways. Malicious attackers interrupting data delivery from a patient to the digital solution could have terrible consequences, especially if the patient needs urgent care or assistance. These are the largest considerations for medtech.
Other considerations include device set-up. Set-up is very dependent on the specific device. In some cases, set-up needs to be calibrated, in others it may be a combination of a wearable device and an app. In general, all that matters is that the user (patient) gets accurate service at applicable times and that his/her data is safe.
4. How does Sidekick approach cybersecurity? Can you please walk us through your process?
Sidekick takes cybersecurity very seriously. For Sidekick, our integrity and our users’ safety and privacy is top priority. We aim for the gold standard when it comes to security. By doing so, we make cybersecurity a part of our lifestyle.
The journey to ultimate cybersecurity is a long one and it will never fully end.
We are continuously improving and iterating our ways of defending against malicious people and software.
5. What challenges has Sidekick faced in its cybersecurity journey?
Sidekick is continuously monitoring the latest developing technologies to increase the security and integrity of our products and services. There are always challenges.
For example, the log4j weakness that shook the cybersecurity industry last winter. It was not present in our systems, but we were still required to go through the motions of gathering our response team. Today, we continue to prepare for the worst and hope for the best.
We are very lucky to have a great team of developers and cybersecurity experts at Sidekick. That helps massively. Sidekick was also founded by two medical doctors who know what it means to respect a patient's privacy. These values were ingrained in the company from day one.
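The first question any response team had to answer during the log4j incident mentioned above was "is it present in our systems?", and a manifest-based dependency check is not enough, because log4j-core is often vendored inside an application's fat jar or a container image rather than listed anywhere. As an added example, not Sidekick's tooling, the script below walks a directory tree, opens every jar (descending into nested jars), looks for the `JndiLookup` class that implements the vulnerable lookup, and reads the bundled version from the Maven `pom.properties`. The threshold is a deliberate simplification that is an assumption of this example: any jar shipping the class below 2.15.0 (where CVE-2021-44228 was fixed) or with no readable version is reported as affected; the later log4j CVEs and the 2.12.x/2.3.x backports are not modelled. The jars it scans are constructed in a temporary directory by the script itself.

```python
"""Find log4j-core jars (including nested ones) that ship JndiLookup.class.

Added example with constructed fixture jars; thresholds are a simplification.
"""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")
# Assumed threshold: CVE-2021-44228 was fixed in 2.15.0; later fixes raised the
# recommended floor further, and unknown versions are treated as affected.
FIRST_FIXED = (2, 15, 0)


def version_tuple(v):
    """'2.14.1' -> (2, 14, 1); pads short versions so '2.15' compares as 2.15.0."""
    parts = [int(x) for x in re.findall(r"\d+", v)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def version_from_props(data):
    """Extract 'version=...' from a pom.properties payload, or None."""
    m = re.search(rb"^version=(.+)$", data, re.M)
    return m.group(1).decode().strip() if m else None


def inspect_jar(fileobj):
    """Return (has_jndi_lookup, version) for one jar, recursing into nested jars."""
    with zipfile.ZipFile(fileobj) as zf:
        names = set(zf.namelist())
        has_jndi = JNDI_CLASS in names
        version = version_from_props(zf.read(POM_PROPS)) if POM_PROPS in names else None
        # Fat/uber jars embed log4j-core as a nested archive, so recurse into those.
        for name in names:
            if name.endswith(ARCHIVE_EXT):
                nested_jndi, nested_version = inspect_jar(io.BytesIO(zf.read(name)))
                has_jndi = has_jndi or nested_jndi
                version = version or nested_version
        return has_jndi, version


def scan_tree(root):
    """Return sorted (relative path, version, affected) for jars carrying JndiLookup."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            try:
                has_jndi, version = inspect_jar(path)
            except zipfile.BadZipFile:
                continue  # not a real archive; skip rather than abort the scan
            if has_jndi:
                affected = version is None or version_tuple(version) < FIRST_FIXED
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, version, affected))
    return sorted(findings)


def build_fixture(root):
    """Write constructed jars: vulnerable, fixed, unrelated, and a fat jar nesting a vulnerable one."""
    def write_jar(path, version=None, with_jndi=False):
        with zipfile.ZipFile(path, "w") as zf:
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
            if version:
                zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n".encode())

    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    write_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1", True)
    write_jar(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "2.17.1", True)
    write_jar(os.path.join(root, "lib", "unrelated.jar"))
    inner = io.BytesIO()  # nested log4j-core inside an application fat jar
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        zf.writestr(POM_PROPS, b"version=2.12.1\n")
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.12.1.jar", inner.getvalue())


def demo():
    """Build the fixture tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, version, affected in demo():
        print(f"{rel}: log4j-core {version or 'unknown'} -> {'AFFECTED' if affected else 'ok'}")
```

On a real host the same scan would be pointed at the application directories and at the filesystem of each running container image; the nested-archive recursion is what makes the fat-jar case visible, and a scan that stops at the outer jar name would miss it.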
6. What are the risks associated with poorly secured medical devices and systems, including the potential risk of patient harm, data breaches, or manipulation?
Alongside the physical harm, data theft can also be used to manipulate people. The more sensitive the data is, the more likely people will give in to such manipulation. Blackmail or data hostage where malicious persons use data they have acquired through malicious methods is also a risk. People are often ordered to pay to retrieve their data or to prevent it from being published.
Times have changed, and digital healthcare companies must change with them: that means doing more than annual risk assessments and occasional testing. Companies need to take responsibility for deploying robust, well-thought-out technologies and procedures, and for regular testing and validation of their systems. These measures are the best way to meet modern cybersecurity demands while preparing a company for whatever is to come.