• Cyber-security
  • Some regulation breaches are daft but serious

    Local reports of bad practices by eHealth users show that data breaches are simple to avoid, and can have dire consequences. iHealthBeat, a USA eHealth news digest, reports that an emergency department employee posted on Facebook a photograph of a screen on her computer, and accidentally showed a patient’s name, address and social security number. Even though the hospital removed the photograph within 30 minutes, criminals used the data to steal the patient’s identity. The patient has filed a police report after the State’s Department of Economic Security notified her that someone had used her personal information to apply for food stamps.

    There are three important lessons for African countries:

      • Some breaches are elementary failures, and can lead to serious consequences
      • Train staff to high levels of knowledge and performance about eHealth security and regulation
      • If a breach occurs, notify affected patients immediately, or the consequences may escalate.
  • BYOD is an opportunity and a big security threat

    More and more people bring their own devices to work for the convenience of having personal and business-related data on one device. The snag is that bring your own device (BYOD) is a growing security risk to corporate ICT infrastructures. B2B International’s study Global Corporate IT Security Risks 2013 has shown that the number of IT security incidents involving cell phones and tablets is on the rise. It also suggests that most companies have no plans to limit the use of personal mobile devices for work-related purposes.

    According to the study, only 17% of South African companies have developed mobile device security policies for their corporate environments. ICT security incidents involving mobile devices take on many different and changing forms, and are challenging to keep up with, and they will become more diverse and widespread.

    B2B International’s survey found that 11% of respondents identified mobile devices as the source of at least one confidential data leak over the past year. This means that mobile devices caused more critical data leaks than the 9% from employee fraud, 5% from staff sharing data, and 2% from corporate espionage.

    Effective, tough ICT security policies for mobile devices are essential to reduce the business risks of mobile phones and tablets. That well-developed security policies for BYOD are the exception rather than the rule leaves corporate entities, including healthcare organizations, exposed to risk.

    Irish novelist Samuel Lover (1797-1868) is credited with the aphorism that “It is better to be safe than sorry.” It still resonates after two centuries.

  • Cloud and security needs high-level capabilities

    Healthcare providers that use the Cloud to store private, personal and sensitive information in EHRs need specific precautions in place to ensure safety and confidentiality. Both Cloud services and healthcare providers must be sure that all the required security measures and functions are in place to prevent unauthorized access and data breaches. This can provide transparent assurances to patients and engender trust. These are the main conclusions of Analysis of the Security and Privacy Requirements of Cloud-Based Electronic Health Records Systems published in the Journal of Medical Internet Research.

    The functions that need putting in place include:

    Role-Based Access Network Security Mechanisms Data Encryption Digital Signature Third-Party Certification Monitoring Information and Communication Employee Lifecycle Physical Security Environmental Safeguards Configuration Management Business Continuity Management Backups Storage Service Decommissioning Network Security.

    The report puts these in a context of current and planned use of the Cloud. It says that, “With the emergence of Cloud computing, EHR management systems are facing an important platform shift, but such important changes must be approached carefully. In order to make a secure and smooth transition, studying all the security requirements regarding the privacy and confidentiality of patient data are essential. The Cloud computing paradigm is still under development but stands to become revolutionary in many different fields.” This perspective and analysis provides a valuable resource for African countries in eHealth planning and operations.

  • Cyber-security risks need mitigating in eHealth decisions

    In his Trans-Antarctic Expedition, Ernest Shackleton claimed as he strived to rescue his team that, as options become fewer, it leads to taking bigger risks. Thankfully, meeting the need for better cyber-security and regulation of eHealth still has plenty of options that mitigate risks.

    Like any other investment decision, those for eHealth projects need to assess the impact of risks and design measures to mitigate them. Removing them completely is not the goal; mitigating their effect is. Over eHealth life cycles, risks to net benefit, or socio-economic return (SER), rise dramatically. Acfee's eHealth economic evaluations database puts the impact of risk to net benefits at around 200% at the peak of the curve as projects reach diminishing returns. New fears and anxieties about inadequate cyber-crime and regulation may increase the risk factors to about 250%.

    Coupled with an increase in eHealth implementation and operating costs for better cyber-security, the increased risk curve can push good SER estimates for eHealth projects much closer to zero and possibly into extended negative territory. This does not mean abandoning these good eHealth projects. It shows that decision-takers must incorporate effective, sustained cyber-security and regulation measures, such as more qualified security staff and eHealth solutions with built-in security functions, to mitigate the risks and secure both value for money and the cyber defences.

    Ernest Shackleton would have loved to have these kinds of choices before he decided to cross 800 miles of the Antarctic Ocean in a rowing boat.

  • Better cyber-security poses an old economic question

    Woody Allen said, “I am not afraid of death, I just don’t want to be there when it happens.” The increasing fear and anxiety now generated by cyber security may encourage CIOs to adopt a similar aspiration about breaches. It is not just a technology challenge. Increased costs of cyber-security and regulation pose the classical question for eHealth decision-takers. How do I afford cyber-security and still have the sustainable net benefits from eHealth?

    Now that cyber-security and regulation are rapidly climbing the eHealth priorities chart, the economic and financial implications are becoming a bit clearer. The first approach is to adopt the eHealth definition that tinTree uses: ICT and organisational change. Generally, ICT is just less than half the cost over a ten-year timescale.

    The economic analyses of eHealth over the last decade generally reflected security as part of the cost of ICT and compliance with regulation as part of the cost of change, mostly through training. Acfee has reviewed its eHealth economic database of 57 eHealth economic evaluations and updated its model. Relative to the total cost of ICT and change, the costs of better cyber security and regulation compliance are not high. Effective eHealth has high net benefits, the socio-economic return (SER). This is resilient to the extra costs over long timescales. The SER is a bit lower, and the time to reach a net benefit is a few months longer. Good eHealth is still good value for money. For weak eHealth, there is no hope. The bad value for money just deteriorates.

    Affordability is the biggest challenge. Where do organizations find the money? African countries have few choices. Their main one is to review their eHealth strategies and investment plans and redeploy finance by changing the pace of change. If cyber-security is minimal, the eHealth risks rise and new eHealth projects start to look a bit shaky: not a good place to be. eHealth News Africa will report on the effect of increased risks for eHealth decision-taking in a few days.

    The next step is for the cyber-security experts to provide estimates of better performance that tinTree can use to refine the prospective data in its eHealth economic model, described in the eHealth News Africa story costs, benefits and economics of eHealth.

  • HIMSS provides a step forward for social media security

    Social media poses new, and partly understood, security risks to organizations’ information services. The Health Information Management Systems Society (HIMSS) Privacy and Security Committee has released its White Paper Social Media in Healthcare: Privacy and Security Considerations.

    In recognizing the increasing use of social media and its potential value for patient engagement, collaboration, brand management, and recruitment, it puts these alongside the privacy and security challenges. The White Paper aims to encourage discussion to help address these issues. It does not explicitly deal with the challenges of Bring Your Own Devices (BYOD), but the principles, ideas and proposals are valuable in this context too.

    It provides a good checklist of the topics that eHealth professionals in Africa need to deal with to create and sustain their eHealth regulation initiatives.

    eHealth News Africa reports on eHealth regulation in New study reveals limited eHealth regulation in sub-Saharan Africa.

  • Is the steady flow now a torrent of cyber-security?

    Henry David Thoreau, the USA author of Walden, said, “If you have built castles in the air, your work need not be lost; that is where they should be. Now put the foundations under them.” It is strange how sound 19th-century advice is resilient in the modern age. For about twenty years, the eHealth exhortation was invest and keep investing. Over the last few months, the message has shifted to secure what you have, and the volume is turning up. What started as a bit of a trickle from apparent security geeks is turning into a torrent of good advice and guidance, much of it reported in eHealth News Africa. A quick surf through the website, and they will stand out.

    It is probably a safe bet that existing eHealth strategies and investment plans understate cyber-threats and have inadequate resource allocations to respond to them. For African countries, it matches the underinvestment in eHealth regulation identified by Greenfield’s report. The shortfall on good practice is some 75%. The implications for eHealth security and regulation in Africa are immense.

    tinTree has increased its cost schedules and risk adjustment in its eHealth economic model to reflect the costs of cyber-security over eHealth life cycles. The changed economic case leads to the need for a few critical actions:

      • Identify cyber-risks
      • Review eHealth strategies and increase the emphasis on regulation and security
      • Review eHealth investment plans and reallocate resources for eHealth regulation and cyber-security, especially for specialist staff and capabilities
      • Review existing eHealth services for cyber-risks and set up the resources needed to mitigate them
      • Reset the timetables and resources for eHealth projects inevitably squeezed by the costs of regulation and cyber-security.

    For eHealth strategies and investment plans being prepared, the changes are not as difficult to achieve. There is still time to include the costs of cyber-risks and regulation and achieve better eHealth.

    Other eHealth News Africa reports on cyber-security are: Medical devices may not be secure enough, Cyber-crime worries for Cote d’Ivoire, Ghana’s cyber security strategy with ITU underway, Most health data breaches are cyber-crimes, and SIM security risk warning for Africa.

  • Ghana's cyber security strategy with ITU underway

    Ghana’s National Government has made a commitment to transform the ICT sector, by putting in place policies and regulations to create an enabling environment for ICT. Deputy Minister for Communications, Victoria Hamah, announced that the national cyber security strategy is already under development.

    The National Government has signed an agreement with the International Telecommunication Union (ITU) to develop a National Computer Emergency Response Team (CERT) to respond to all security threats that may affect national security or the well-being of Ghanaians using the Internet. These new developments provide Ghana with the capacity and technical capabilities needed to deal effectively with cyber-crimes and cyber-attacks.

    “This project demonstrates the commitment of Ghana to unleash the full potential of ICT by ensuring security in cyberspace and building trust and confidence in the use of the Internet,” said Minister of Communications Edward Omane Boamah.

    The project sets a template for African countries to ensure that their regulations follow their ICT developments and initiatives. It is crucial that ICT is adequately regulated and secure for eHealth to flourish.

    You may be interested in Most health data breaches are cyber-crimes.