Risk (14)

Advice from the late W C Fields, an American comedian, was to “Always carry a flagon of whiskey in case of snakebite and furthermore always carry a small snake.” Dr James L. Madara, Executive Vice President and CEO at the American Medical Association (AMA), has invoked snakes and other creatures as metaphors for bad eHealth. In his AMA address, he says it’s vital to separate “The digital snake oil from the useful--and potentially magnificent--digital tools.” Snake oil’s quack medicine and remedies, and the equivalent has no place in eHealth. It’s essential advice for Africa’s health systems.

Achieving it needs action to ferret out and quell the undesirable “digital dystopia” that doesn’t improve health or healthcare, or make it more efficient. Dr Madara says examples are:

  • Ineffective EHRs
  • mHealth apps of questionable quality
  • Tools that often fail to enrich the doctor-patient relationship
  • Tools that need more time, not less.

He sees these as an increasing challenge that needs tackling. His examples of good investments are robotic surgery and telemedicine. These provide camouflage for poor eHealth: “Appearing in disguise among these positive products are other digital so-called advancements that don't have an appropriate evidence base, or that just don't work that well.” The AMA’s separating the useful tools from the “digital noise” and working with vendors and federal regulatory agencies to apply the findings.

How can Africa’s health systems replicate this essential and unending task? They’ll need:

  • A new eHealth role for each country’s medical, nursing and pharmacist associations
  • Developed and applied eHealth regulation
  • Doctors’ and other health workers’ knowledge embedded in eHealth solutions
  • eHealth tools adapted to variations in practices
  • eHealth evidence databases
  • Applying findings in eHealth strategies, plans and procurements.

Acfee’s eHealth evaluation database has examples of good and bad eHealth. Some of the bad eHealth is partly due to weak or inappropriate eHealth leadership, procurement, project management, benefits realisation and financing methods. Inadequacies in these limit the benefits of good eHealth, so need adding to the list of actions for Africa’s eHealth.

These activities need resourcing. It’s a better investment than coping with the disruption of inappropriate eHealth.

Risk pervades all endeavours. It’s prevalent in actions and inaction. Mark Zuckerberg, a Facebook co-founder, thinks that “The only strategy that is guaranteed to fail is not taking risks.” There are two challenges. First, is the risk of change so great that it’s unmanageable? Second, how can manageable risks be mitigated? Dealing with these enables investors and decision takers to realise a good relationship between risk and reward.

The Healthcare Internet of Things Rewards and Risk is a report from the Atlantic Council. McAfee, a sponsor with Intel Security, has a summary. The core proposition is that industry must build security into IoT devices from the outset, not as an afterthought. It’s becoming an imperative as IoT moves rapidly towards consumers and is embedded in medical devices, wearables, stretchables and ingestibles.

It sees the main risks as disruption, leading to threatening and distressing situations. This lays a responsibility on numerous IoT actors, including the IoT industry, regulators, and the medical profession. Minimising the risks across the IoT networks helps to maximise the rewards, especially for patients and health workers and the software, firmware, and communication technology firms.

The report says this risk and reward emphasises the “Delicate balance between the promise of a new age of technology and society’s ability to secure the technological and communications foundations of these innovative devices.”

Disruption is seen from three main causes:

  • Accidental failures where the technology destroys users’ trust and IoT demand
  • Privacy violations from often unpredictable malicious attacks
  • Connected devices susceptible to malware that infects IoT devices.

Required actions are:

  • Evolving regulation that’s co-ordinated and provides incentives for medical device and IoT innovation
  • Better private to private and public to private collaboration
  • Regulators that keep pace with technological progress.

This provides a challenge for African countries. eHNA posted that their eHealth regulation is limited, and well below good practices from other continents. Both regulatory capacity and capability need expanding considerably for African countries to keep pace with IoT. There are affordability and expertise constraints. If these aren’t overcome, then the business case for IoT investments needs a significant adjustment for risks, many of which will remain unmitigated. This’ll be inhibiting as the long-term strategic opportunities for mHealth and IoT are considerable for Africa’s vastly overstretched healthcare systems.

Patrick Warburton, an actor, has another view of risk. “You've got to go out there, jump off the cliff, and take chances.” After you, Patrick. African countries should be at the back of this queue.

Cyber-security seems like a bleak, pessimistic science. Tamar Myers, an author born in the Democratic Republic of the Congo, seemed to capture its essence when she said “We pessimists have everything to gain, whereas optimists have a fifty-fifty chance of being disappointed.” Cyber-attacks that make the news seem more frequent and widespread, so it’s a different goal to go for pessimism in advance. Instead of reporting on events, Websense, a cyber-security firm, has set its view on the top ten coming up in 2015.

Number one’s healthcare. It says that “Healthcare will see a substantial increase of data stealing attack campaigns.” Next is the Internet of Things (IoT), probably through a device connected to the internet, such as a programmable logic controller in a manufacturing environment. This doesn’t rule out telemonitoring devices in hospitals and communities.

Mobile phones’ authentication consolidation will trigger data to help exploit transactions, but not for stealing data. This could extend to the increasing use of mHealth. Open source solutions, many of which are in place in healthcare, are seen as offering new vulnerabilities emerging from old source code. Some of it goes back decades.

Many of us would be rendered speechless if our emails were cut off. They’re now a daily routine. Emails will attract more sophisticated and evasive cyber-assaults. The expanding cloud isn’t immune. As organisations open up access to more cloud, collaboration and social tools, cyber-criminals will locate their command and control infrastructures to hide in these approved channels.

Africa’s healthcare will follow these trends, so needs to assess and implement the cyber-security needed for each one. The impending doom isn’t a good reason to do nothing. Jean-Baptiste Alphonse Karr, a French novelist, said “Some people grumble that roses have thorns; I am grateful that thorns have roses.” It seems a constructive, optimistic way for Africa’s healthcare to deal with eHealth and its cyber-challenges.

The ECRI Institute has released its Health Devices 2014 report: Top 10 Health Technology Hazards. Their annual top ten list identifies potential sources of risk and is a tool that healthcare facilities can use to prioritize their patient safety efforts. Not all the risks on the list apply to all healthcare facilities, but it’s a good starting point for setting eHealth safety priorities.

Health technology risks come in many forms and can be the result of a number of factors, including ICT problems such as improperly configured systems, incomplete data, or inappropriate and outdated malware protection. Human negligence has a part to play too, such as incorrect reprocessing techniques, and so do problems intrinsic to the devices themselves, such as difficulty of use, design flaws, quality issues, and failure of devices to perform.

It’s critical to recognize these risks and address them before they cause problems. ECRI provides a good starting point. Their list for 2015 includes:

1. Alarm hazards: inadequate alarm configuration policies and practices

2. Data integrity: incorrect or missing data in ICT systems

3. Mix-up of intravenous lines leading to misadministration of drugs and solutions

4. Inadequate reprocessing of endoscopes and surgical instruments

5. Ventilator disconnections not found because of misset or missed alarms

6. Patient handling device use errors and device failures

7. Dose creep: unnoticed variations in diagnostic radiation exposures

8. Robotic surgery complications due to insufficient training

9. Cyber-security: insufficient protections for medical devices and systems

10. Overwhelmed recall and safety-alert management programmes

African countries developing eHealth strategies need to be aware of these risks and plan to avoid them, or at least deal with them effectively. Identifying and managing these risks could save precious resources down the line.

Longstanding PC products from reliable suppliers can have security vulnerabilities that pass from one version to another. In May this year, IBM found one, called WinShock, in Microsoft Windows Object Linking and Embedding (OLE) that’s 19 years old. Microsoft’s released a patch to fix it, and rated the update as critical.

It seems that the bug was in every version of Windows 95. It provided a way in for cyber-criminals for drive-by attacks that entice users to download malicious software to run code and control PCs remotely. Then, attackers can take over PCs.

Microsoft’s November Security Bulletin includes fifteen security updates, including WinShock, with one more to come. Four of these are critical, the same classification as WinShock. A critical update to Internet Explorer fixes 17 vulnerabilities reported privately. Another fixes one in Microsoft’s Secure Channel, or Schannel, that enabled access through servers to encrypted data.

It’s vital that all healthcare organisations in Africa download updates for all their Microsoft products as soon as they’re released. It’s the same for updates from other suppliers too. Just because products are old doesn’t mean that all the bugs are fixed.

A cyber-security campaign by two researchers, Karsten Nohl and Jakob Lell, has led them to sharing online the computer code, the BadUSB flash, which can turn almost any device that connects using a USB into a cyber-attack platform. Their goal is to force electronics firms to improve defences against attack by USB. The BBC technology site has commentary on their altruistic activities.

They discovered that the weakness is in the on-board software, the firmware. It tells a computer what kind of a device is being plugged into a USB socket. There’s a way to subvert this and install attack code. Two other researchers, Adam Caudill and Brandon Wilson, have completed their reviews of BadUSB too, and produced code to exploit it. It now seems well understood, but the fix may be difficult to deal with. It seems that the problem is structural because the standard used is not robust enough, and individual vendors can change it.

With numerous USBs often switched between laptops and other devices, African countries need rigorous control of users’ habits as well as looking for secure USB devices. This is quite a challenge with the wide range and uses of USBs.

How secure is your mHealth app? Security vulnerabilities of mHealth need addressing with rigorous risk assessment, says a study by researchers at Warwick University in the UK, and published in the Journal of Medical Internet Research (JMIR). While medical apps offer clinicians the capability to access medical knowledge and patient data at points of care, some apps could compromise patient safety and are potentially dangerous. There are different kinds of risks, and specific measures are needed to deal with them, especially their accuracy and reliability.

The team proposes four main types of risk, each with different responses needed for regulation and with different regulators, ranging from individual clinicians for low risk apps, such as Body Mass Index (BMI) calculations, to independent, statutory regulators for higher risk apps with more complex mathematics.

Many risk management methods are still in early development stages, so the initiative will roll on. The current status is still extremely valuable for eHealth regulators. For African countries, the model offers a faster start to mHealth regulation.

A demonstration by two German researchers at the Black Hat Hackers conference in Las Vegas seems to have shot a big hole in using Universal Serial Bus (USB) devices. Karsten Nohl and Jakob Lell from Security Research Labs (SR Labs) have shown how easy it is to use a USB stick to infect computers, and users wouldn’t notice a thing until it was too late.

The researchers said that:

  • There is no practical way to defend against it
  • The USB standards body and manufacturers should build in extra security.

Rigorous regulation, good practices and compliance are part of the solution, but they aren’t enough. It needs a concerted effort by the supply side and users. With an estimate from USB Company of US$3 billion of USB 3.0 in use in about four years’ time, finding a sustainable solution is urgent.

Logging on to public wi-fi hotspots usually has a greeting saying that the links are open and not secure. It seems that cyber-criminals think that enough users disregard the warnings, so it’s worth spending time hacking into them.

Europol’s cybercrime chief, Troels Oerting, told BBC Click that there’s a continued growth in cyber-attacks attempted through public wi-fi. He says that people should only send personal and sensitive data across networks they trust, so should not use public wi-fi. If they do, they risk hackers stealing it.

The hacking techniques aren’t sophisticated. Hackers use a Man in the Middle set up where thieves place themselves between users and hotspots, then gather all data passing between the two points. This tricks users into connecting to a hotspot that looks legitimate and similar to the ones in cafes, pubs, restaurants, airports and other public places. The European Parliament recently switched off its public wi-fi system when it found that a Man in the Middle had penetrated the service.

Healthcare ICT teams should advise all their users that everything they send through wi-fi is at risk, and is exposed to greater risks when using public wi-fi hotspots, so patients’ health data should never be transmitted across public wi-fi services. Better awareness should help. Complete compliance will help more.

Anxiety disorders have many manifestations. One is wondering about cyber-attacks. Another is wondering where the data breaches are. Data Protection Strategies for the Health IT Pro, a SearchHealthIT ebook, might help. Its focus is encryption.

The simple principle is that protecting patient data is a major priority for all healthcare organizations. Using encryption technology strategically throughout an organization can prevent data from falling into the wrong hands. The task begins with a rigorous risk analysis and, with data security seemingly easy to breach, the ebook sees data encryption as essential.

The report is free. To download it, go to the SearchHealthIT website, create an account if you do not have one already, and download it. If you go to the Expert E-books page, there are many other valuable publications.