Cyber Experts Seek a Prescription to Limit Risks of Putting Patient Data Online

Panel debates ‘rewards and risks’ of technological advances

Midway through Season 2 of Showtime’s popular TV series Homeland, US Marine Sgt. Nicholas Brody—who is being blackmailed by Iraqi terrorist Abu Nazir—sneaks into the home office of Vice President William Walden, desperately looking for the serial number of Walden’s pacemaker.

Brody finds it and transmits the number to Nazir, whose computer-savvy accomplice uses it to remotely accelerate Walden’s heartbeat, inducing a heart attack. Brody watches without remorse as the politician who ordered a drone strike that killed Nazir’s son dies an agonizing death.

The incident is pure Hollywood, of course, but targeted, high-tech assassinations like these may actually take place in the not-too-distant future, panelists warned at a March 18 “Cyber Risk Wednesday” conference hosted by the Atlantic Council’s Brent Scowcroft Center on International Security.

The event, “The Healthcare Internet of Things: Rewards and Risks,” was the second in a series that looks at the potential of key technologies. It opened with a speech by US Rep. Diana DeGette (D-CO), whom the center’s Director, Barry Pavel, called a “leading voice in the healthcare debate.”

“My 21-year-old daughter Francesca has been a Type 1 diabetic since the age of four,” said DeGette. “Francesca has an insulin pump and a continuous glucose monitor. The pump acts as a receptor for radio signals, measuring her blood sugar every few seconds. The data the pump collects is transmitted to a computer where her doctor is able to slice and dice that data. It’s a medical breakthrough that’s going to save the lives of Francesca and millions of other diabetic patients around the world.”

Although such innovations let doctors monitor patients in real time—giving them a level of detailed information that was completely unavailable before—they also open up inherent risks, warned DeGette, an expert on human embryonic stem-cell research who is currently Chief Deputy Whip of the Democratic Caucus.

“With devices like Francesca has, not only would we risk a breach of her privacy, but intentional disruption could cause serious physical injury or death. This could be a new wave of terrorism,” said the congresswoman. “I would argue that the privacy issues we’re facing right now are a good problem to have, because it means we’re dealing with real advances for patients and medical providers. But, nonetheless, it’s a challenge for us to ensure that new developments adhere to the highest standards.”

DeGette said she and fellow lawmaker Rep. Frederick Upton (R-MI) are working to draft bipartisan legislation that would, among other things, incorporate portions of existing US software law to reflect 21st century realities.

“Without a final draft, we don’t have any details about precisely how we’re going to address these issues, but we want to do everything we can to encourage these developments in ways that keep patients’ safety and privacy in the forefront,” she said.

“Think of what’s happened in the twenty years since Congress passed the Telecom Act of 1996—developments those members of Congress could have never imagined,” DeGette explained. “It’s the same thing with medical devices. We need to protect patients’ safety, but we also need to give room for innovation, and that’s what we’re trying to achieve.”

The March 18 panel coincided with the release of a report, “The Healthcare Internet of Things: Risks and Rewards,” by Jason Healey, Neal Pollard, and Beau Woods.

After DeGette’s presentation, Healey, Director of the Council’s Cyber Statecraft Initiative, moderated a discussion with Pat Calhoun, Senior Vice President and General Manager of Network Security at antivirus software giant McAfee; Joshua Corman, Chief Technology Officer at Sonatype, a Maryland-based software supply chain management company; and Suzanne B. Schwartz, Director of Emergency Preparedness, Operations and Medical Countermeasures at the US Food and Drug Administration.

“This report educates the industry on the evolution of healthcare and connected devices. But it also helps set the best path forward,” said Calhoun. “We have to make sure security is built into these devices from the get-go. We can’t bolt on security after the fact.”

Citing the report, Calhoun noted that 48 percent of healthcare practitioners have already integrated consumer devices into their IT systems, and that more than 60 percent have begun doing basic security audits on these devices—with a potential $63 billion in savings if such devices are adopted globally.

But those advantages may come with substantial risk. The same day as the Atlantic Council panel, leaders of the Senate’s Health, Education, Labor and Pensions Committee were accusing insurer Anthem of failing to inform fifty million customers who may have been affected by a massive data breach in February that exposed nearly eighty million customers’ Social Security numbers and birthdays.

Hackers place a higher value on patient data than even credit-card data, Calhoun said, warning that “we’re one breach away from hitting one hundred million.” And potential terrorists could seek to exploit a specific security flaw, putting millions of users at risk.

The problem, said the McAfee executive, is that “the underlying architecture of firewalls has not changed in twenty-five years”—a loophole that has led key manufacturers like Intel to drastically change this architecture to “lock down known threats.”

“Now we have a pretty good idea what threats actually look like,” he said.

Even so, argued Corman, it’s ironic that US companies spend an estimated $80 billion a year on cybersecurity—but that most of it goes to protect credit-card data. And that strategy, he said, is an abject failure.

“Our dependence on connected technology is growing faster than our ability to control it,” he cautioned. “What we’ve noticed is a material weakness in a lot of these devices. If you watch the news, there’s more than one breach per week. And while dependence [on these devices] is rising, we haven’t risen to the challenge.”

The answer, he said, is to be a “helping hand” rather than to scare people.

“No one’s been killed yet, but we can’t wait for that moment,” Corman said. “We once had a terrible problem with pollution, but it took the Cuyahoga River in Ohio to catch fire [in 1969] and stay on fire for days before we finally decided to do something about it.”

Larry Luxner is an editor at the Atlantic Council.

Image: Jason Healey (left), Director of the Atlantic Council’s Cyber Statecraft Initiative, moderates a panel on “The Healthcare Internet of Things: Rewards and Risks” March 18 at the Atlantic Council. Suzanne B. Schwartz (center), Director of Emergency Preparedness, Operations and Medical Countermeasures at the US Food and Drug Administration, and Joshua Corman, Chief Technology Officer at Sonatype, a Maryland-based software supply chain management company, were part of the panel. (Larry Luxner / Atlantic Council)