Prescription: Better Cybersecurity Hygiene in Digital Health and Life Sciences
A recent issue of MIT’s Technology Review magazine is titled, “Look how far precision medicine has come.“ At least part of the premise is that personalized medicine or precision medicine is not perceived as having made the great strides promised nearly 20 years ago, when genome mapping was increasingly feasible and affordable. What is not up for debate is the extent to which life sciences and digital health firms rely upon increasingly distributed data collection and analytics. The data security challenges confronting healthcare delivery become all the more daunting when one considers the sheer volume of current and historic health information used in research and product development.
The increased use of applications that rely on cloud computing, when coupled with the rise in mobile and use of personal devices for work, allows sensitive data to flow outside the traditional enterprise firewalls. Since employees often have more access to sensitive data than they actually need, companies end up placing their data at risk unnecessarily. This means that hackers can now also use the same pathways that company employees use to access sensitive company data.
Security in Mobile Devices and Applications
Mobile devices that fall outside enterprise management potentially constitute the weakest link in a security infrastructure. Not only is the device outside of the system administrator’s direct control, it is also being managed and operated by a human being within their environment and is subject to the individual’s own understandings and misconceptions.
As with other advanced computing equipment, user awareness is key to safeguarding the mobile device, both electronically to protect the identity and data it carries and physically to secure the device if lost or stolen.
Security for a Research Application
Privacy, data security, and informed consent are integrally bound together in the health research environment, from the standpoints of protection and compliance. The growing use of mobile devices for the recruitment of and communication with study participants, as well as the subsequent collection of patient-reported data, puts new emphasis on these elements. A software framework, such as Apple’s ResearchKit, can aid in building a mobile research app, but still does not address data management, privacy, and security controls. Key protective steps include:
Completely wiping both the app and related data from a device when the participant leaves the study, and providing assurance that such measures are taken to the participant.
Using credentials to control access to the app and its data. At a minimum, this should be a PIN or biometric ID, with two-factor authentication strongly recommended.
Enabling the highest level of file/data protection possible. For example, having files/data stored by the app automatically encrypted whenever the device is locked.
Deleting all sensitive data collected by the app on the device as soon as possible.
Security Around Data Management in the Cloud
Cloud services are especially attractive for data-oriented projects, given their essential characteristics: on-demand self-service that does not require human interaction at the cloud provider, ubiquitous network access, rapid elasticity in scaling resources up and down, and measured service.
Key stakeholders need to be aware and part of the evaluation of any cloud service provider, and should demand transparency in certain aspects. While these suggestions don’t require a detailed understanding of the technology, they do require some technical literacy to ensure that the proper questions are being asked of the cloud provider—ones that balance privacy, security, and legal requirements with functional needs. These include:
Privileged user access. This includes both cloud provider staff access to information owned by the researcher, and the methods available to authenticate, manage, and track anyone who might have access or might gain access to the sensitive information and applications.
Data segregation. Data in the cloud is typically not segregated in a multi-tenant environment. Know whether your data will be stored on dedicated hardware and, if not, what protective measures the cloud provider takes to ensure that your data will not be compromised in that shared environment.
Investigative support, such as breach investigation and forensics. Get terms for visibility and incident response reports up front and in writing. Will the provider routinely provide the correct level of logs if requested by a customer?
Liability and indemnification. Will the cloud provider stand behind their security and privacy assertions and defend the researcher should a breach occur? If dealing with electronic protected health information (ePHI) subject to HIPAA rules, make sure that the cloud provider will sign a business associate agreement (BAA) also compliant with HIPAA rules.
IMPACT OF DATA SHARING
Open data sharing avoids the duplication of research effort and facilitates the work of researchers who are able to build on and advance the findings of others. Properly de-identified health data is an invaluable tool for scientific and health research advances. The National Institutes of Health typically require researchers to make data available to other investigators via an NIH-designated database or approved alternative.
No one can depend on the traditional cyber walls and moats in the new paradigm of loosely connected computing and data devices. What is needed is more aggressive self-assessment, with the understanding that “offense can inform defense.” Just as the move toward patient-generated data is transforming care, the growth in personally generated identity is transforming health-related information security. Proactive self-assessment and self-security are needed to allow identification and remediation at the individual level.