Do No Harm. Matthew Webster
that is not possible with traditional infrastructure. They do not have to pay for processing power—only storage for keeping their virtualized systems powered down, which is a huge cost savings.
For the IoMT, the cloud is a very critical component because, for some companies, the growing ubiquity of devices means that they will need to grow as their devices grow. While there is a range of technologies that aid or support connectivity, the cloud is one of the key technologies. That being said, cloud technologies come with their own unique types of risk. Mature companies have the issues related to those risks mostly accounted for, but smaller companies are not always as adept at understanding or compensating for those risks. For example, where companies had traditional physical security to keep track of, a cloud provider takes full responsibility for that security.
Some of the differences that take some getting used to for many companies are cloud native capabilities. For example, years ago, traditional systems used a database. Think of a database as a giant electronic repository of data. It is more complex than that, but it is sufficient for this discussion. Today, a separate database does not need to be purchased. Many cloud systems have databases built into the infrastructure. We refer to those as cloud native systems. The challenge for companies is that there is a learning curve when it comes to cloud native systems. Let's take the example of the S3 bucket, which is a cloud native database within Amazon Web Services (AWS). (I almost wish I had kept track of the number of organizations—both government and corporate—that have been hacked as a result of a misconfigured S3 bucket.) It is a very common occurrence, even though AWS has increased the security, brought the related dangers to the attention of others, and published educational information on how to configure the S3 bucket securely. One of the proverbial sins of IT is to make sure that a system works, but not to make sure that the system is secure. If everyone on the internet can access the system, it is probably working from an IT perspective, and often the administrator does not realize they have just opened the database to hackers as well. This is not just a problem of small companies; some of the major breaches that have hit the news are related to S3 bucket security. Examples include such prominent names as Uber, Accenture, and even the United States Department of Defense.30 While there is a much deeper dive that can be had related to this specific topic, suffice it to say that cloud native technology has its challenges, and not all companies are equally up to those challenges.
The reason this is important to consider is that companies often store the information related to the connected medical devices in those buckets—often without the knowledge of the end users of those systems. All a physician cares about is ensuring their system works properly when they need it to. They are operating under the assumption the host company is doing the security properly.
Many of you may be thinking that the problem has to be resolved soon. The reality is the problem does not appear to be going away. In August 2020, Truffle Security reported that they uncovered thousands of leaky S3 buckets in AWS that are accessible to anyone on the internet without authentication.31 To make matters worse, they believe that these open buckets are “wormable.” This means that software could be written so that one bucket leads to another, magnifying the impact of a leak. With all of these leaks, it is only a matter of time before ransomware based on misconfigured S3 buckets becomes a new norm. Already the proof of concept has been created.32
While AWS is the focus of this discussion, most of the major cloud providers have their own versions of the AWS S3 buckets. Since AWS is the largest player in the market (and one of the most mature of the cloud players), it is used by many and thus these issues are more prevalent. As the other cloud providers become more prevalent, these issues will pop up. There are numerous articles about some of their competitors.
A few of the more astute readers have probably noted that this chapter has not touched on the most obvious aspect of databases—encryption. A foundational requirement in information security is to encrypt data. HyTrust performed a survey of companies moving to the cloud. The survey uncovered that 25% of healthcare organizations are not encrypting data in the cloud.33 What has not been specified is if this is related to cloud native databases or installed, non-native databases. Either way, it is a very serious issue and points to lack of due diligence and/or due care in organizations.
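The two configuration gaps discussed above, buckets readable by anyone on the internet and data stored without encryption, can both be checked from a bucket's own configuration documents. The following is an added example, not code from the book: it audits the ACL, bucket policy, public access block and default-encryption documents in the shapes the AWS S3 API returns them. The sample bucket and its name are constructed, and policy statements that carry a Condition are assumed to need manual review rather than being flagged.

```python
import json

# Grantee URIs S3 ACLs use for "everyone" and "any AWS account holder".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def is_wildcard(principal):
    """True for Principal "*", {"AWS": "*"} or {"AWS": [..., "*"]}."""
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    if isinstance(principal, str):
        principal = [principal]
    return "*" in (principal or [])

def audit_bucket(acl, policy_json, public_access_block, encryption):
    """Return findings for one bucket's ACL, policy, access block and SSE config."""
    findings, pab = [], public_access_block or {}
    if not pab.get("IgnorePublicAcls"):  # when set, S3 ignores public ACL grants
        for grant in acl.get("Grants", []):
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                findings.append(f"public ACL grant: {grant['Permission']}")
    if policy_json and not pab.get("RestrictPublicBuckets"):
        statements = json.loads(policy_json).get("Statement", [])
        if isinstance(statements, dict):  # a single statement may be a bare object
            statements = [statements]
        for st in statements:
            # Assumption: statements with a Condition are left for manual review.
            if (st.get("Effect") == "Allow" and is_wildcard(st.get("Principal"))
                    and not st.get("Condition")):
                findings.append(f"policy allows anyone: {st.get('Action')}")
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if missing:
        findings.append("public access block off: " + ", ".join(missing))
    rules = (encryption or {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault") for r in rules):
        findings.append("no default encryption rule")
    return findings

# Constructed sample: a world-readable bucket with no protections configured.
SAMPLE_ACL = {"Grants": [{"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, None, None):
        print(finding)
```

In a live account the four inputs would come from the S3 API calls that return the bucket ACL, bucket policy, public access block and bucket encryption configuration; the function itself needs no network access.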
Another cloud native technology that is a challenge for some businesses is the portal to the clouds themselves. Think of that portal as an administrative gateway that provides full access to one or more virtual data centers. That access includes all cloud native infrastructure, and now, quite often, virtual computers used by everyday corporate employees.
So far, though, I have not touched on a branch of the cloud known as Software-as-a-Service (SaaS). Instead of needing to build your own tools in the cloud, services are available to do many of the common actions that hospitals and doctors’ offices would otherwise need to create on their own. While sometimes there is a significant customization effort, these tools can provide companies with huge cost savings. Many of these companies also provide the compliance and security necessary to secure the data. Of course, these third-party vendors are far from perfect. Atrium Health had to notify 2.65 million individuals of a data breach as a result of AccuDoc being breached.34 So, due diligence related to the vendors is a must just as with any technology.
Mobile Devices and Applications
The use of mobile applications in medicine is becoming more common with each passing year. They cover everything from information and time management, access to records, communication and consulting, patient management and monitoring, to aids for clinical decision-making. They are helping to lead the charge for better decision-making and improved patient outcomes. With digitalization of records, healthcare professionals can access the information from anywhere. For some this is a marvelous miracle. For devices that are heavily controlled by corporations, the risks are relatively low. The challenge comes in with consumer technology. We do not necessarily have the most up-to-date versions of the software. While some people buy the latest technology, keep up to date with patching, and have antivirus installed on their devices, others do not. There is also a tremendous number of risks from downloading applications with malicious software in them. Review 42 identified that one in 36 phones had a high-risk application in them.35 If you tie that back to phones that are not patched or protected, this is a very large volume of phones at high risk.
Let's take a look at this from another perspective. Science News had an article where a research team from the University of Sydney, the University of Toronto, and the University of California studied how top-rated medicine tracking mobile apps shared data. They looked at the top 24 apps on the Android platform within the United States, United Kingdom, Canada, and Australia. They were looking for potential data leaks beyond the apps themselves. They found that 19 out of 24 of the apps shared data outside of the apps. A total of 55 unique entities were receiving the data. Those unique entities were owned by 46 parent companies. The entities they analyzed could share the information with 216 fourth parties, including multinational technology companies.36 What they did not state in the article was whether those 216 parties had limitations about the data that is shared. Nonetheless, this is fairly concerning as it does shed light on how many companies do business this way from one app.
Clinical Monitors
Clinical monitors are the lynchpin that helps to coordinate a wide range of IoMT devices so that medical information regarding a patient is all together in one location. They also make sure that the records are fed directly into Electronic Health Record (EHR) systems. The data can then be reviewed by specialists at a later point in time. Almost predictably at