Lisa Dalgleish, health and care solicitor at leading law firm BLM, looks into some of the challenges and liability risks resulting from the proliferation of digitalised healthcare and new technologies.

The BBA, the trade association representing the UK banking sector, has reported that there are 9.6 million log-ins to internet banking every day and £2.9 million is moved by customers using banking apps every single week. Meanwhile, online retail purchases were made by 81% of Brits last year. When it comes to booking holidays, finding your dream destination, paying for it and then printing out the plane tickets from the comfort of your own sofa, purchasing is now more convenient than ever.

Against the continued rise in popularity for the convenience of digital solutions across all aspects of our daily lives, is the healthcare sector on track to keep pace with the ever-evolving digital world?

Last year only 2 per cent of the population engaged with a digitally enabled transaction with the NHS, according to the Department of Health’s National Information Board (NIB). 

Efforts to increase digitalised healthcare provision in the UK are now essential for the NHS and beyond. In fact, NIB’s ‘Personalised health and care 2020: a framework for action’ states that: ‘Better use of technology and data is a prerequisite for supporting and enabling the key developments needed to reshape the health and care system.’

mHealth, wearable and implantable technologies, medical equipment and devices connected to ‘the Internet of Things’, remote consultations, diagnoses and treatments and a variety of other healthcare innovations, once only the predictions of science fiction and now real, are set to hit unprecedented heights in 2016 and beyond.

But with new technologies come new risks – so what implications should we be aware of? How can we manage all of the data – personal and extremely valuable data – that is produced by these new technologies? What are the key vulnerabilities? Is ‘medjacking’ the biggest emerging threat?

‘Medjacking’

‘Medjacking’ is a term coined to describe the use of malicious software (‘malware’) as a means to launch cyber attacks on healthcare systems. This is usually done by hackers placing malware on networked medical devices – giving them the ability to remotely control medical equipment.

Medical devices may be vulnerable to attacks on the security systems installed by their manufacturers. Some manufacturers, especially those with low budgets for cybersecurity, turn to open source code and libraries for security solutions. They may be using older, more exploitable code with known vulnerabilities in their products.

Where security systems are managed solely by the manufacturer’s external technicians, healthcare providers are totally dependent on manufacturers to maintain security.

Cyber attacks on healthcare providers

Medical devices have emerged as a new target for cyber attacks. In a report published in June 2015, one cyber defence company reported a case at an unnamed hospital where hackers were able to plant malware in surgical blood gas analysers.

The hackers then used the equipment as a back door to find passwords throughout the hospital’s IT systems and leak sensitive information. Another case involved hackers creating a backdoor access point through a hospital’s X-ray system.

The information that healthcare providers hold is more valuable than payment card information held by retailers. Health organisations often have complete profiles of people including national insurance numbers and medical health information that is impossible to change in light of a data breach.  Health data attacks give hackers the information they need to commit identity fraud and organisations are vulnerable if their security systems are not sufficiently robust.

Healthcare apps

The healthcare industry is now using ‘apps’ in the same way as the fitness industry, to track patient health and assist with treatment compliance.

This year has seen the launch of Apple’s ‘iWatch’, which is able to monitor heart rate, blood glucose, sweat and sleep patterns. Various other fitness bands offer a variety of options for capturing an individual’s key health data, and consultants are predicting that up to 75% of the global population will be expected to use devices like this in the future.

We are also moving into an era of ‘implantables’. Google’s smart contact lens has the potential to monitor a person’s glucose levels or other vital signs. Drug companies are working on implantable smart pills that work with Bluetooth to inform doctors and family members if a patient has taken his or her medicine.

The progression from remote health monitoring to health apps will see patients monitoring and assessing their own health issues and managing their own prescriptions, relying on applications to inform patients to take clinical action and make diagnoses.

Bionics

A new generation of bionics that can connect wirelessly with the nervous system and enable ‘feeling’ sensations is now available to patients in the UK. These devices are implanted directly into the nerve to process and transmit signals wirelessly to an external device.

A £1.4m UK research project led by Newcastle University aims to develop novel electronic devices that connect to the forearm neural networks to allow two-way communications with the brain. This could allow the hand to communicate directly with the brain, sending back real-time information about temperature, pressure and shear force. A £5.3 million award from the Engineering and Physical Sciences Research Council will also be used to develop smart trousers to help disabled and older people walk, and biosensors to monitor how patients use equipment or exercise during rehabilitation.

Where the data sent through such devices is not encrypted, there is greater potential for a hacker to intercept or even modify that data.  The former poses a security risk, the latter a threat to human health.

Conclusions

Technology can provide many answers to the challenges faced by healthcare providers. It can provide new and effective treatments, where patients can be treated away from hospitals and surgeries, reduce the scope for human error and result in cost savings.

However, the increasing use of technology means that more and more data is being held by healthcare providers and the high value of that data means that they have become increasingly attractive targets for hackers. 

The focus of technological development therefore needs to be as much on the security of the data obtained as on the effectiveness of the devices themselves.  Whilst there have not been any reported UK data breaches involving cyber attacks against healthcare providers so far, healthcare providers should be prepared.

www.blmlaw.com