Some cybersecurity experts are asking if new types of federal oversight are needed to prevent the growing number of HIPAA violations due to hacking. In 2020, Google and Apple announced a joint effort to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of COVID-19 “with user privacy and security central to the design,” according to Google. The company’s COVID-19 contact tracing app, however, reportedly had a significant security flaw, and individuals who used the app are suing Google for violating their privacy.
Google and Apple launched the Exposure Notifications System (ENS) to help combat the spread of the coronavirus. With this system, the Bluetooth function provides alerts to nearby individuals of potential exposure to COVID-19. It was unveiled on April 10, 2020, and it came on the market May 20, 2020. It was added to devices via a Google Play Services update on Android. The ENS has been adopted in more than half the states and has millions of users.
Individuals who used California’s public health COVID-19 contact tracing app have filed a lawsuit against Google claiming the app exposed their data and violated privacy laws. “Google is not the only tech giant to face court action for perceived violations of privacy laws and exposing data of their users,” said Maya Levine, a technical marketing engineer for cloud security at Check Point Software. The real cost for these companies, according to Levine, is not just money or loss of public trust but mounting evidence calling for a shift in regulation.
Many devices are Bluetooth enabled, so companies and individuals need to be aware that Bluetooth functionality can be compromised because of what has been dubbed “BlueBorne” vulnerabilities, Levine said. It is widely and wrongly believed that Bluetooth cannot be intercepted and that a hack always requires some sort of user interaction. “The BlueBorne vulnerabilities proved both assumptions wrong, as merely having Bluetooth on a device switched on renders it vulnerable to an attack,” Levine said.
Most people leave Bluetooth on their devices on constantly, but they should shift to enabling Bluetooth on devices only when needed. This is easier said than done, however, and unlikely to be widely adopted. “For example, many headphones nowadays are Bluetooth enabled. Are people willing to not listen to music at all in high risk zones such as airports or public transit centers? I think what is important here is to educate both individuals and companies of the risks and allow them to make informed decisions,” Levine said.
European countries have changed laws to put the responsibility of users’ data onto the tech companies and levy heavy fines for irresponsible practices, she said. “These tech companies have operated largely unregulated for a length of time,” Levine said. “I believe that this free rein is quickly coming to an end. Hopefully, more regulations and a more watchful eye over this industry will lead these companies to increase their investments in security.”
Before a new feature is released, it should be vetted and tested against every possible vulnerability and attack scenario. It is impossible to have 100% protection against every type of attack, however, she said. Numerous studies have highlighted how expensive cybersecurity incidents can be for an organization. Usually it is the monetary cost that is highlighted, but another problem is that incidents significantly erode public trust.
“A common perception is that if an organization cannot appropriately safeguard sensitive user data, it raises questions regarding what other managerial processes within the organization may be flawed or broken,” said Victor Benjamin, PhD, an assistant professor in the Department of Information Systems in the W.P. Carey School of Business at Arizona State University in Tempe, Arizona.
Conduct Internal Security Audits
Physicians can protect themselves and their patients’ privacy by conducting internal security audits. This includes examining the internal technology ecosystem and network within an organization and cross-referencing vulnerable databases to check for potential security flaws. “Organizations should work with suppliers to maintain cybersecurity consistency,” Dr Benjamin said. “Many recent attacks occurring against organizations actually originate from within the supply chain.”
A compromised vendor was the cause of the 2013 Target data breach and the 2020 SolarWinds hack. Organizations should consider partnering with so-called red teams, Dr Benjamin said. “Red teams are typically professional cybersecurity consultants who are versed in network penetration,” Dr Benjamin said. These individuals are employed to try to exploit any potential security vulnerabilities within an organization’s system. This can help provide some level of real-world cyberattack simulation.
All organizations should be practicing some level of cyber-risk mitigation that includes technological safeguards and processes that ensure a good cybersecurity posture, he said. The level of cybersecurity readiness that an organization should put in place is typically related to the value of the data requiring protection. In health care settings, the data in question is patient information, which is valuable and sensitive. Risk mitigation often begins by taking stock of what technology, software, devices, and networking equipment an organization uses to operationalize its IT infrastructure. “Bluetooth-enabled devices should fall into this portfolio of technology that is examined and monitored,” Dr Benjamin said. “But what makes Bluetooth potentially more susceptible to attack is its incredibly useful nature of allowing for different devices to communicate over the air.”
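The audit step described above (taking stock of devices, cross-referencing them against vulnerability data, and treating Bluetooth-enabled devices as part of the monitored portfolio) can be made concrete as a small triage script. This is an added example, not code from the article or from the experts it quotes; the inventory, the advisory records and their `ADV-CONSTRUCTED-*` ids are constructed placeholders, not real devices or CVEs, and the priority weights are an assumed scheme a practice would tune to its own risk appetite.

```python
# Constructed asset-inventory triage for a clinic: cross-reference each device
# against a vulnerability feed and rank Bluetooth-reachable, PHI-handling gaps first.
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    platform: str      # e.g. "android", "windows"
    patch_level: str   # security patch level as YYYY-MM (sorts lexically)
    bluetooth_on: bool # radio left enabled, so reachable over the air
    handles_phi: bool  # touches patient information

# Constructed advisory records with placeholder ids (not real CVEs). A device on
# the named platform is affected unless its patch level is at or after fixed_in.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-001", "platform": "android", "fixed_in": "2017-09", "via_bluetooth": True},
    {"id": "ADV-CONSTRUCTED-002", "platform": "windows", "fixed_in": "2017-09", "via_bluetooth": True},
    {"id": "ADV-CONSTRUCTED-003", "platform": "android", "fixed_in": "2021-03", "via_bluetooth": False},
]

# Constructed inventory of the kind an internal audit would produce.
INVENTORY = [
    Device("nurse-tablet-01", "android", "2017-06", bluetooth_on=True, handles_phi=True),
    Device("front-desk-pc", "windows", "2017-06", bluetooth_on=False, handles_phi=True),
    Device("lobby-kiosk", "android", "2021-06", bluetooth_on=True, handles_phi=False),
    Device("dr-phone", "android", "2019-01", bluetooth_on=True, handles_phi=True),
]

def affected(device, adv):
    return device.platform == adv["platform"] and device.patch_level < adv["fixed_in"]

def triage(devices, advisories=ADVISORIES):
    """Return one finding per vulnerable device, highest priority first:
    1 for any open advisory, +2 if reachable over Bluetooth, +1 if it handles PHI."""
    findings = []
    for d in devices:
        hits = [a for a in advisories if affected(d, a)]
        if not hits:
            continue
        exposed = d.bluetooth_on and any(a["via_bluetooth"] for a in hits)
        findings.append({
            "device": d.name,
            "advisories": [a["id"] for a in hits],
            "bluetooth_exposed": exposed,
            "priority": 1 + (2 if exposed else 0) + (1 if d.handles_phi else 0),
        })
    return sorted(findings, key=lambda f: -f["priority"])
```

Calling `triage(INVENTORY)` puts the unpatched, Bluetooth-on tablet that handles patient data at the top; a device whose only open advisory is not reachable over Bluetooth, or whose radio is off, ranks below it.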
For physicians, the rate of technological advancement is increasing rapidly. It takes a consistent effort over time to assess what new technologies can be used safely and efficiently but also with a low concern for abuse. “Really you can’t get around being a lifelong learner if you truly want to adopt the latest technologies to your specific domain of interest,” Dr Benjamin said. “You have to stay current with the needs of your practice, what novel capabilities are afforded by new technology, what risks bringing in those technologies may carry, and so on.”
It is highly recommended among cybersecurity experts that clinicians partner with outside consultants who better understand the technology space, and let them recommend technologies for use in health care environments. “At least then the liability can be pushed to the consultant organization rather than the physician,” Dr Benjamin said.