Why telemedicine represents a cybersecurity risk
Published on: 01 10 2019
It’s been a little over a year since French social security services started reimbursing remote consultations. And although the practice offers numerous benefits, some cyber-security risks need to be considered in advance. Here’s why.
Telemedicine means no longer having to travel: your appointment with the GP takes place with a TV screen between the two of you. Thanks to telecommunications, the remote delivery of medical services (appointments, consultancy, monitoring, assistance) is growing. And such advances are providing easier access to care for everyone, everywhere.
“Digital technology has disrupted our society; and so, logically, we need to rethink how our care journeys work”, says Lydie Canipel, Secretary-General of the Société Française de Télémédecine. “This needs to be done by mutual agreement between doctor and patient, but telemedicine is a great way to fight against geographical gaps in the medical map.”
This method of consultation is also particularly well suited to following up chronic diseases. “These are difficult, expensive illnesses that require close monitoring. Having two remote consultations in between your annual appointments with the cardiologist makes your life easier as a patient. Digital technology has enabled us to get back to proximity-based monitoring”, she adds.
Faster, fairer and more efficient... telemedicine has many advantages. But how secure is it?
Cyberattacks and their various motives
Telemedicine involves risks inherent to the technologies it is based on. A computerised medical instrument, such as a smart morphine pump, may experience a technical malfunction; but more importantly, it comes with increased cyber risk. And when it comes to remote operations, such risks are vital issues which must be directly factored in.
There are many possible motivations: resale of personal data (including health data), elimination of a competitive advantage, increased bargaining power, and even military sabotage. “All scenarios are possible, including the hijacking of a telemedicine instrument to monitor an individual or threaten their life”, adds Robert Wakim, Offers Manager at Stormshield. The six categories of risk apply perfectly to telemedicine: data integrity, confidentiality, availability, authentication, traceability of transactions and attribution of acts. “It has recently been shown that it is possible for a hacker to modify test results, resulting in a misdiagnosis. But hackers can also block access to patient records or paralyse health equipment - in this case, to obtain a ransom”. Returning again to remote operations, hackers could attempt to disrupt the connection with the doctor’s computer, or even switch it off or take control of it...
Teleradiology is, for example, a domain requiring an awareness of these issues. Robert Wakim details a few possible attack scenarios. “In real time, attackers could alter data being sent from the health device to the doctor’s computer; they could also change how commands are interpreted directly at instrument level and change the viewing angle; and lastly, they could take control of the doctor’s computer and change the result displayed on the screen”. In all of these cases, the test results would be wrong. And the diagnosis would be unreliable.
So how can we ensure that telemedicine can offer its benefits while at the same time protecting patients, health personnel and their data?
Multiple solutions against attacks
Faced with cyber threats, health professionals must consider the four components of the system: the communication, the instrument, the computer and the human being. Here, “communication” refers to the exchanged data enabling the instrument to be manipulated using electronic control systems.
In terms of systems, Stormshield has a full range of solutions to provide optimum assistance to health professionals, as Robert Wakim explains. “A solution such as Stormshield Endpoint Security protects end workstations and ensures they remain healthy. As for Stormshield Network Security (SNS) and its VPN system, data exchange confidentiality can be increased by creating an encrypted “private” virtual tunnel. SNS is also able to perform protocol verification; i.e. ensuring that transiting data complies with exchange standards. Once the data has reached the servers or the end workstations, solutions such as Stormshield Data Security are useful for protecting it in line with GDPR requirements.”
But the first and last line of defence is, of course, the practitioner, as the party best placed to realise that something is wrong and raise the alarm at the slightest doubt. “It is essential to educate medical and telemedicine professionals about the new risks and symptoms of a cyberattack,” Wakim points out.
Because cybersecurity is also about habits and practices: “the health system needs to be fully informed about the telemedicine solution. In particular, it must ensure it has fully understood how the data are transmitted, processed and stored, and whether regular updates are being made”, he urges.
It’s a message that Lydie Canipel also promotes when training health professionals: “No-one is ever safe from the threat of a cyberattack. It’s vital to comply with ASIP Santé technical frameworks and CNIL data protection standards regarding secure messaging, CE marks and health data hosting. These regulations were designed with patient security in mind”. This message was echoed at a morning session focusing on the issue of health data protection, at which Bernard Cassou-Mounat, a health sector co-ordinator at the French ANSSI cybersecurity agency, explained, “Just like hygiene in the health sector, digital hygiene needs to be an instinctive reaction for health professionals”.
And lastly, industrialists also need to change their habits, as shown in a proposal by France’s Agence nationale de sécurité du médicament (ANSM) drug safety agency, which is expected to result in the issuing of recommendations to manufacturers of medical equipment by the end of the year. When it does, improved telemedicine security will be one step closer.