How healthcare breakthroughs could help cybersecurity

Many startups are achieving success by redefining how the economy works. Xtechs (financial, health, insurance, among others) are reducing operational costs and delivering more value to customers by leveraging computer science and advances in electronics. 3D printing, habit-tracking apps, and cheap, precise, small measurement devices are just a few examples of what citizens and patients are using these days from so-called HealthTech. Additionally, within health centers, new technology is supporting more efficient and effective practices. An explosion of new devices and interconnectedness is driving change to new levels.

However, security threats have surrounded healthcare for years, and the emergence of HealthTech doesn’t mean fewer risks. Moreover, HealthTech might pose other significant challenges. A recent publication in Maturitas (Coventry & Branley, 2018) describes the cybersecurity challenges healthcare is currently facing. The potential economic exploitation of medical health records, the number of underprotected medical and non-medical devices, and the increasing complexity of the digitization of medical records call for a more serious approach to cybersecurity in healthcare.

How can healthcare cybersecurity risks be managed amid this overload of interconnected devices and data? We believe organizations (specifically HealthTech companies) could learn from what has been innovative in healthcare management.

How doctors are improving performance in health centers

Figure 1. Atul Gawande

Here’s a short story: Atul Gawande, a renowned surgeon and writer, worked with the World Health Organization to address high mortality rates within intensive care units (ICUs). The finding: according to the evidence, checklists reduced mortality in ICUs by 40%. However, that’s only the medium by which the breakthrough solution was delivered. What was behind it? In general, Gawande says the amount of knowledge and complexity nowadays makes our work very hard to accomplish flawlessly, even when we know how to do things. In the specific case of medical professionals, he points to overconfidence and memory limitations among surgeons: they are pretty sure they know what they are doing, but they are also prone to forgetting some crucial elements in surgery, like instruments or procedures. As simple as they appear, checklists are tools for better performance in many contexts. In his words:

“Checklists provide a kind of cognitive net. They catch mental flaws inherent in all of us – flaws of memory and attention and thoroughness.” (Gawande, 2009)

Dr. Gawande has gone further to improve performance, and not only in ICUs. On The Knowledge Project podcast, he discussed the Morbidity and Mortality (M&M) conferences he runs at Brigham and Women’s Hospital. These meetings are aligned with the work of Amy Edmondson on psychological safety (see, for example, Edmondson, 1999; 2018). In brief, an M&M conference is a safe space in which medical teams get together to discuss complications (cases that went wrong) within medical practice, including every death. People attending the meeting are legally protected; that is to say, they cannot be attacked or removed from work for what they mention. In these meetings, medical teams discuss what could have been done differently to avoid the complications and how to ensure they don’t happen in the future. Making people feel safe to share the errors they made (for instance, administering a higher dose of a drug to a patient, with terrible consequences) has led to death rates falling quickly and to faster recovery of patients. He also mentioned that, in general, the culture this practice has fostered is invaluable: people feel empowered and responsible, but also willing to take some risks when needed. For society, all this means greater well-being.

How HealthTech could learn from healthcare

Figure 2. Stethoscope and heart

We can see information and IT assets as the patients that cybersecurity teams look after. Similar to healthcare, cybersecurity, computer science, and software engineering enjoy and suffer at the same time from large amounts of knowledge. Just like in healthcare, “necessary fallibility” is also present in cybersecurity. That is, despite scientific advances and the knowledge humankind has developed, some efforts people pursue are “simply beyond” human capacity (for example, complete security). We will never know everything for sure, and this is the case in cybersecurity. As HealthTech goes mainstream, the potential perils of such increased complexity, interconnectedness, and knowledge should be addressed.

Healthcare, nonetheless, is showing us that even in “necessary fallibility” environments, there could be ways to perform better. In particular, checklists might be translated into cybersecurity operations. At Fluid Attacks, we believe there is a clear link between what we do and how organizations benefit from better managing “fallibility”. HealthTech providers should be especially aware of how to ensure their developments provide reliable security for data and operations.

How Fluid Attacks’ approach helps improve business performance

We have one single offering: we attack your software. We breach flaws in IT systems with superior effectiveness, before others do so and cause real harm.

We do this, in part, in a way similar to what Dr. Gawande and his team found to lower mortality rates in ICUs: by using checklists. However, we go some steps further:

  • We are capable of continuously hacking enterprise-level systems. This is like a smart checklist. Because this is continuous, our services can detect small changes that could pose risks to your business. We rely on our automated products, so nothing is left out (as with a checklist). We also go deeper: our security engineers are the best-trained hackers. They think and work all the time on how your system’s flaws can be combined into attack vectors others cannot identify.
  • We are also capable of assessing valuable IT and information assets in one shot. Again, we rely on “smart” checklists.
  • We automate almost everything we already know. Asserts is our product for quickly assessing the state of customers’ systems. It is like using a smart checklist, fed by all of our knowledge and experience.
  • All that we do gets stored, described, and tracked in our Attack Surface Manager (ASM). ASM makes it easier for our customers to keep track of their security weaknesses as well as the fixes performed.

What about what Dr. Gawande calls M&M meetings? Well, the good news is that our approach makes you less likely to need to institute a version of the M&M meetings, as our work is proactive, not reactive. With us, you don’t have to wait to be hacked for real and then discuss how to improve for the future. We help you anticipate those complications, so you are better prepared and become more antifragile.

Do you want to share your thoughts? Do get in touch with us! We can help.

The original content can be checked here.

MI Group has partnered with Fluid Attacks to provide services that address the problems and recommendations discussed in this post.