Encryption is the digital PPE (Personal Protective Equipment) that the healthcare industry needs now
The lack of personal protective equipment and ventilators is a major concern of doctors, nurses and hospital administrators on the front line of the COVID-19 pandemic, and for good reason: lives are at stake every minute of the day. But that is not the only challenge facing health care providers who are still struggling with the COVID-19 epidemic across the country.
Cybercriminals have found a new gold mine in the growing amounts of online health data, and recent surges in attacks show huge safety gaps that leave providers and patients at risk of harm.
The increase in criminal activity is not entirely surprising. The large amount of health data online should be taken into account as part of global efforts to stem the pandemic. Telemedicine is increasingly replacing the traditional visit to the doctor’s office. Many hospitals around the world now rely on digital records. And with companies striving to develop contact finder and other health tracking apps, the amount of data generated is difficult to grasp.
The threat is so serious that in an announcement in May 2020, cybersecurity officials in the United States and the United Kingdom warned that national and international health organizations should prepare for cyberattacks during the COVID-19 crisis.
To put security gaps into perspective, a survey of IT workers by the Ponemon Institute found that 53% of healthcare organizations worldwide had experienced a cyber attack in 2019 alone, and 75% had had one for the first time “in their existence”. Even more troubling, only a third of those surveyed felt they had sufficient resources to deal with the threat.
The financial implications of these attacks are enormous. A recent Radware report estimated that the average cost of recovering from a cyberattack against a healthcare organization was $1.4 million in 2019. While it is still too early to predict the cost or impact of this problem in 2020, it can safely be said that the value of health care data is likely to increase given the crisis.
The good news is that digital protection equipment already exists for our health system, and that it can be used by everyone.
Encryption is an important technology that helps internet users keep their information and communications confidential and secure, and plays a crucial role in strengthening the personal security of billions of people every day.
Encryption can help the healthcare industry strengthen its digital security practices in two ways. The first is to protect “data at rest” (e.g., data stored on hospital servers) by encrypting the stored data so that even if it is hacked, it will be unusable for the attacker. Digital medical records are essential for everything from treating patients to monitoring the spread of the virus worldwide. For years, national regulators have required encryption to be used for all hospital records (HIPAA in the United States is one example). Strong encryption is essential to protect these files from bad actors.
Encryption can also protect “data in motion”, which is essential to maintain the confidentiality of telemedicine communications between doctors and patients. Supporters of telemedicine have for years advocated increased use of videoconferencing and other communication tools, especially for rural communities where it can be difficult to reach a doctor’s office. The pandemic has pushed demand for these services to a new level.
End-to-end encryption provides the highest level of security. It not only protects the communication from interception by bad actors, but also prevents the company providing the videoconference service from accessing this communication. The only two parties who should have access to a telemedicine treatment session are the doctor and the patient.
But while encryption is vital to the integrity of the healthcare sector, some governments are trying to undermine it.
In the United States, for example, the EARN IT Act threatens technology companies that implement strong encryption technologies if law enforcement cannot access data to track child trafficking. The problem with this approach is that the bill attempts to solve one problem while creating countless others.
It is not without reason that the Global Encryption Coalition, launched on May 14 by the Internet Society, strongly opposes attempts by governments to weaken encryption. Weakening encryption would open Pandora’s box for potential criminal activity and could have devastating consequences for the personal safety of billions of people and for industries trying to navigate a global health crisis. Breaking encryption, even with the best of intentions, endangers all digital infrastructure.
The most effective way to ensure the security of our health information is to ensure that the health care sector has unhindered access to the digital protective equipment that billions of people already rely on for their most sensitive and most important activities in this time of global health crisis. This involves not only adopting and maintaining uncompromising end-to-end encryption practices, but also adopting and strengthening strong encryption policies.
Kenneth Olmstead is a senior Internet security and privacy advisor at the Internet Society. Greg Nojeim is the director of the “Freedom, Security and Technology” project at the Center for Democracy and Technology.