Trust in today’s digital health world
Tuesday, 14 August 2018
Regular column by Scott Arrol, CEO of New Zealand Health IT (NZHIT)

If we don’t retain trust in the health sector’s ability to hold data securely, the sector will respond to the public’s concerns by becoming more risk averse regarding digital technology.
Cybersecurity and privacy of health-related data and information have grabbed the headlines over the past few months. Some of this has been overhyped but most of it has been hitting the mark in terms of raising awareness of what lies ahead if we’re not proactive in our planning, resourcing and partnership approaches.
Most of all, now is the time for leadership from all levels in the health sector, as well as from other areas of government and industry, to make sure there is alignment in the fight against cybercriminals. Otherwise, there will be a loss of trust in the health sector’s ability to hold data securely. This will make it very difficult for technology to do what it is truly capable of doing and the sector itself will become even more risk averse than it currently is.
A battle over data security
When it comes to the security of digital health records, and maintaining trusted levels of privacy, it is all about the people involved and how the battle is fought over the long run. There is a demarcation line between those who want to do the right things because trust is very important to us; then there are those whose self-serving objectives are not aligned with caring for others.
And, let’s make no bones about it – cybercriminals (the baddies) only have two objectives when it comes to gaining access to health records, holding systems to ransom, collapsing systems, destroying data, etc.
The first is to make money and the second is to cause disruption and mayhem. Usually, they achieve both at the same time but just like any criminals there is no concern about the victims or the ramifications of what they do to the lives of others.
The paradigm here is that people who work in the health sector always have the desire to help others and to do the best they possibly can to provide care when it’s needed most. It is often said that nobody in health goes to work to intentionally do harm. However, the exact opposite is the case for the baddies.
Try to imagine someone leaping out of bed in the morning full of excitement about how much data they can steal today and how many health IT systems they can hold to ransom!
So, the first point is that we’re dealing with fundamentally bad people who have no concerns about causing harm to others or even being responsible for someone’s death through their actions.
The second point is that the baddies are clever, highly resourced and most of them operate in a business-like manner. They have strategic and operational plans, they have global networks and they’re highly resourced. But, unlike most businesses, we can’t see them, we don’t know exactly where they are, they don’t make media statements about what they’re going to do next and they seem to be a step ahead of us all the time.
In other words, nobody can take the baddies for granted and there’s no point in asking them to play nice. They also don’t fight among themselves as they know the value of strength in numbers.
I’m sure that you’re all aware of the types of activities the baddies have been getting up to, from the WannaCry attack on the NHS in mid-2017 through to the recent breaches in Singapore, and much more. Even on our own shores there have been the reported attacks on the Bay of Plenty DHB’s systems.
In her recent eHealthNews.nz article, Ann-Marie Cavanagh from the Ministry of Health rightly points out that the most important issue is how many actual breaches have occurred. A breach clearly shows that a system has failed, and the sheer volume of attacks globally demonstrates that the baddies work on a numbers game basis. Somewhere in the world they will find a way into a system, and then it’s open slather to monetise it as much as possible.
Fighting back
It’s good to know that there is plenty being done; a lot of resources are being put into securing systems and fighting the good fight against cybercrime in health.
More has to be done especially when it comes to the leadership required to get us a step ahead of the baddies. Leadership in this context comes from everyone: from the Minister of Health, to homecare support workers, to nurses and orderlies and to every governance board member who will ultimately bear the brunt of responsibility in the event that a breach occurs on their watch.
For instance, does every board member across New Zealand fully understand their personal obligations and responsibilities when it comes to the protection of health data? Regardless of the legal structure they’re governing (company, trust, not-for-profit), directorship responsibilities cannot be delegated away, which basically means that claiming ignorance and pointing the finger at others when there’s a breach simply won’t be acceptable.
Leadership also means that there is shared responsibility in making sure we’re doing everything possible to fight the baddies. Leaders know how to form strong, trusted relationships and use these to collaborate for the common good, especially when fighting an enemy that doesn’t care about how much damage they cause.
There is little to be gained from individuals or groups trying to gain an advantage that also breaks down trust and collaboration. After all, isn’t this exactly what the baddies want? Allies fighting among themselves create a perfect environment for cybercriminals to keep many steps ahead of us.
In summary (and quoting from a recent presentation by Faustin Roman, CIO at Patients First):
- cybersecurity is everyone’s responsibility
- it is a matter of when not if – prepare for an incident
- policies, plans and people must be tested regularly
- learn from failures (ideally not your own)
- risk management should be standard operating procedure
- be proactive.
As far as I’m concerned, there cannot be any excuses in the case of a breach especially when we must all work together to provide collaborative leadership that makes it far too difficult for the baddies to do their worst.
Scott Arrol is the CEO of New Zealand Health IT (NZHIT).