Cyber Security: Enabling the next frontier of healthcare

Automated introduction 

Welcome to the Australian Digital Health Agency podcast, supporting health professionals to realise a healthier future for Australians through connected healthcare.

Danielle Pentony - Acting Chief Information Security Officer with the Australian Digital Health Agency

Hello and welcome to this podcast hosted by the Australian Digital Health Agency. I'm Danielle Pentony, Acting Chief Information Security Officer. Before we get started, I'd like to acknowledge the traditional custodians of the lands we're meeting on. I would like to pay my respects to the elders, past, present and emerging, and acknowledge and extend that respect to other Aboriginal and Torres Strait Islander people and elders from other communities who may be joining us today. Today's topic is enabling the next frontier of healthcare. We will delve into the evolution of digital healthcare and how cybersecurity plays a role and share some practical tips on preparing your practice for the next frontier of healthcare. Today, we're joined by Dr Steven Hambleton, Chief Clinical Advisor at the Australian Digital Health Agency. Dr Hambleton provides clinical input into the work of the agency with a strong belief that safe, secure data sharing will result in a better experience of healthcare for the patient and the clinician. And we also have Mr. John Bocchi, Acting Chief Technology Officer at the Australian Digital Health Agency with us today. John leads the Technology Services division, he is an intelligence and security professional who has worked in government, the military, and the commercial sector. Welcome to you both and thank you for joining our podcast today. Dr Hambleton, what do you think of when you hear the term evolution of digital healthcare.

Dr Steven Hambleton – Chief Clinical Advisor at the Australian Digital Health Agency

Well Danielle thank you, that's a really interesting explanation for what's happening in healthcare in this country. And you know evolution makes us think of small changes that provide an advantage. Or a series of small changes that provide advantages and very occasionally evolution will deliver a big change which delivers a lot of advantage. Of course, change, if it doesn't deliver advantage, doesn't succeed. And also, it reminds us that if you don't change, things will overtake what you do. So, in healthcare if we make a small change and it provides an advantage to the provider, you might find that gets adopted. If it provides better outcomes for the individual as well, it tends to get adopted. We also see that individuals who don't change sometimes are left by the wayside. A few years ago, there was a prediction that we wouldn't need radiologists anymore, that digital healthcare was going to make them redundant. That's not quite what happened. But it probably is true to say that radiologists or providers who actually use digital tools will outcompete those who don't, and probably therefore will take over. So, in digital health, that's what we're seeing is happening and we actually firmly believe at the end of the day we'll just be talking about health. Not digital health. But that gradual change that benefit to the individual that benefit to the community, that really is an evolution that we are living, and we do need to change with it. I think that's a strong message that comes along with that thought.

Danielle Pentony - Acting Chief Information Security Officer with the Australian Digital Health Agency

Thank you, Dr Hambleton, that’s an interesting take on evolution of digital healthcare. John, how do you see the role of cybersecurity evolving in the next frontier of digital healthcare?

John Bocchi - Acting Chief Technology officer at the Australian Digital Health 

Thanks, Dani. I think digital healthcare is moving at a rapid rate. The take up of digital is moving at a rapid rate and what's happening is Healthcare has always been reliant on information. The accuracy of the information and availability of it at the point of care. The explosion that's going on at the moment with how we make that happen, not just in major hospitals but across the whole Healthcare ecosystem is a challenging area for cyber security. Doing things historically, which is build the system, test it, assure it and roll it out. What we need to do, and what a lot of providers are doing healthcare providers, is embedding cyber security as part of the design of the system. So, security by design. And if we don't have that move moving quite rapidly into that phase, we'll be left behind in cyber security. And I think that has already happened, a lot of technologies being released and then retrofitted for cyber security components and the worst-case scenario is that happens after a major incident. So, we've heard about quite a lot of major incidents in healthcare industry. After that happens, there's a review, there's investigations and there's retrofit. So, the sooner we move into cyber by design and getting that mentality that cyber is part of the solution, it's not an add-on. The quicker we can evolve and the quicker we can provide that information in a reliable and secure way.

Danielle Pentony - Acting Chief Information Security Officer with the Australian Digital Health Agency

So, having said that, security by design and cyber being part of the solution, what do you think are the unique challenges and vulnerabilities that the healthcare sector faces in terms of digital security today?

John Bocchi - Acting Chief Technology officer at the Australian Digital Health 

This is quite a big question and over the years we've come across these challenges in our different healthcare settings. I think that summary of them, they might not apply in every healthcare setting, but the summary I'll just quickly go through one is that Healthcare is always on 24 by 7. What that does is makes us vulnerable even when we're asleep and gives the attackers an opportunity to get into our systems when we're not watching. But there's still healthcare being provided, there are still people working on those systems and interacting. So that causes a different challenge to a nine to five sort of business where everything gets shut down and there's no people interacting with their systems. The other one is that over time, the healthcare records have become one of the most attractive types of records for criminals. So, in the past it used to be an opportunistic attack where you know a simple fake e-mail would go to a lot of different e-mail recipients and some of them happen to be healthcare providers or even patients. What's happening now is that those entities are being targeted specifically because criminals know that the profit margin for healthcare data is much bigger than say a credit card and the credit card only has a life span of about a week before the person finds out, turns it off. It's even less than that, it's probably a day or two. Whereas healthcare records cannot be deleted, cannot be changed, it becomes a big, big attraction for criminals. The take up that we talked about, the evolution and digital healthcare has a downside in that we're making it easier for criminals to access those records. And if our systems are not secured by design and they're vulnerable, those records are available online for example, makes it easier for criminals to get access to them. We've had a few incidents in the past where large amounts of paper records were either discarded inappropriately like in the rubbish bin behind a hospital and then people found them. But usually, those types of incidents on paper are small in comparison to say millions of records that are held electronically. So, it makes it even more important to secure. The effort of digitising records is also a challenge in that the care that you have to put in to making sure the accuracy of the data remains high because of patient safety. And then the integrity of the data so meaning that you don't want anyone to interfere with that data. So, it's not just about stealing the data, it's about maintaining its accuracy and not allowing people to change it who shouldn't have access to change it, is a big challenge. That doesn't happen in a lot of industries. It's more about the data being available and not being stolen. But that accuracy and patient safety creates another challenge. There's a lot more to talk about, but I think they're the main ones that I'll cover for today.

Danielle Pentony - Acting Chief Information Security Officer with the Australian Digital Health Agency

Thank you, John. So, taking a cue from what we've heard so far on evolution and being always on 24/7 and the growing challenges in the healthcare sector, Dr Hambleton if I may ask you the next question. We are hearing a lot more about how artificial intelligence and machine learning are increasingly being integrated into healthcare. What are your thoughts on how these type of technologies can be used to enhance patient care and treatment?

Dr Steven Hambleton – Chief Clinical Advisor at the Australian Digital Health Agency

Well thanks Dani, and once again, the enormous topic that's growing by the day and by the week. When we think about artificial intelligence machine learning, we should remember that we've been exposed to the rudimentary things like this for some time. Now we've had clinical decision support built into our clinical information systems probably for decades. So, it is a bit, it is a little bit of artificial intelligence. You know, when I think in 1995, I put together my first clinical information system as I added data to my practice patient list and you add in the demographics you add in medication. And then you add in their allergies as soon as you do that the computer systems, next time you write that same family of drugs or that same drug, the flag comes up and says, do you really want to do this ,they're allergic to that, you recorded that, which is clinical decision support. And as our systems get smarter, that ability has expanded. For example, we can now get interaction checks against medical diagnosis. So if you've got kidney disease and you prescribe the product, the flag will come up saying well, be careful with this product with a person with renal failure and you might find that doesn't suit them. Or they've got this other problem that there's an interaction, so this is sort of more deeply embedded into our systems. In fact, today many people would prefer not to provide healthcare without that support structure. But as our systems are getting smarter and we think about things more broadly you know the real benefits to individual patient care at the time of care start to become available. So, we make better decisions because we have more information about that person at the time we make those calls. We want to remember that there are two other places where artificial intelligence and machine learning can help us and that is in educating the patient. Because the patient can learn more about their own symptoms and they can be prompted to look in various places to actually improve their own understanding, their own conditions. And the right sort of things, they ask better questions? They actually stimulate their doctors to and their providers to provide better care. But if we step back a little bit further, so we've discussed a little bit again rudimentary on better decisions that clinicians make about the person, better education of the person about their conditions and therefore a better interaction. If we step back little bit, look at what happens at a population level. And as John reminded us recently that there is a massive amount of information about all sorts of people. One thing that machines can do is recognize patterns that no human could. And they can help us with treatment decisions about populations, and prompt us to think about based, on population data, what might affect the particular individual. And again, they can also help us with service planning and resource allocation. And it's something that people can't do on their own. You know machine learning, artificial intelligence, big data sets can say, well in this population you've got a problem with diabetes. We might want to invest in support for people with diabetes to pre-empt those people ending up in the emergency departments or in healthcare settings. And I think we've just started on the very start of that ability to analyse those large data sets and draw some inferences from that which is going to make a difference. And so, as we've moved on to large language models, you know these huge data sets, you can actually put that information into a digestible format for individuals, both for providers and for consumers. Our challenge is there's so much information available out there now. How do we get rid of the information chaos? How do we present it in a constructive and helpful way? And how do we establish that its accurate information coming through? These are the big challenges we're facing in the future, but there's lots of opportunities and the technologies will definitely enhance patient care and treatment. You know we used to say that genomics was going to lead to precision healthcare. Well, it won't just be genomics. It'll be all the information about the patient, which we can now aggregate and distill. And their genetic makeup and that will lead to precision healthcare for the person in front of us and it will actually lead to improved population health outcomes as well.

Danielle Pentony - Acting Chief Information Security Officer with the Australian Digital Health Agency

Thank you, Dr Hambleton. Smarter Healthcare systems are definitely the future. John, are there any security or ethical implications that you foresee in the introduction of AI into the healthcare environment?

John Bocchi - Acting Chief Technology officer at the Australian Digital Health 

Thanks Dani, another huge question, I think as Dr Hambleton articulated, the importance of having these systems be available and start working through more proactively identifying large data sets. And making sense of what we're seeing so that we have more proactive, healthcare provision rather than reactive is very important. With any new technology, just like social media, the introduction of that, there's always ethical dilemmas and human behaviours that come into it as well. There's so many articles on this going around, but I think to simplify it for me that there's a couple of key things. One is that the tools are only as good as the data that they have access to. So I think it's hugely important that the data sets are accurate and they comprise of the information that we want to look at versus opening up for example, a large part of the Internet which can introduce a lot of inaccuracies and a lot of perception from the tool itself about what reality is, based on the volume of specific data. So, one example could could be gender bias for example, or other biases. The clearest example I've heard, which makes sense to me is if you look on the Internet for a photo of a schoolgirl, this is where gender bias comes in, you end up finding a lot of images that are provocative about girls, whereas if you look at a for a photo for a school boy, they're generally non sexualized. That's a simple example of how volumes of data can lead the AI tool to focus on a particular way of thinking or a particular example of what you're looking for and to manage those biases I think we need to assess the data sets that we're looking at. The other one for me is not all tools are the same and not all AI tools are the same. So how these tools were configured, how they were built is important. Because we need to know what construct they have in their decision-making process. Some tools might be quite stringent in how they make decisions and be quite intuitive in providing you the accuracy of the information. And others might be just simple tools that may end up giving you the wrong information just based on how they've designed and how they respond to queries. So, they're the main issues for me. There's a lot of other information out there about ethical issues with AI, but I think they're the main ones. For security I think the scariest thing now is that AI can be used to create like security vulnerabilities or rules that can exploit security vulnerabilities. So, a hacker doesn't have to be a well-trained hacker to understand how the system works. You can run an AI tool of a system and say what are the vulnerabilities, create me an exploit for that vulnerability and we've seen that happen as well. There's examples of how that works. So it's reducing the capability of the hacker. And creating more hackers is probably a simple way to see it, but yeah, AI tools are there for a reason, and there's always people who use it for the wrong things.

Danielle Pentony - Acting Chief Information Security Officer with the Australian Digital Health Agency

Thank you, John. We've spoken about the future of healthcare and the implications. I would like to get both of your opinions on this next question. While there are many exciting new technologies, the healthcare sector often deals with legacy systems. How can these outdated technologies be secured effectively without disrupting critical healthcare operations?

Dr Steven Hambleton – Chief Clinical Advisor at the Australian Digital Health Agency

Thank you, Dani for the question I might jump in there straight away. I think this is a very good reason that we need to have clinicians and technology experts working closely together. We need to make sure and there are outdated technologies there's no doubt . You know the number of old systems , we can't get by on that are in hospitals, that are in general practices, that are in specialist practices around the healthcare system are enormous, and they do their job, but they really don't match the security requirements or the data sharing requirements that we're going to need in our new health system. We need to work with our technology colleagues to identify the elements of the system that we need and how we can best protect them and how that data often can be converted to end up and usable format. So I do think we need to work together closely. If one side outweighs the other side we're going to get an outcome that either isn't safe or doesn't suit the healthcare system. So for me, this is about putting experts, digital experts and clinical experts in the same room and look for an outcome that's going to suit both of us.

John Bocchi - Acting Chief Technology officer at the Australian Digital Health 

Thanks, Dr Hambleton, I'll add to that, that every sector ,so every kind of business has legacy systems and basically how that happens is you have a reliance on that technology as part of your business process in order to make sure that your business is viable and you're delivering on your product or service. And it's the same in healthcare. Systems are there, as Dr Hambleton mentioned, to deliver healthcare outcomes and regardless of the setting there’s processes and there's information that is required in order for that healthcare outcome to be achieved. When we introduce new systems or new technologies , that convergence is what I call it between the clinical process and the technology, how it works is so critical, and that's where you end up identifying perhaps a new clinical process or amending the clinical process to work with the technology. All the technologies configured to work with the clinical process. And depending on that clinical process or the entity that's delivering it, it could be bit of both and in order to get legacy systems to be removed out of our environment that's the only way to do it. And if we don't do that properly, we'll always have a reliance on the legacy system because it's still part of our clinical workflow or still part of our administrative workflow, in a large hospital say. The way to secure them, there's probably thousands of ways, but the main one that I think is the most useful is to remove that legacy system from access from the Internet and to create it or put it in an environment where it's more reliable and more secure. So things called virtual hosting, so you host a software product on a virtual machine and that virtual machine is more secure than say, an old legacy hosting environment and old infrastructure. So you layer the security to help that system become more secure. And there's many ways to do that, but the first thing we should try and do is remove legacy systems as we introduce new systems and that's the challenge that we have ahead of us.

Danielle Pentony - Acting Chief Information Security Officer with the Australian Digital Health Agency

Thank you, Dr Hambleton and John, I quite like the thought of partnership between digital experts and clinical experts to resolve the legacy issues and you know, layering security to secure solutions. Dr Hambleton , how do you balance the need for efficient patient care with the importance of safeguarding patient data and privacy in a digital healthcare environment?

Dr Steven Hambleton – Chief Clinical Advisor at the Australian Digital Health Agency 23:31

Thank you, Dani, and this is a really important question and this is the tension between access to information and security of information which we face every day. You know, if we lock information away like we used to on paper or in the filing cabinet in the back room, it's pretty secure. It's not completely secure because with serious damage or fire or theft, or people accessing information. But if we locked it away and we locked it away digitally, no one can get access perfectly secure. But of course, if we can't get it when we need it and we can't use it for the benefit of the person. The way I think about it often is health information is not secret. But it is private and we need to treat it very, very sensitively otherwise we begin to lose trust of the consumers. And even trust of the providers. And trust is so hard to gain and it's so easy to lose. So there does need to be a strong balance. And we've seen this debate publicly, when we when we start talking about large systems and the information available in those systems to any provider, that makes people very nervous. So we need to actually provide that support, build that trust, make sure only the people who should be accessing that information can access it. There needs to be a tangible benefit for the individuals who allow that to happen. Probably the pandemic has actually made people understand that ,that information being accessible is a benefit to them. Being accessible to themselves and being accessible to the people that are caring for them. And so that's a real balance that we have to strike to maintain that trust and yet provide access at the right time and deliver a tangible benefit. So yeah, that tension is going to live on.

Danielle Pentony - Acting Chief Information Security Officer with the Australian Digital Health Agency

That's a great thought, Dr Hambleton , balancing trust and access at the right time, and I'm sure we're going to have those conversations for a long time to come. John, in your opinion, what are the most critical cybersecurity practices that clinicians should adopt to protect patient records and maintain trust in the healthcare system?

John Bocchi - Acting Chief Technology officer at the Australian Digital Health 

Thanks, Dani, probably the first thing we should say is there are various systems or healthcare systems that we're talking about. It could be a small general practice office, it could be a medium size private or public clinic. Or it could be a large major hospital, so I think the large and the medium could benefit from specialist security people to help them secure their information in that context. So I won't go there because there are so many different things that we could do. I'll focus on the small general practice or small practice. I think a lot of people see security and quite rightly as a challenge because their job is to deliver great outcomes for their patients. So patients coming in, you need to have access to their information, the medicine they’ve been prescribed, the last visit, the history of of what the patient has, and if that information is really difficult to get to, it's just going to make it a lot more difficult for that clinician and the patient and that's not what we want. So for me it's more about practical outcomes to secure the data, so still make it available, as Dr Hambleton articulated recently, and that availability or access to the data and then the the security of it. So one one thing to do is if you do have non-patient data and patient data try to segregate the patient data away from all your other data so you don't have to secure everything in your practice. So if you have information about staff rosters, about payments to different providers, and things like that they could be removed or they could be put somewhere other than the patient records. And what that does is give you a small footprint for the protection of your data and allow you to just focus on what's important for that trust that we're talking about with your patients. Once you do that, then you can see how that information is presented, you can probably have that information sitting other than on a computer in your practice or server in your practice. Secure cloud is something that's evolved overtime and cloud gives you that opportunity for IT specialists to maintain a lot of the environment that your data sitting on and prevent it from being hacked. Whereas if you just have that data sitting on the computer and your clinic or practice, you're going to have to secure everything on that, your Internet access, the infrastructure the data sits on the software that it that hosts that data and how you interact with the data, like the access management. If you have a provider that does that as a specialty, that will remove all those things and and the only other thing that you might want to consider is a lot of small to to medium businesses go out of business if they do have a phishing attack that becomes a ransomware attack. So this is where they take your data or encrypt the data that you can't use it, and then you have to pay a large amount of money to bring that data back, and it's not guaranteed you will have your data back. So without that patient data, a lot of businesses are not viable. They can't rebuild what they've lost or they have to outlay a lot of money to get access back to the data. A simple way to fix that is just to back up your data, so have that information backed up on a regular basis on a separate environment and your cloud provider can do that or you could simply have a computer that downloads the data at the end of the day. But that removes that risk of your data not being available to you because you can just bring that data back if that sort of ransomware attack happens. I think they’re the key things is having someone professional look after your data after you've identified the small subset of data that you want to secure and then have it backed up in case something bad happens.

Danielle Pentony - Acting Chief Information Security Officer with the Australian Digital Health Agency

Thank you, John. That was some great points for clinicians to adopt. Dr Hambleton from your point of view, what advice do you have with fellow clinicians on staying vigilant and proactive in the face of evolving cybersecurity threats while delivering high quality patient care?

Dr Steven Hambleton – Chief Clinical Advisor at the Australian Digital Health Agency

Well, once again, this is an enormous topic that really does require focus and attention, and it's often said that cybersecurity is everybody's problem. It is everybody's problem. As individuals, we need to support our security frameworks. You know, we need to individually make sure there's no those yellow sticky notes with the password on our screen. When you're prompted to change your password, you do need to change your password. You need to have a password that's difficult to guess, and it shouldn't be your birthday. It shouldn't be the word password. You know we need to individually embrace that. But if we step back a little, those of us who have some influence over our practice structures, need to make sure there are policies and procedures for managing that information and information security in the practice. Those policies and procedures need to be known to people. It seems obvious, but people need to know what the policy is and they need to know what and when to do it. It should be reviewed regularly, there should be review date on that policy. For general practices, if you're accredited, a lot of these things are part of that accreditation process, so it reminds us to go looking. Often you need a leader within the practice whose responsibility it is to think about security and safety, and we need to make sure that we do backups. We just heard about backups, but where are the backups? If the backup is on location, we saw what happened in northern NSW with the floods, and we saw that with the fires earlier, but the backups need to be somewhere else physically. They can be in the cloud perhaps, but they need to be somewhere else and you need some expert advice about that. You need to, manage access to your systems and your data. You need to make sure that not everybody's got the password for everything, you do have administrators for that particular reason. And something that we often forget is internet and e-mail, you know, we need to have firewalls. Once again you need to have that security advice about what can get in? But what gets in is often e-mail, phishing attacks are often the cause of major breaches. Data encryption, in a recent story I read was that the data and practice had become encrypted, but the backups were encrypted, so there was a total loss of information. So you need a policy and procedure, you need a person in charge of it, we all need to participate. We need to participate individually; we need to participate as groups. We need to think about things that you don't think about Internet and e-mail. Should you allow Webmail within your practice? It's a difficult question because it annoys everybody when you can't get access to those things, but that's often the vehicle that cyber criminals use to get access to your services and systems. So we need to be disciplined about it. We need to focus on it. Once again we talked about trust, hard to gain, easy to lose and we've seen too many cyber incidents among big businesses. We just don't hear about the ones in small businesses and that's basically how health is set up in this country. We need to protect ourselves, we need to be disciplined about it.

Danielle Pentony - Acting Chief Information Security Officer with the Australian Digital Health Agency

Thank you, Dr Hambleton. As we wrap up today's discussion on enabling the next frontier of healthcare, we hope you found our conversations informative and helpful in understanding the challenges and opportunities from the digital health horizon. Thank you to our guests for sharing their insights and expertise on this important topic. We hope that this conversation has been informative and helpful to all of our listeners, and we encourage you to continue exploring the latest developments in digital health and cybersecurity. Thank you for tuning in to today's podcast and we hope to speak with you again soon.