AI, yes, ‘but doctor’s hand on wheel at all times!’
Artificial Intelligence (AI) tools will never replace the doctor, but doctors who use AI will replace those who don’t, Dr Mohammed Dalwai, of...
Having a security penetration test in a medical practice does not only mean having the practice’s wi-fi tested but the people working in the practice as well, Dr Grant Newton, CDE CEO, stressed during the Smart Health Summit’s panel discussion on cybersecurity in the healthcare environment, in Johannesburg last week.
Moderator Neil Kinsley with (from left) Dr Newton, Prof Paruk, Peter Kanda and Dr Christian
Moderated by AxessHealth CEO, Neil Kinsley, the discussions highlighted the fact there were still questions around the continent’s preparedness for health system cyber security issues in most quarters.
“Cyber security systems around the world are often only geared towards big business, big hospitals and big pharma,” Newton added, after getting little or no response from the audience when asking how often those in practice had had security penetration tests.
“You have people in the practice inadvertently allowing data to go out, placing that data in a phishing environment and therefore quite easy to use subversely against both the practice and the patient.”
This, Newton indicated, represented a huge health data security risk: “Also a problem is it is where we have the least amount of activity happening.”
Picking up on this, moderator Kinsley acknowledged that security risks around telehealth in particular were now becoming well understood, but what about other tools such as wearables and those being applied in specialist health environments?
“The question is how do we manage security,” Prof Fathima Paruk, Professor and Head of Critical Care at the University of Pretoria, posed in response.
Earlier Prof Paruk, who is also the co-chair of the Africa Telehealth Collaboration, had presented a comprehensive appraisal of the use of AI in the critical care environment at her city’s Steve Biko Hospital in a talk on “Tele-ICU: Redefining and Transforming Healthcare”.
“We understand the risks that come with the benefits from technology, but what worries me is who is accountable when breaches occur. When they do occur we can’t stop the train!” she exclaimed, stressing that this was the type of management from an IT perspective that such institutions didn’t have as yet.
“We are really ill-prepared as a community.”
On the matter of security breaches, Peter Kanda, Chief Information Officer at Gertrude’s Childrens Hospital in Nairobi, Kenya, volunteered that it was cheaper to do a vulnerability test as opposed to handling a data breach: “Go for an independent IT guy, then deploy the solution,” he suggested.
“There’s been a lot of talk about standards and frameworks like HIPAA (the USA’s Health Insurance and Portability Accountability Act).
“I say take 20 per cent of the IT budget and channel it completely towards security,” he said, reiterating that the biggest threat was actually internal sources across the healthcare board.
Similar sentiments were shared by Care Connect CEO, Dr Rolan Christian, in his discussion contribution, highlighting the fact that his organisation had found that attacks were happening around people “because that was the entry point”: “We had to make people understand everyone’s data was now available on the internet.”
His advice to stakeholders, therefore, was that they must chose a methodology and framework specific to their business – including penetration testing – and incorporate staff education to prevent them from being a weak link in the phishing scheme.
“Spend money on finding the loopholes. Granted, it takes resources away from what you should be doing, but it is necessary to do it!”