Prescription for Connected Device and Telehealth Developers: Focus on Actual vs. Perceived Risk
Rezilion sponsored this post.
Earlier this year, the Cloud Security Alliance put out a very interesting whitepaper addressing the need for increased scrutiny of telehealth data in the cloud. It reminded me of an article posted on this very site back in 2017, about the myriad compliance and privacy issues surrounding the development of mobile health apps. In the age of COVID-19, medical application and device developers are challenged with increasingly multifaceted requirements for effective management and processing of sensitive health data.
Although HIPAA and GDPR offer useful compliance frameworks for security-centric thinking, it is up to telehealth application developers and medical device manufacturers themselves to design the protection schemes for the services they provide. They must ensure that data generated, stored, and communicated by telehealth applications and connected devices remains compliant.
Since these services are transmitting a lot of patient data to cloud services, application security engineers must bake end-to-end security and compliance into the architecture. For example, HIPAA security rules require connected health device manufacturers and telehealth service providers to maintain reasonable and appropriate administrative and technical safeguards for protecting patient health data. Specifically, providers must attest to the confidentiality, integrity, and availability of all patient health data created, stored, processed or transmitted via their services — and identify and protect against reasonably anticipated threats to the security and integrity of patient health information.
To ensure security, HIPAA requires continuous security threat-risk analysis. This assessment includes threats to cloud computing. As part of the assessment, the connected device manufacturer and telehealth application developer must address patient and healthcare provider concerns about governance, compliance, confidentiality, integrity, availability, and incident response and management.
For developers, the challenge introduced by all of these compliance hoops is that they inhibit innovation and, in some cases, actually increase the attack surface. Aside from not being able to push code and updates at the pace their non-health industry counterparts are enjoying, even security patching itself comes with friction and baggage. The healthcare market is tightly regulated, and new solutions must pass stringent approval processes that will slow adoption and give competitors an advantage.
Vulnerability scanners overload and confuse development teams with mountainous results that are impossible to patch all at once. Existing prioritization practices, such as CVSS, provide no notable reduction of breaches in organizations with mature vulnerability management programs.
Better Hygiene for Smoother Pushing
Rezilion has recently published a case study that found 67% of known vulnerabilities in connected device cloud services identified by vulnerability scanners were never loaded into memory. It is crucial to first validate that critical applications have only the minimum necessary resources installed, to minimize their attack surface, and then to measure the exploitable attack surface those applications actually use, so that vulnerabilities in code that is never loaded can be de-prioritized. Doing so delivers significant gains in operational efficiency.
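As an added illustration of the loaded-into-memory check described above (example code written for this article, not Rezilion's tooling): it joins a scanner's per-library findings against the shared objects actually mapped into running processes, as read from `/proc/<pid>/maps` on Linux. The maps excerpt, library paths and finding ids below are constructed placeholders.

```python
import glob

# Constructed /proc/<pid>/maps excerpt; only the trailing pathname column matters.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c1a5000 r-xp 00000000 08:01 1234   /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f3a1c1a5000-7f3a1c200000 r--p 001a5000 08:01 1234   /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f3a1c200000-7f3a1c2b0000 r-xp 00000000 08:01 1235   /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7ffd0a000000-7ffd0a021000 rw-p 00000000 00:00 0      [stack]
"""

# Constructed scanner report: shared object path -> [(placeholder finding id, CVSS score)].
SCANNER_FINDINGS = {
    "/usr/lib/x86_64-linux-gnu/libssl.so.1.1":    [("CVE-XXXX-0001", 9.8)],
    "/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1": [("CVE-XXXX-0002", 7.5)],
    "/usr/lib/x86_64-linux-gnu/libxml2.so.2":     [("CVE-XXXX-0003", 9.1)],
    "/usr/lib/x86_64-linux-gnu/libpng16.so.16":   [("CVE-XXXX-0004", 5.3)],
}


def loaded_libraries(maps_text):
    """Return the set of shared-object paths mapped in one /proc/<pid>/maps dump."""
    libs = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # address perms offset dev inode [pathname]
        if len(parts) == 6 and parts[5].startswith("/") and ".so" in parts[5]:
            libs.add(parts[5])
    return libs


def loaded_libraries_on_host():
    """Union of mapped shared objects across all readable processes (Linux only)."""
    libs = set()
    for path in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(path) as f:
                libs |= loaded_libraries(f.read())
        except OSError:  # process exited or is not readable; skip it
            pass
    return libs


def prioritize(findings, loaded):
    """Split findings into those in loaded code (patch first) and dormant ones.

    Each list holds (cvss, finding_id, library) tuples, highest CVSS first.
    """
    active, dormant = [], []
    for lib, issues in findings.items():
        for fid, cvss in issues:
            (active if lib in loaded else dormant).append((cvss, fid, lib))
    return sorted(active, reverse=True), sorted(dormant, reverse=True)
```

Running `prioritize(SCANNER_FINDINGS, loaded_libraries_on_host())` on a real host gives the same split for live processes; dormant findings still need patching, but after the ones in loaded code.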
There are two takeaways here:
- Focusing on actual risk vs. perceived risk can help developers push code faster and more securely.
- Since, on average, connected medical device manufacturers are spending $1.4 million annually on vulnerability management activities, reducing that spending by over 60% is significant not only to the bottom line, but also to the agility of the organization.
With the increased use of health telemetry in the cloud, connected devices and telehealth service developers must adequately and proactively address data, privacy, and security issues. By focusing on the risks that matter, it’s possible even for medical applications providers to scale at the speed of DevOps, while maintaining a secure and robust service.
Feature image via Pixabay.