Responsible data security: Ikonix Connect’s management of health information
Providing a communications tool for hospitals entrusts us with delivering confidential information between clinicians.
Ikonix Technology has worked with leading cybersecurity experts to undergo rigorous system testing to ensure sensitive patient information is safeguarded from unauthorised access.
Digitisation is occurring at all levels of the health industry. This modernisation of the healthcare system is important to streamline the provision of clinical services, but it also presents a range of challenges. One of the most significant is protecting the highly sensitive information held in the new electronic systems.
Ikonix Technology has first-hand experience identifying and mitigating risks during hospital digitisation, supporting information flows through some of Australia’s largest and most complex hospitals.
The impact of cyber security risks.
Negative consequences resulting from cybersecurity risks caused by hospital digitisation can be grouped into three key areas.
Clinical outcomes
Financial impact
Privacy concerns
Clinical outcomes.
A recent study cited in the Australian Digital Health Agency’s 2022 Cyber Security Report found that
- 70% of surveyed organisations reported that healthcare ransomware attacks resulted in longer lengths of stays in hospital and delays in procedures and tests causing poor outcomes including an increase in patient mortality.
- 65% reported an increase in the number of patients being diverted to other facilities.
- 36% reported an increase in complications from medical procedures due to ransomware attacks.
Another report found “a direct correlation between cyberattacks and mortality due to the series of events following a breach”. After a security event, the hospital is more likely to have an IT systems failure impacting access to electronic medical records or diagnostic technologies. This can in turn cause patients to be diverted away or reduce care options available. These each contribute to worse community health outcomes and by extension, greater patient mortality.
Financial impacts.
As PWC advises, between 2019 and 2020 there was an 84% increase in reported cyber security events or incidents in the Australian healthcare sector.
As cited in the ADHA report above, healthcare is the industry most likely to pay a ransom to get stolen or seized data returned, and at an increasing rate relative to other industries. Health is also one of the highest in average cost to ‘rectify’ ransomware attacks.
A separate report by IBM found that healthcare took the greatest financial impact from data breaches, with the average impact the highest of any industry, and growing.
While these are largely American figures, the digitisation trend is similar in Australia, and we must assume a similar risk framework for Australian hospitals and health industry organisations.
Privacy concerns.
The IBM report also found that the average time taken to identify a data breach was around 7 months, followed by a period longer than 2 months to contain it.
With such a delay and the nature of medical information that can be stolen, seized, and/or sold, it can be significant time before a patient or provider becomes aware.
Malicious actors can utilise medical records for identity theft of the patient and other fraud, or more healthcare-specific crimes, such as leveraging the data to falsely claim from insurers or Medicare, or buy medical equipment or pharmaceuticals for resale.
What are the legal obligations?
What is HIPAA?
Much of the online content around medical information privacy discusses The Health Insurance Portability and Accountability Act. It’s important to note that HIPAA is an American law and as such does not apply in Australia. Instead, the Privacy Act 1988 is relevant for Australian service providers and governs requirements for privacy and security in our region.
What about Australia?
Health services in Australia are covered by the Privacy Act, and the Australian Privacy Principles. The Act regulates government departments, as well as organisations above a specific threshold of revenue. This means it necessarily applies to all public hospitals and health services.
There is also a specific addition that means any organisation that provides a health service and holds health information is also subject to the Act, regardless of not meeting the revenue threshold.
Even if Ikonix Technology like many other organisations doesn’t directly store health data, it’s not uncommon for our partners to require we operate in such a way that we ensure a high degree of privacy to assist them with meeting their Privacy Act regulations, and not provide an additional avenue for exploitation or breach.
Australian Privacy Principle 11 requires ‘reasonable’ steps to protect personal information, and the more stringently controlled health information, from unauthorised access, modification or disclosure. While APP11 doesn’t specify security standards, there are other frameworks and standards available and selected by our healthcare clients.
What does this mean for hospital communications?
With our experience deploying our Message Integration Engine (Ikonix Messenger) into hospitals, we have a sound understanding of the sources of security risk.
As the end-user communications platform built for healthcare, and with integrations into Electronic Medical Records (EMR), it’s imperative that the integrated Ikonix Connect mobile app provides the very best security and privacy possible.
So how does Ikonix Connect manage data security?
Data access on device
Data in transit
Data storage & access
Device-level security.
With Connect deployed to your whole team, managing the securing of the app on user devices is crucial.
Supported by robust security policies, Ikonix Connect maintains a high degree of security. Firstly, we typically integrate with your organisation’s user directory so that accounts are managed through existing enterprise processes. Logging into the app requires access to your organisational email address to access a one-time password. Connect requires a PIN or biometric security lock is enabled on your device. A secondary app-specific lock can also be enabled.
All data is stored securely within the app, including message history and media. For example, if you take a photo of a wound to send for consultation, the photo is stored separately from the user’s personal data and remains within your organisation’s control, regardless of who owns the device.
Data is stored encrypted on the device. If a user loses their phone, an administrator can remotely log them out, ensuring private information is inaccessible to others
Secure data transfer.
Ikonix Connect interfaces with your organisation’s user directory and servers through a Virtual Private Network (VPN). This means the connection from data sources at either end is protected from outside eyes, accessible only from either the server end by an administrator, or at the user end by the authorised employee.
Database security.
The Ikonix Unified Messaging Suite, which encompasses both Connect and Messenger, can be deployed to reputable and secure cloud partner environments, or to your organisation’s own data centres.
When deployed to the cloud, our solutions are single-tenant, meaning your data is protected from sharing space with other clients or databases, improving the security of your data.
Your database is also encrypted, accessible only to designated, authorised administrators. Admins can access audit logs and other record to ensure compliance investigations can be facilitated, important for healthcare providers. User access is customisable, allowing you to configure access to reflect what you want each role to perform. Given the greatest security threat in any environment is lax or poor habits among your team, Ikonix Technology works with our clients to create a system that pre-empts these risks.
Third-party security assessment.
Ikonix Connect was designed to be secure, but it’s important we have that independently verified. Before deploying to major hospitals, Ikonix Technology engaged two market leaders to examine and attempt to penetrate the app, searching for flaws that would leave our customers and their patients vulnerable.
In building software, responsible vendors must account for any vulnerabilities. This is one of the reasons your operating system sends you updates to patch new risks, and your bank’s online services have routine maintenance lockouts. It’s also why Ikonix Technology engaged independent security experts to analyse and advise before any deployment to the secure health environment.
Vectra is an Australian leader in security consulting, risk management, compliance, and managed services. Based in Adelaide, Vectra supports clients across APAC, the US and Europe.
Ikonix Technology engaged Vectra to undertake penetration testing of Ikonix Connect on both Android and iOS apps. Using the same tools hackers would, Vectra searched for vulnerabilities that would allow unauthorised access to data, through both automated and manual means, ensuring both random or large scale scanning, and targeted attacks would be emulated.
CyberCX is a large cyber security and cloud services firm with more than 1,300 personnel, with major public and private sector clients across ANZ.
Ikonix Technology engaged CyberCX to undertake another pass of third-party security and penetration testing. Taking their tailored, contextual approach.
CyberCX confirmed Android and IOS configuration and information returned by the API were all found to be secure.
What this means for our clients.
It’s clear that all private information, and more importantly health data, is an appealing target for malicious actors. The risks and impacts can cause poorer health outcomes in patients, cost healthcare services financially, and raise significant privacy concerns.
Ikonix Technology operates in partnership with health services to support them as they manage community health and takes security and privacy exceptionally seriously.
In developing and deploying Ikonix Connect we have built a reliable, safe, and secure way of facilitating clinical and operational communication. Any in-house development runs the risk of testing biases, which is why we proactively engaged experts in security to thorough interrogate the system before we share it with our customers, to ensure we are delivering them the very best solution.
David Fairlie-Jones
Senior Program Manager
David leads the team developing Ikonix Connect. As the product manager for the solution, he is extensively involved with our clinical and hospital operations clients. David has a keen appreciation for ensuring best practice data security.