Cybersecurity is a requisite for unleashing 5G’s potential in healthcare


Billions of connected devices, collecting and sharing information in real time, so the world can be measured, understood and managed in a more intelligent, agile and sustainable manner. All this will soon be part of our day-to-day with 5G. When applied in the healthcare area, 5G technology has the potential to significantly improve the quality of life of thousands of people.

This article aims to explain in a clear and concise manner the potential future of healthcare with 5G and what indispensable measures need to be taken now to ensure its cybersecurity and viability.

5G’s potential

5G is the fifth generation of cellular networks. It can be up to 100 times faster than 4G, has a much lower latency -- that is, less delay between sending and receiving information -- and the band spectrum can carry a much greater quantity of data. Additionally, 5G also consumes less energy and offers much greater coverage.

Exhibit 1

Speed is higher because 5G networks use higher-frequency radio bands than 4G. They have a greater capacity to transport data and provide greater connection density.

Exhibit 2

Coupled with other technologies currently being developed, such as IoT, cloud computing, artificial intelligence and advanced analytics, these 5G characteristics should help revolutionize many aspects of our lives over the next few years.

Exhibit 3

In the daily-life sphere, entertainment will become more immersive and education more engaging - virtual reality (VR), augmented reality (AR) and extended reality (XR) will become more realistic, with lighter-weight devices, and will allow for more immersive virtual meetings on the job and at school, and even sensorial experiences, like touch and smell; more stable and reliable connectivity will be possible even in a full stadium; remote spectators at live events will be able to access new angles and interactions.

For Industry, 5G is an essential lever for boosting efficiency, productivity and sustainability. Production lines that respond automatically to supply and demand; digital twins that predict failures in real machines; logistics networks that ship goods autonomously based on real-time data, with complete traceability of goods in warehouses and ports; IoT devices in agriculture that increase crop efficiency. Related innovations are already part of the day-to-day of the best manufacturing plants in the world and are being implemented at a growing number of industries.

5G also has high potential for generating social impact. The technology will allow smart grids to reduce carbon emissions; vehicles connected to traffic systems that share data to avoid collisions and accidents; sensors that can detect and warn about natural disasters before they happen; more-agile emergency services with the use of drones to assist in accidents. And if remote servicing is already revolutionizing medicine, it will be possible to go even further. IoT devices will speed up patient diagnoses, and services that seemed futuristic in the past will become just another service mode -- in March 2019, Chinese tech companies demonstrated a remote brain surgery in China using 5G networks.

In the mobility, healthcare, manufacturing and retail areas alone, the use cases identified by McKinsey in a 2020 study could increase global GDP anywhere between USD 1.2 trillion and USD 2 trillion by 2030. The biggest portion of this value can be captured through advanced connectivity using technologies that have been available for some time already. There is huge potential available and still underutilized - and this is mainly due to five key challenges: coordination of the value chain, fragmentation of use cases, misaligned expectations and incentives, data complexity and implementation-limiting conditions. If the social impact has major potential of revolutionizing our daily lives, this is also where development is most incipient -- there is still a lot of work to be done. Now is the time to look at the potentialities and risks of these new horizons in order to establish the rules that will govern their operation and define their future adoption journey.

The potential of digital medicine

Although telemedicine and digital health[1] were announced fifteen years ago as major disruptions, their adoption was minimal. Only with the social isolation caused by Covid-19 did the structural barriers delaying investments in digital devices integrated with healthcare begin to fall. Today, telemedicine offers significant improvements in terms of access, quality and cost-efficiency, which are the three main factors used to assess effectiveness of healthcare outcomes; for example, people with chronic diseases, reduced mobility or who live in remote regions have experienced major improvements in quality of life thanks to telemedicine[2][3][4].

In addition to telemedicine, we see an increased adoption of digital care and use of the Internet of Medical Things (IoMT), which ranges from smart watches and accessories that monitor vital signs, to implanted devices like pacemakers that can be controlled remotely. Roughly 98 million people in the United States use health-monitoring devices[5]; 88% of US healthcare providers consider IoMT devices a priority[6]; and over the next five years a 16% reduction in healthcare costs is expected from the use of these devices.

Exhibit 4
Exhibit 5

Great powers, great responsibilities

This future reality will depend on the maturing of 5G, Internet of Things (IoT), technological acceleration via cloud, artificial intelligence, data analytics and geolocation sensors. And it involves a series of cybersecurity challenges to protect network security and data privacy.

At the regulatory level, there are still few laws worldwide that oversee patient privacy, set parameters for testing new equipment and software against cyberthreats and vulnerabilities, and define how integration will take place between IoT and medical devices. In the United States, the FDA recently released a document[7] on cybersecurity of medical devices to guide manufacturers. The United States also has HIPAA and MARS-E[8], and Europe has GDPR[9].

Healthcare companies handle a huge amount of highly sensitive personal data that could be used in a discriminatory manner. Many sectors that handle sensitive data are under intense regulatory scrutiny from official authorities - as is the case of the financial market, for example, where there are regulatory bodies that develop rules and regulations, and supervisory entities that supervise all players to ensure that the rules and regulations are being duly applied. In Brazil, the General Data Protection Law (LGPD) was the first step in this direction. For the healthcare devices sector to win the trust of patients and industry in general, it would be very helpful if an equivalent regulatory and supervisory framework were created to define the safety standards expected. Anything less than ideal conditions will certainly create distrust and could delay or even halt the industry.

And the cyber scenario is very challenging, since cyberattacks have caused significant losses and reputation problems for many companies. Nearly one-third of global organizations have suffered cyberattacks. In Latin America, this figure is almost 60%. Brazil ranks fifth among the countries that suffer the most cyberattacks in the world - 3.2 billion attempts in 2021, which was twice as many as in 2020. Between 2017 and 2018, when the number of attacks was lower, losses amounted to BRL 80 billion. In 2021, 90% were ransomware attacks, where data is hijacked and made unavailable. In 2021 alone, ransomware attacks cost affected companies an estimated USD 21 billion, an increase of 123% in relation to the previous year. Hospitals and healthcare companies could become prime targets as they cannot lose access to patient records - and this could put lives at risk. In the United States alone, cyberattacks exposed sensitive health data of 45 million people in 2021.

In 2007, when former US Vice-President Dick Cheney underwent heart surgery, he ordered the medical team to disable the defibrillator’s wireless feature of his new pacemaker, fearing it could be hacked by terrorists. Although it seems very unlikely, the possibility is real - in 2017, the FDA recalled half a million pacemakers due to poor cybersecurity conditions[10], since it was possible for a hacker to drain the device’s batteries or even interfere with the person’s heartbeat.

From sensitive-data leaks to hacked remote surgeries, the possibilities are endless. And the healthcare industry’s current posture of low cybersecurity spend is troubling. The population and the market should demand a new attitude from the industry, requiring it to assess the possibility of each case happening, the investment/risk ratio for patients and organizations, and the reputation risk for players directly and indirectly involved.

Exhibit 6
Exhibit 7
Exhibit 8

Size of the problem

There exist vulnerabilities inherent to the use of 5G and IoT devices: the more devices connected, the greater the exposure surface and the more doors for attacks. IoT devices have a lower processing power in order to consume less power, and the direct consequence of this is less control.

Other factors add more layers of risk to data and privacy management: with all these devices collecting data 24x7, the amount of data generated is immense; a greater number of devices also generates a greater number of communication nodes, making it difficult to control data availability and integrity.

Vulnerabilities call for protective measures that mitigate risk, and this vulnerability management can be very complex. Each generation of a device has its peculiarities and, even if a developer is able to manage exposure of its own equipment, there is still the equipment’s interaction with others. Some older devices can’t even be updated, leaving them totally exposed; it can take days or even weeks for a phone manufacturer to release a patch that fixes a vulnerability.

Environments like this, with a mixture of new and old devices, can give rise to what is called an Advanced Persistent Threat (APT): one of the devices is hacked, the attack goes unnoticed, and the device becomes a monitoring vehicle for the hacker. If this device, for example, is a security camera, the hacker can monitor all the activity in the location and collect information such as the time people enter and leave, when they perform one activity or another, and other things. With this information, the hacker can obtain clues to access other devices and from there on the possibilities are endless: the hacker can cause all sorts of havoc, from locking devices, to threatening people in exchange for money with ransomware, to selling this data on the deep web – health data can be 10 to 50 times more expensive than bank data, as they allow for bigger frauds, such as in life insurance.

Effective patch management will require an effort involving multiple stakeholders.

Where to begin?

For players looking to engage in these improvements, we recommend the following steps and key points of attention that healthcare and tech company CEOs should keep an eye on, together with CIOs, in order to pave the way towards the ideal horizon.

Cybersecurity in healthcare can be analyzed according to three major groups of practices:

  • The first and foremost is cyber hygiene. Just like we have daily hygiene practices that are essential for preventing or mitigating health problems in an individual or a community, there are also routine practices to mitigate cybersecurity risks in a system. When well structured, they allow you to assess the vulnerability level of a company and even partners with whom data is shared. These practices include, for example, inventorying all access points to a system and all data sets (classified according to their value), assessing and managing their level of vulnerability, patching and updating software and applications. They also include using tools like Identity and Access Management (IAM) and Multi-Factor Authentication (MFA), which allow you to eliminate outdated access privileges.
  • The second major group of practices is to establish a secure software-development process. The term DevSecOps, which stands for “Development, Security and Operations”, defines a way of developing software where security is considered from the very beginning of the process and throughout all stages, not simply a final stage or a quality test executed by a separate team. Security issues are addressed as they arise, which is when they are much easier, faster and cheaper to resolve. The DevSecOps pillars can be used in application development, cloud, devices, artificial intelligence and sensors, preventing development gaps, positioning cybersecurity controls and positively impacting data protection.
  • The third and most advanced is the zero-trust policy, which can be summarized by the phrase “never trust, always verify”. A zero-trust system assumes that every access is a potential breach, so no access is remembered, even from a recognized device. Every identity, every device, every document or software access must be verified, in order to reduce the risk of access by unauthorized persons, and the general rule is to always delegate the lowest possible access privilege to every account. When every link in a network is known and protected, control is greater and each network security decision is better informed.
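
An added example, not part of the original article: a minimal per-request authorization check in Python that follows the zero-trust rule described above, re-verifying identity, target device and least privilege on every call. The signing key, device inventory, role grants and function names are constructed assumptions for illustration.

```python
import hashlib
import hmac

# Constructed sample data (assumptions): key, inventory and role grants.
SIGNING_KEY = b"demo-key-not-for-production"
DEVICE_INVENTORY = {
    "infusion-pump-07": {"patched": True},
    "legacy-monitor-02": {"patched": False},  # older device that cannot be updated
}
ROLE_GRANTS = {  # least privilege: each role lists only the actions it needs
    "nurse": {"vitals:read"},
    "biomed-engineer": {"vitals:read", "firmware:update"},
}
MAX_TOKEN_AGE_S = 300  # short-lived credentials force frequent re-verification


def _sign(payload):
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user, role, device_id, issued_at):
    """Bind the credential to one identity, one role and one target device."""
    payload = f"{user}|{role}|{device_id}|{issued_at}"
    return f"{payload}|{_sign(payload)}"


def authorize(token, device_id, action, now):
    """Evaluate one request from scratch; nothing is remembered between calls."""
    try:
        user, role, bound_device, issued_at, sig = token.split("|")
        age = now - int(issued_at)
    except ValueError:
        return (False, "malformed token")
    expected = _sign(f"{user}|{role}|{bound_device}|{issued_at}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return (False, "identity not verified")
    if age < 0 or age > MAX_TOKEN_AGE_S:
        return (False, "credential expired")
    if bound_device != device_id:
        return (False, "credential bound to another device")
    device = DEVICE_INVENTORY.get(device_id)
    if device is None:
        return (False, "device not in inventory")
    if not device["patched"]:
        return (False, "device fails posture check")
    if action not in ROLE_GRANTS.get(role, set()):
        return (False, "action exceeds role privileges")
    return (True, "allowed")
```

A request is allowed only when every check passes on that call; a previously accepted token is rejected again as soon as it ages out, is replayed against another device, or asks for an action outside its role.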

Zero-trust architecture implements zero-trust concepts in the virtual and physical network infrastructure and in access control policies. However, when there is a very large amount of data and a lot of nodes in a network, it is necessary to also include other features like encryption, artificial intelligence and automation.

  • Encryption: in healthcare, the amount of sensitive data is gigantic; said data needs to be encrypted both at rest, while archived, and in transit, during use and transfer. To move this data more securely, it is possible to create communication nodes that require constant testing.
  • Automation: the need for a large volume of testing could make zero trust impractical. With automation, it is possible to carry out routine tasks like analyzing traffic, inspecting networks and identifying outdated users that pose access threats, as well as isolating information at risk.
  • Artificial Intelligence in cybersecurity: once automated, these tasks can be analyzed using an artificial intelligence tool, which acts as a network hygiene inspector, periodically reviewing data security and pointing out strange and unusual movements.
Exhibit 9

5G technology can make major contributions to the healthcare industry, adding more years and improving quality of life for the population. For this to become reality, all stakeholders must come together to ensure the safety of processes and sensitive data involved. Otherwise, gaps and the growing number of cyberattacks will slow the adoption of technology and make this vision a distant dream.
