Hello everyone, and welcome to Season Two of the IEEE SA Rethink Health Podcast Series. I’m your host, Maria Palombini, and I lead the IEEE Standards Association Health and Life Sciences Practice. The practice is a platform for multidisciplinary stakeholders from around the globe who are seeking to develop solutions for driving responsible adoption of new technologies and applications that will lead to more security protection and universal access to quality of care for all individuals. I would like to welcome today Ashish Mahajan, for a discussion on how cybersecurity and connected health can be an accelerator for more innovation. He is the Non-Executive Director of IoTSec Australia, and he’s Chair of IEEE SA IoT Ecosystem Security Industry Connections Program. So with that, Ashish, why don’t you tell us about the great work you do in IoTSec, and then a little bit about this industry connections program you’re leading at the IEEE SA?
Certainly. I want to start by saying the IoT space is expected to grow to 25.1 billion by 2025. And that could be worth up to 26.1 billion by 2027, with the compound growth around 19.8%. This growth we’ll see in the next five to 10 years. But what it means is that it will likely have touched every aspect of our life from our refrigerators to our shoes, to medical devices, to car automation and home automation. And of course, cybersecurity remains a key issue concerning broad technology, as well as data related activities. So while IoT devices can greatly increase the productivity of our business, there’s an old saying that new rewards come from new risks and cybersecurity of IoT devices is a big challenge for us. Now, the work that we are doing at IoTSec in partnership with IEEE is to bring them in across the community. IoTSec is a not-for-profit organization; it looks at advocacy on the research initiatives that helps to ensure the proper awareness or the awareness of the secure practices by the ecosystem and we will be working with IEEE SA to publish white papers, reports, proposals for standards, guidelines, and probably webinars to bring awareness across our community.
I know that IoT across multiple industry domains is flourishing. It’s really important to call out the fact that it’s not just about medical devices. There are so many devices on or around us that are not obviously specific for medical application, but still impact our overall wellness and daily lifestyles and things of that nature.
I always say, when it comes to IoT and security, the industry is too late to consider security and we are kind of catching up to embed security in IoT devices and also the future IoT devices.
Cyber breaches and security vulnerabilities are a major concern, when we think about the current state of connected health devices and obviously the trajectory for the future of mobile health. From your expertise and your experience, what do you consider to be some of the major impacts if cybersecurity and digital health space are not addressed effectively?
I guess there are two folds to this question – the trajectory of the future of mobile health. Now in the past few years, there has been a cultural shift and a technology shift from wearables focused on promoting wellness to those designed to post real-time tracking and also the monitoring of patient vital signs. According to research, the average person is likely to generate more than 1 million gigabits of health related data in their lifetime. As you can tell, this technology has huge potential to not only improve health literacy and wellness levels, but also to reduce global health. According to one estimate, remote patient monitoring might have saved nearly 200 billion across all conditions over the next 25 years. If you consider this, being able to remotely monitor patients in their home is a significant opportunity for caregivers and for industry alike. And most importantly, for the patients, this is going to change the whole gimmick of how patients will be treated at hospitals and remote patient care, not wearable technology. There are agents that are also propagating a cultural shift in how conventional drugs and therapies are formulated and delivered. If I remember correctly, 2017 saw the first FDA approved pill that was packaged sensor tracking patient usage. Now that was a dramatic change in how patient care can be done. The other question is the major impact of cybersecurity challenges in the healthcare sector. The healthcare sector is going where the IoT devices are going and where the patient care is going. While IoT has opened up the door for innovation or innovative new services across industry, the adoption of the IoT system within the healthcare sector is crank. And that’s why the numbers are huge.
The other risk is that the cybersecurity risk is now among the sectors most targeted by illegal markets globally. The predicted health information is more than what you create. Now, I think the question is why, and it’s due to its immutability, the state of not changing the information exists to help data breaches of particular interests or cyber criminals because your blood type doesn’t change for your personal health information contained in your medical file along with insurance and help provide information that is not going to change. There is a higher motivation for cyber criminals to target medical databases. If you look at the most recent research in the past few years, 83% of the medical imaging devices are running on unsupported operating systems. I guess the question is why. And the answer is because healthcare is always about saving patients’ lives.
It is amazing how much data these devices can generate. And we thought the human genomes could generate that much data, but we seem to have quite a bit of a proliferation of data. But I think it’s a very important fact that you highlight, because I think people often miss is that health data is so rich with immutability that it becomes so much more appetizing for cyber criminals. It’s definitely true that a credit card, you take it, it gets stolen. You call your credit card company and they erase it and get you a new one. It’s all fixed, but who do you call to say, you know, my blood types have been breached. Like there’s just no ID help desk here. So I think it’s a very important fact. And you know, many have argued that regulators should be doing more from a point of view of requiring the developers of the hardware, the software, and connected devices with regards to building in more security and protecting those vulnerabilities from an engineering perspective. How do you perceive the problem being most effectively addressed?
Very good question, Maria. I recall giving a presentation in 2018 where I talked about that everyone has a role to play from enforcing security to devices, to understanding the basic security advice. And I’m talking from regulators enforcing security controls that enable security in IoT devices to organization and practice, they choose to make a conscious choice of that using those IoT devices. Most regulators have just started to consider recommendations in this fast evolving setting and are moving slowly. Manufacturers are creating an incredible variety and volume of IoT devices. 5G devices should be prioritizing security by design, especially considering the potential detrimental consequences of a breach. We are stepping in the right direction and I’m going to take a couple of examples. Here is the California IoT law, that requires manufacturers to equip the devices with reasonable security features, regulators shouldn’t force what needs to go bare minimum in the main IoT devices as part of their implementation. Consumers should be able to make a conscious choice. Should they be using the IoT devices without risk management? For organizations also, do you want to use the IoT device? Should we be using the IoT device? What is the consequence of using this IoT device? What if the breach happened? I think those sorts of questions must be asked. The responsibility starts from regulators. They need to enforce. Then it goes to manufacturers. From manufacturers it goes to practitioners, and practitioners could be consumers also.
Very interesting. I think it is an all hands-on effort. One of the interesting aspects is we all want to know what’s going around the globe. Do you find that what you see in Australia differentiates from other geographic regions towards addressing this issue of the need for cybersecurity and the use of IoT and these mobile health apps and wellness applications?
Today, consumers across the globe are taking an increasingly proactive approach to manage their health. And technology is playing an important role. One in six Australians use mobile apps and wearable technology to track nutrition, exercise, sleep patterns, energy levels, and even stress. And with that, the number of connected wearable devices worldwide is expected to grow over 1.1 billion by 2022. From a health care practitioner’s point of view, they’re now adopting these technologies for patient monitoring and to drive improved health outcomes. Not just in Australia, it’s probably the trend that we see across the globe.
Obviously Australia was one of the first regions of the world to come out with a contact tracing application for COVID-19. We know that COVID-19 disrupted many of our norms and introduced new ideas. Some were great. And some maybe not so great. I know that contact tracing apps globally did not do well. There were a lot of concerns with them, but were there some concerns specifically in Australia, citizens about privacy and data security? Did you see any special way of addressing and mitigating it that you would like to share with our global community from that point of view?
To answer that question, I’m probably going to talk about why aren’t COVID tracing apps more widely used. As you know, we’re in the flood of coronavirus apps that were launched in the first half of 2020 across the globe to quarantine the infected individuals. That was the intent of that. And the true promise benefits of these contact tracing apps have not been realized to the full potential anywhere in the world, but the Australian government launched the COVID CFR. And there were clear concerns by citizens regarding trust, transparency, security, and privacy. Among that, user acceptance was the biggest challenge for many reasons. And if we consider from a technology point of view, there were concerns about the battery consumption. Now, from a security and privacy point of view, there have been serious concerns around user data. The COVID apps used to ask our users for their name, phone number, postcode, and the age range before they can register with the app.
The question was how well the application was tested in the way that data is stored? And the next question is the reliability and effectiveness of that. There is no rule for testing or approving the accuracy and reliability and effectiveness of contact tracing apps. And at the same time, I don’t think that there’s anyone to be blamed. We are facing an unfortunate global pandemic and everyone did what they could do. Some things worked and some didn’t. The one that didn’t work for us, we should take that as a learning for us.
Any final thoughts you would like to share with our audience?
Security is everyone’s responsibility. And I would like everyone when they are going out in the market and buying not just the IoT device, but any device. They should understand some basics of security to make sure our community is safe and secure.
I want to thank you for joining us today and sharing this wonderful insight, and I will thank you, the audience, for tuning in. I just want to share with you all that many of the concepts in our conversation with Ashish today are addressed in not only the IoT ecosystem security industry connections program, but we have many different industry connections programs within the healthcare life science practice. Our work in telehealth connects to the accessibility and security for all. And obviously the work we’re doing in decentralized clinical trials, as well as the work we are doing in cybersecurity. And this podcast, season two, is going side by side with a full year virtual workshop series we’re doing on global connected healthcare cybersecurity. Both information on that opportunity is at ieeesa.io/cyber2021. If you want to learn more about the Healthcare and Life Science practice, get involved in any of these programs we talked about today, or you would like to instantiate a potential program, please reach out to us at ieeesa.io/rethink. And with that, I want to wish you all to continue to stay safe and healthy and look forward to you joining us next time.
Can cracking code on cybersecurity in the connected healthcare ecosystem accelerate innovation in the world of mobilized care?
We are taking a different perspective from the land down under with Ashish Mahajan, Non-Executive Director of IoTSec Australia Inc, and Chair of the IEEE SA IoT Ecosystem Security Industry Connections Program. In this podcast, Ashish provides insights into the vulnerabilities of the entire data value chain in the IoT ecosystem that impede maximum utilization and innovation in public health, wellness, and healthcare. Hear how stakeholders in Australia are looking to live the mantra when the world gives you lemons, it’s best to make lemonade.
- IEEE SA Healthcare and Life Sciences Practice
- IEEE SA 2021 Global Connected Healthcare Cybersecurity Virtual Workshop Series
- IEEE SA IoT Ecosystem Security Industry Connections Program
- IEEE SA Transforming the Telehealth Paradigm: Security Privacy, Connectivity, and Accessibility for All Industry Connections Program
- IEEE SA Tech and Data Harmonization for Enabling Decentralized Clinical Trials Industry Connections Program
- IEEE Global Wearables and Medical IoT Interoperability & Intelligence (WAMIII) Program
About the Guest:
Ashish Mahajan is a trusted cybersecurity enabler focused on assisting organizations to build cybersecurity capabilities and cyber resilience by design, combining his industry exposure and thought leadership.
Ashish in the past has led various cybersecurity greenfield opportunities including strategy development, risk management, policy development, industry compliance certifications, and regulatory requirements. Through his able leadership and guidance, he has not only delivered the projects and assisted organizations in meeting the needs of business but has also brought added value that can be expanded to other areas of business and is adaptable to additional compliance requirements.
Ashish is also a member of the Internet of Things (IoT) community and is a frequent speaker on the risks involving threats in the IoT landscape, particularly on critical infrastructure in healthcare environments. He is also Chair of IEEE SA IoT Ecosystem Security Industry Connections Program. Ashish is also a member of the IEEE P2733 Working Group. This standard establishes the framework with Trust, Identity, Privacy, Protection, Safety, Security (TIPPSS) principles for Clinical IoT data and device validation and interoperability.