Richard Armitage is a GP and Public Health Specialty Registrar, and Honorary Assistant Professor at the University of Nottingham’s Academic Unit of Population and Lifespan Sciences. He is on twitter: @drricharmitage
In a previous article regarding cyberattacks and primary healthcare,1 which was written in light of a recent digital assault on the NHS, I lamented the chronically neglected state of the health system’s digital infrastructure and the consequent threats to patient safety. That article called for dramatic investment to bolster the health service’s digital resilience, but recognised the limitations of finite resources, and the growing number of competing claims to access them. Since writing that article, and having read and thought more about the nature of contemporary cyber threats, an important question has naturally arisen: are some kinds of patient data – those that are often used in primary care settings – too sensitive to be digitally recorded?
Contemporary cyber-security
A ‘zero-day’ is a vulnerability – or a ‘bug’ – in a piece of software that the software developer is entirely unaware of.
A brief tour of today’s cyber-security will inevitably involve a handful of definitions. A ‘zero-day’ is a vulnerability – or a ‘bug’ – in a piece of software that the software developer is entirely unaware of. They are termed ‘zero-days’ because, once these bugs are exploited against the users of that software, the developer has zero days to fix them before the user is considerably harmed. The existence of zero-days is a product of the economic incentives of today’s digital technology market. As the world’s population becomes increasingly online and financially able to purchase digitised products, tech companies scramble to maximum sizeable market share by developing their products faster, driving down costs, and racing to implant software into every domain of life. This famously Silicon Valley-esque “move fast and break things” mentality regards the security of its products to be an optional luxury, a barrier to rapid scaling, and of secondary importance to market share capture. Tech company CEOs defend this business model by the (undeniably true) claim that it enables enormous numbers of people to acquire digital products that improve their lives through practicality, connectivity, and quality user experience. However, these vulnerabilities allow the creation of ‘zero-day exploits’ – pieces of code designed to target specific zero-days, which allow third parties to ‘get into’ the software without the user’s knowledge – which are increasingly traded in zero-day markets. Due to rapid digitisation, proliferation of software, and the widespread existence of zero-day vulnerabilities, an increasingly broad and complex ‘attack surface’ draws criminal groups, terrorist cells and nation states into this market, which enables digital espionage and offensive attacks at a fraction of the cost of more traditional methods, while minimising the risk of being discovered and held accountable.
Consequently, digital attacks using zero-day exploits are being used with escalating frequency, and are having increasing real world impacts on the physical environment. The term ‘cyber-attack’ has connotations of trivial, even humorous inconveniences, such as defacing a digital photo or inserting a political slogan. However, contemporary digital assaults can surveil individuals remotely, steal their personal data, and access victims’ finances stored in online accounts. And now, since the Stuxnet computer worm discovered in 2010, the deployment of zero-day exploits can have significant implications for the physical world, particularly when designed to target critical infrastructure. Within the last decade, cyber-attacks have been mounted on oil and gas pipelines,2 nuclear facilities,3 and electoral voting systems,4 along with health system infrastructure central to patient care. These digital onslaughts can affect millions of people and endanger their lives.
The existence of significant zero-days, and the trade of zero-day exploits, is considered to be of such enormous scale and financial value that it is assumed within the industry that every private individual, every major corporation, and even every nation state has been the target, continues to be the target, and will soon be the repeated target of a consequential cyber-attack. For individuals, this manifests as their passwords being available for purchase on dark web databases. For corporations, customer and employee data can be stolen for a fee. And for nation states, classified communications, internal policies, and even state secrets can be accessed remotely and without detection. In testimony to this situation, former Cisco CEO John Chambers once said, “There are two types of companies: those that have been hacked, and those who don’t yet know they have been hacked.”5
The decentralised nature of shared software utilisation between public and private sectors, individuals, institutions, and nation states, renders the transparent identification and timely patching of serious zero-days an enormous challenge to global cooperation. Due to the seemingly inherent vulnerability in contemporary software, cyber-security experts are beginning to question whether certain data, that are both extremely valuable and likely to be hacked, should be considered as simply too sensitive to be digitally recorded. In this vein, I ask the same question of certain kinds of patient data.
Particularly sensitive patient data
It is vitally important to the provision of safe and effective patient care that relevant data pertaining to the patient in question is shared in a free, open and timely manner with the professionals involved in the delivery of that care. Since these data are inherently sensitive, their sharing brings into play important legal and ethical principles including consent, confidentiality, and public safety, which can make communication between clinical teams, especially those that are geographically distant, challenging to navigate without arduous trade-offs. Since the contemporary NHS, including and perhaps primarily general practice, functions atop a digital foundation, a new variable of concern is brought into play: that of digital data security.
The recent cyber-attack on NHS systems, on the background of zero-days and zero-day exploit markets, raise concern for the safety of digitised patient data. As bad actors show an increasing appetite for sensitive information, and cyber criminals demonstrate a growing willingness and capability to access it, the security of such data regarding individuals, corporations and even nation states is becoming increasingly precarious and difficult to assure. Within the realm of healthcare, sensitive information regarding the health status of patients, including their risk factors, diagnoses and on-going treatment plans, may be extremely value to nefarious actors. For example, at the least reprehensible end of the spectrum, access to such information could assist the promotion, advertisement and direct marketing of particular products determined by patients’ risk factors and diagnoses. At the more malevolent end, the same data could be used to blackmail, extort, or extract ransoms from those patients, thereby affecting their personal, family, and occupational lives as free and private citizens. Accordingly, this situation begs the question whether certain kinds of patient information should be digitised, and therefore rendered vulnerable to digital theft, at all?
Accordingly, this situation begs the question whether certain kinds of patient information should be digitised, and therefore rendered vulnerable to digital theft, at all?
In today’s NHS, certain kinds of data are not routinely shared between teams of clinicians. Details regarding attendance and treatments at sexual health clinics, for example, are not shared between the treating specialists and the patient’s GP. For primary care records to be shared between different providers, patients have to offer their expressed and informed consent. And patients can prevent their (anonymised) primary care data from being shared for research and planning purposes with NHS Digital. Despite these controls for maximising patient autonomy, they say nothing on the subject of digitising these data in the first place. Sexual health data remain within these specialised clinics in digital form. Consent determines whether digital primary care data are or are not shared with other providers. And NHS Digital be denied access to records that continue to exist unshared in their digital form. The question examined here is whether some kinds of patient data, whether sharable or not, should ever be granted a digitised existence?
Perhaps the most sensitive patient data in contemporary healthcare is the whole genome sequence of individual patients. Genomic and personalised medicine are being rapidly and increasingly embraced by health systems, industry leaders, and public alike, and the NHS Genomics Medicine Service, which was the first national health care system to offer whole genome sequencing as part of routine care, aims to sequence 500,000 whole genomes by 2023/24.6 The admirable aim of this endeavour is to ‘transform healthcare for maximum patient benefit’ through the enhanced detection and treatment of children with genetic disorders, and those with cancer and other inheritable conditions, to whom molecular diagnostics and personalised medicine will be increasingly offered. Given this intention, it is not difficult to imagine a general practice not far from now that sees the inclusion of a patient’s whole genome sequence in their primary care record in the same manner that their age, sex and list of diagnoses are currently stored. In such a world, the patient’s entire genetic code would be just as vulnerable to cyber theft as their age, sex and list of diagnoses. While the potential for genomics to radically improve patient and population health outcomes is clear, realisable, and professed with abandon,7 the potential for mistreatment of this dual-use technology is less openly acknowledged. In relation to the theme of this article, obvious causes are the risks of bad actors stealing the entire genetic codes of countless individuals, and using those data for nefarious purposes.
Want to know if your Dad is really your biological father? Want to know if your parents aren’t disclosing inheritable conditions? Want to know if your partner will pass on genetic defects to your children? All these can be revealed after payment of a fee. These examples are simple, affect only individuals, and could be easily deployed by unsophisticated criminals. In the hands of bad actors with data science skills, the application of machine learning algorithms and artificial intelligences onto large collections of whole genome sequences could be used to gain exploitable insights akin to those that benevolent data scientists strive to acquire (the latter, however, do so with datasets acquired with the participants’ consent, and with pro-social purposes subjected to medical ethics oversight).
What to do?
There appears to be trade-off: digitise patient data to maximise safety and care, and accept the inherent risk of theft and misuse of that which is sensitive. Of course, not all data are equally sensitive: a patient’s recent viral URTI is of less significance than their HIV status. The dilemma therefore pertains specifically to those data that are of a sensitive nature, which may also be defined as ‘of value to bad actors.’
What would it mean to not digitise sensitive data? The most significant effect would be on the communication of relevant patient data between clinicians within the same specialty (such as within general practice), and between different clinical teams involved with the patient’s care (such as between primary and secondary care), in both routine and emergency contexts. Undoubtedly, this would cause substantial harms to the delivery of safe and effective patient care. Recording clinical information using pen and paper, storing it in physical formats, and communicating it between teams via postal delivery service are also susceptible to pre-digital means of ‘hacking’. However, these consequences must be balanced against the harms of potential theft of a patient’s most sensitive data. It also may be the case that patient data most crucial to clinical decision-making in emergency contexts (such as whether the patient is HIV positive or receives immunosuppressant therapy) are not the most attractive to cyber criminals.
How should we approach these competing concerns and responsibilities? Perhaps, like in many scenarios in medicine involving tensions between opposing values, we should consider the patient to be a competent, autonomous, self-determining actor, and ask them to decide for themselves. After informing them of the nature of the threat, the potential consequences for both digitising and not digitising sensitive data, and the options available to them, their decision should be sought, enacted, and made possible for revision at any time in the future. This may deal with the trade-offs inherent to this problem by prioritising patient autonomy as the primary ethical principle.
For an insightful yet terrifying account of the wider subject of zero-day exploits, I recommend ‘This Is How They Tell Me The World Ends’ by New York Times cybersecurity reporter Nicole Perlroth, Bloomsbury 2022.
References
- R Armitage. Cyber-attacks and primary care: the need for digital health resilience, https://bjgplife.com/cyber-attacks-and-primary-care-the-need-for-digital-health-resilience/ accessed 23/9/22
- S Kelly and J Resnick-ault. One password allowed hackers to disrupt Colonial Pipeline, CEO tells senators. Reuters 09 June 2021. https://www.reuters.com/business/colonial-pipeline-ceo-tells-senate-cyber-defenses-were-compromised-ahead-hack-2021-06-08/ [accessed 16 August 2022]
- JP Farwell and R Rohozinski. Stuxnet and the Future of Cyber War. Survival 28 January 2011; 53(1): 23-40. DOI: 10.1080/00396338.2011.555586
- A Abrams. Here’s What We Know So Far About Russia’s 2016 Meddling. Time 18 April 2019. https://time.com/5565991/russia-influence-2016-election/ [accessed 16 August 2022]
- CISCO. What is a Cyberattack?
https://www.cisco.com/c/en/us/products/secu rity/common-cyberattacks.html [accessed 16 August 2022] - NHS England. NHS Genomic Medicine Service. https://www.england.nhs.uk/genomics/nhs-genomic-med-service/ [accessed 16 August 2022]
- GS Ginsburg and HF Willard. Genomic and personalized medicine: foundations and applications. Translational Research December 2009; 154(6): 277-287. DOI: 10.1016/j.trsl.2009.09.005
Very important debate. As I summariser of incoming notes I have been removing any mention of termination of pregnancy from the problem lists for many years now. I have also removed photographs from the record if they are not clinically relevant . For example needed for a plastic surgery referral. Of course the digital record can never be fully deleted.