
By Julian Arango | September 16, 2019
Many startups are achieving success by redefining how the economy works. The so-called Xtechs (FinTech, HealthTech, InsurTech, among others) are reducing operational costs and delivering more value to customers by leveraging computer science and advances in electronics. 3D printing, habit-tracking apps, and cheap, precise, small measurement devices are just a few examples of what citizens and patients now use from so-called HealthTech. Within health centers, new technology is also supporting more efficient and effective practices. An explosion of new devices and interconnectedness is driving change to new levels.

However, security threats have surrounded healthcare for years, and the emergence of HealthTech doesn't mean fewer risks. On the contrary, HealthTech may pose new and significant challenges. A recent publication in Maturitas (Coventry & Branley, 2018) describes the cybersecurity challenges healthcare currently faces. The potential for economic exploitation of medical health records, the number of underprotected medical and non-medical devices, and the increasing complexity of digitizing medical records all call for a more serious approach to cybersecurity in healthcare.

How can healthcare cybersecurity risks be managed amid this overload of interconnected devices and data? We believe organizations (HealthTech companies in particular) could learn from what has been innovative in healthcare management.
Here’s a short story:
Atul Gawande, renowned surgeon and writer, worked with the World Health Organization to address high mortality rates within intensive care units (ICUs). The finding: according to the evidence, checklists reduced mortality in ICUs by 40%. However, the checklist was only the medium by which the breakthrough was delivered. What was behind it?

In general, Gawande says that the amount of knowledge and complexity we face today makes it very hard to accomplish our work flawlessly, even when we know how to do things. In the specific case of medical professionals, he points to surgeons' overconfidence and memory limitations: they are quite sure they know what they are doing, but they are also prone to forgetting crucial elements of a surgery, such as instruments or procedures. As simple as it appears, a checklist is a tool for better performance in many contexts.
In his words:
“Checklists provide a kind of cognitive net. They catch mental flaws inherent in all of us – flaws of memory and attention and thoroughness.” (Gawande, 2009)
Dr. Gawande has gone further to improve performance, not only in ICUs. On The Knowledge Project podcast he discussed the Morbidity and Mortality (M&M) conferences he runs at Brigham and Women's Hospital. These meetings are aligned with Amy Edmondson's work on psychological safety (see, for example, Edmondson 1999; 2018). In brief, they are a safe space in which medical teams get together to discuss complications (cases that went wrong) in medical practice, including every death. Attendees are legally protected: nobody can be attacked or dismissed for what they say there.

In these meetings, medical teams discuss what could have been done differently to avoid the complications and how to ensure they don't happen again. Making people feel safe to talk about the errors they made, for instance administering too high a dose of a drug to a patient with terrible consequences, has led to death rates falling quickly and to faster recovery of patients. He also mentioned that, in general, the culture this practice has fostered is invaluable: people feel empowered and responsible, but also willing to take some risks when needed. For society, all of this means greater well-being.
We can see information and IT assets as the patients that cybersecurity teams look after. Like healthcare, cybersecurity, computer science, and software engineering both enjoy and suffer from large amounts of knowledge. Just as in healthcare, “necessary fallibility” is also present in cybersecurity. That is, despite scientific advances and the knowledge humankind has developed, some of the goals people pursue are “simply beyond” human capacity (complete security, for example). We will never know everything for sure, and that is certainly the case in cybersecurity.

As HealthTech goes mainstream, the potential perils of such increased complexity, interconnectedness, and knowledge should be addressed. Healthcare, nonetheless, is showing us that even in “necessary fallibility” environments there are ways to perform better. In particular, checklists can be translated into cybersecurity operations.
At Fluid Attacks, we believe there is a clear link between what we do and how organizations benefit from better managing “fallibility”. HealthTech providers should be especially aware of how to ensure their products provide reliable security for data and operations. We have one single offering: we attack your software. We breach flaws in IT systems, with superior effectiveness, before others do so and cause real harm. We do this, in part, in the same way Dr. Gawande and his team lowered mortality rates in ICUs: using checklists.
However, we go some steps further. We are capable of continuously hacking enterprise-level systems; think of it as a smart checklist. Because the assessment is continuous, our services can detect small changes that could pose risks to your business. We rely on our automated products, so nothing is left out (just as with a checklist). We also go deeper: our security engineers are the best-trained hackers. They think and work all the time on how your system's flaws can be combined into attack vectors that others cannot identify.

We are also capable of assessing valuable IT and information assets in one shot. Again, we rely on “smart” checklists: we automate almost everything we already know. Asserts is our product for quickly assessing the state of customers' systems. It is like using a smart checklist fed by all of our knowledge and experience. Everything we do gets stored, described, and tracked in Integrates, our vulnerability management platform. Integrates makes it easier for our customers to keep track of their security weaknesses as well as the fixes they have performed.
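The idea that checklists translate into security operations, and the point above that continuous runs catch small changes, can be made concrete. What follows is an added example written for this page; it is not code from the original post nor from Fluid Attacks' products (Asserts, Integrates). Each checklist item is a small function over a configuration snapshot of an HTTP service; the runner executes every item on every run, so no item is skipped, and diffing two runs surfaces regressions introduced by a change. The snapshot keys, check names, thresholds and sample configurations are constructed assumptions, not anything the post specifies.

```python
"""Executable security checklist with run-to-run regression detection.

Added example, not code from the original post or Fluid Attacks' products.
Every check runs on every snapshot (the checklist is the cognitive net), and
comparing two runs surfaces configuration drift. Snapshot keys, check names,
thresholds and sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Config = Dict[str, object]


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    detail: str


def check_tls_min_version(cfg: Config) -> Optional[Finding]:
    """Legacy TLS (1.0/1.1) is deprecated; require 1.2 or newer."""
    version = cfg.get("tls_min_version")
    if version not in ("TLSv1.2", "TLSv1.3"):
        return Finding("tls_min_version", "high",
                       f"minimum TLS version is {version!r}; require TLSv1.2 or newer")
    return None


def check_hsts(cfg: Config) -> Optional[Finding]:
    """HSTS must be present with a max-age of at least one year (31536000 s)."""
    headers = cfg.get("response_headers", {})
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return Finding("hsts", "medium", "Strict-Transport-Security header missing")
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:
            key, val = part.split("=", 1)
            directives[key.strip().lower()] = val.strip()
        elif part:
            directives[part.lower()] = ""
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0  # a malformed max-age gives no protection; treat as zero
    if max_age < 31536000:
        return Finding("hsts", "medium", f"HSTS max-age {max_age} is below 31536000")
    return None


def check_cookie_flags(cfg: Config) -> Optional[Finding]:
    """Every Set-Cookie must carry both Secure and HttpOnly."""
    missing = []
    for cookie in cfg.get("set_cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        lacking = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if lacking:
            missing.append(f"{name} lacks {'/'.join(lacking)}")
    if missing:
        return Finding("cookie_flags", "medium", "; ".join(missing))
    return None


def check_debug_disabled(cfg: Config) -> Optional[Finding]:
    """Debug mode leaks stack traces and internals; it must be off in production."""
    if cfg.get("debug", False):
        return Finding("debug_mode", "high", "debug mode is enabled")
    return None


CHECKLIST: List[Callable[[Config], Optional[Finding]]] = [
    check_tls_min_version, check_hsts, check_cookie_flags, check_debug_disabled,
]


def run_checklist(cfg: Config) -> List[Finding]:
    """Evaluate every item, every time; return the failed ones."""
    return [f for f in (check(cfg) for check in CHECKLIST) if f is not None]


def regressions(before: Config, after: Config) -> List[Finding]:
    """Findings present after a change that were absent before it."""
    baseline = set(run_checklist(before))
    return [f for f in run_checklist(after) if f not in baseline]


# Constructed snapshots: a hardened baseline, and the same service after a careless change
# that re-enabled TLS 1.0 and dropped HttpOnly from the session cookie.
BASELINE: Config = {
    "tls_min_version": "TLSv1.2",
    "debug": False,
    "response_headers": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
    "set_cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}
DRIFTED: Config = dict(BASELINE,
                       tls_min_version="TLSv1.0",
                       set_cookie=["session=abc123; Path=/; Secure; SameSite=Lax"])

if __name__ == "__main__":
    for finding in regressions(BASELINE, DRIFTED):
        print(f"[{finding.severity}] {finding.check}: {finding.detail}")
```

In practice the snapshot would be produced by a scanner or pulled from the deployment's configuration on every build, and the `regressions` output is what a continuous assessment reports: not the whole state, but what got worse since the last run.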
What about what Dr. Gawande calls M&M meetings? Well, the good news is that our approach makes you less likely to need a version of M&M meetings, because our work is proactive, not reactive. With us, you don't have to wait to be hacked for real and then discuss how to improve for the future. We help you anticipate those complications, so you are better prepared, and so you become more antifragile.
Do you want to share your thoughts? Do get in touch with us! We can help.