Test, trace, isolate. Those three words tell you everything you need to know about how the world has been trying to get ahead of the COVID-19 pandemic. Now that many countries are starting to think about a return to some kind of new normal, the big question is: how do we prevent second waves of disease?
The answer seems to be rooted in technology and, specifically, contact tracing apps. It all sounds so easy: you download an app and, by using Bluetooth proximity tracking, if anyone you’ve been close to reports suspicious symptoms or a positive test, you get a notification so you can go ahead and self-isolate, sparing the rest of your community from the virus. However, as we all know, nothing in life is quite that simple. Immediately, people were up in arms about the rise of Big Brother and how these apps would be abused for mass surveillance. There were even more fundamental issues, such as whether Bluetooth was the right technology to use. How many false positives would it create? How many, dare I say, humans would we need to follow up every potential exposure case anyway?
Now, it’s right to raise these concerns, but there is a much bigger cybersecurity issue at stake here: one that has a direct impact on people’s lives at scale, from local hospitals to entire national health systems.
The fact is, contact tracing ‘apps’ are really pretty useless if you consider them as siloed solutions. However, they can become extremely valuable when they are seen for what they really are, which is real-time data sharing platforms. Now, it doesn’t roll off the tongue, but we should actually call them Public Health Analytics and Early Clinical Intervention Platforms. This means that all the data from every user’s app is being shared with local, regional and national health and government IT systems. It is the only way to do outbreak mapping, trend analysis and resource planning, and to perform early clinical interventions in higher-risk exposed groups.
And therein lies the problem.
Suddenly, this deep interoperability makes these platforms tremendously attractive targets to compromise: not to steal patient data, but to spread destructive malware such as ransomware to adjacent health IT systems. Ransomware has risen tremendously in healthcare because attackers have become savvier and now understand the concept of clinical urgency. They know that shutting down clinical workflows and services, putting patient safety at risk, drives the behaviour they want (i.e. ransom payments).
COVID-19 has provided the perfect cover for a massive rise in phishing attempts preying on people’s anxiety, and has put clear targets on the map, such as acute hospital chains, testing sites, medical device manufacturers and government agencies. It’s not a stretch to think that a newly developed platform that’s potentially connected to many key systems across a country would be a target. It’s important to note that it also doesn’t matter whether these platforms use a decentralized model (the Apple/Google strategy) or a centralized model. The fact is, any version of a contact tracing platform needs interoperability to be useful. This very point highlights the issue: a myopic view on privacy risks has distracted from the patient safety and national security risks that come with contact tracing.
Ultimately, healthcare is critical infrastructure, and whether it’s an attack that compromises a public sector system (like WannaCry hitting the health system in England) or a major private hospital chain, the damaging effects will be felt by clinicians and their patients. Contact tracing platforms can be a vector for tremendous damage if not planned correctly, both holding back pandemic management and simultaneously increasing clinical risks.
I started this article with the words test, trace and isolate. Speaking as a trained medical doctor, I can’t emphasize enough how important this is as a mantra. Now let’s make sure that when we bring technology into the equation, we’re looking at the security risks with an eye on patient safety.