In this two-part series, we look at the challenges of managing cybersecurity, the impact on healthcare AI adoption, and potential solutions that could remove the barriers health systems face in harnessing the power of AI.
Series Part 2: Managing cybersecurity in healthcare AI, what could a solution look like?
When addressing AI security, our developer partners ask us… can’t we just do everything in the cloud? The short answer is no, and here’s why cloud-only is not the best or most secure approach.
Integrating with AI vendors in the cloud means health systems lose visibility and control of patient data once it leaves their data center. This creates problems with auditing and monitoring while increasing the chances of a HIPAA breach. AI applications and vendors are by-definition point-solutions providers. These solutions are incredibly powerful and increasingly easier to build, but they don’t have the standalone security infrastructure to scale as the AI needs of a health system grows.
To a health system, each AI vendor represents:
- PHI risk and loss of control, as hospital data is housed and managed outside of their secure environment
- An opening in the health system’s firewall that provides data access to an outside vendor with unknown security practices
- An additional group of external individuals with access to the hospital’s patient data and network, exposing an opportunity for hackers
Unfortunately, investment in security by the average AI solution provider is very low. We’ve found the overwhelming majority of the 1,200 plus AI solution providers are startups that lack both the financial resources and technical skillset to appropriately address these concerns. They tend to invest their capital in data scientists and launching new products, not on a dedicated engineering team focused on maintaining security and patching vulnerabilities.
What about de-identifying data sent to the cloud? Simply put, it doesn’t work well. Even the best efforts around the de-identification of patient data have proven insufficient for data leaving the healthcare system. De-identification also introduces an additional layer of complexity the health system IT team is then responsible for managing. For the data to be usable, they would need to de-identify the patient data, send it to the vendor, re-identify it, and place it into the appropriate workflow and interface. This is a process that is ripe for mistakes and cyberattacks.
SPOGs: almost as cool as SPACs — what does a potential solution look like?
The best way to understand what might work in terms of AI security is to look at the tools used by the industry IT teams to handle the management, configuration, and event monitoring for their enterprise devices and operating systems. Their standard solution has been to use single pane of glass (SPOG) management software, like Microsoft SCCM.
These tools create a dashboard that combines information from various devices — mobile devices, computers, laptops — into a unified display that can be used to quickly change accessibility and security settings. SPOG provides IT teams with a centralized portal that ensures role-based access and that everyone is working from the most up-to-date information.
Health systems can easily leverage their learnings from deploying SPOG to manage the increasing complexity of their AI initiatives. Going forward, they will need to support an assortment of AI vendors accessing and processing various pieces of patient data, with the output utilized by a variety of internal and external stakeholders in different workflows. The SPOG approach could manage this complexity, but has yet to be implemented for AI applications and sadly won’t become a reality if health IT blindly trusts the myriad of cloud-first AI vendors.
Cybersecurity is one of the hidden forces delaying AI adoption, and healthcare IT teams find themselves in a difficult position. They must juggle ever-growing cybersecurity risks, the diverse AI needs of their clinical and business stakeholders, along with the low-security standards and incompatibility of the typical AI vendor’s cloud-based service model. For health systems to truly harness the power of AI, these conflicting needs will have to be resolved.
Drop us a note if you’d like to discuss your experience in managing security in healthcare AI, the challenges you’ve faced, and the solutions you’ve implemented.
Pelu Tran
Pelu is a serial healthtech entrepreneur; he studied both medicine and engineering at Stanford University and was four months away from receiving his MD when he dropped out to start his first company.