Protecting your Digital Domain: Advice from a Healthtech CEO
Harry Lykostratis, the founder, managing director, and lead engineer at Open Medical, shares valuable insights on cyber security.
My background
I'm a practising orthopaedic surgeon, but I've been designing and selling software programmes since I was 14 years old. I've always had an interest in computer programming, but I've also always appreciated medicine. So I studied medicine in university and specialised in orthopaedic surgery, but I kept programming on the side, which turned out to be rather handy later in life.
I arrived at work on a Saturday in 2011 to find a blank whiteboard instead of the trauma list. It had been wiped by mistake. It made me realise the impracticality of maintaining a trauma list on a whiteboard. A week later, at the trauma meeting, I presented eTrauma, a comprehensive digital solution for trauma workflow, and it took off. Open Medical was founded 2 years after, and eTrauma and Open Medical's digital solutions are now deployed in over 100 healthcare organisations across the UK and Ireland.
Cyber threats are not just data breaches
Many companies implement security as a compliance measure, but it should be viewed as a risk management effort and allocated sufficient resources. Threats no longer consist just of data breaches and ransomware; as we shift to more sophisticated models and infrastructure complexity increases, so do the threats.
For example, at Open Medical, we recently had to migrate our systems because our primary cloud provider was going out of business. We felt an immediate threat to the service, company, and the data in our custody. Migration was executed immediately. Over 3 days, the team at Open Medical migrated 60 systems, which is an immense amount of data. We didn’t cut any corners, and data confidentiality was ensured with continuous system integrity tests. We informed the users with proper documentation, but they probably wouldn’t have realised it was happening otherwise. For us, the migration was a massive undertaking, but for the users, availability of services was unaffected.
Zero-trust environment
Systems need to adapt to security threats and always be ahead with a measured approach, which is why tech organisations need to adopt a zero-trust environment.
Large organisations are progressively establishing a zero-trust environment; never trust and always verify. The work required to plan for inherent mistrust in technology raises the cost of transformation, engineering, and design, but it’s fundamental.
How it looks in practice
At Open Medical, we process sensitive data and are always aware of its location, nature, and destination. This has been our practice from the company's inception; it is a procedure that must be implemented very early on because it is difficult to revert. We reduce our attack surface area by employing multi-level networks and effectively concealing it within the deeper layers. We employ effective security parameters and regulate the identities of both our staff and users using adaptive identity governance, ensuring identities are never forgotten. We employ granular access control, and within our platforms, particular access has played a central role. Following the zero-trust paradigm, every data-containing request is always subject to access governance. Every time a request is made to receive or input data, our systems verify the identity and access level. Data is never stored in a database and is always accessed via a non-bypassable access system; data cannot be acquired without traversing the access layer. It is privilege access and we always vet users prior to granting access. Implementing a zero-trust environment is challenging but essential, and must consist of 3 layers.
The layers to a zero-trust environment
Authentication: Requiring multiple verifications depending on the circumstance or access management. It is essential to adjust authentication to the user pattern and environment, a strategy that has become widespread in industries such as banking. You know precisely who is being authenticated and if they are who they claim to be, reducing the chance of misappropriated identity.
Access control: Once authentication is completed, restrict user access. This must expand beyond role-based access and into adaptive and dynamic access. When a user has access to sensitive data, it is important to monitor how frequently and in what context the data is accessed.
Governing the access reason: This is still primitive to some degree. Identity and access can be managed, but establishing the reason for access on each occasion is extremely challenging. There are some existing methods, such as by analysing existing threat strategies. Soon, artificial intelligence (AI) will control traffic and detect threats, as well as determine the context and purpose of access to sensitive data.
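A minimal sketch of the three layers as a single gate that every data request passes through. This is an added example, not Open Medical's code; the roles, resources, thresholds and decision strings are all constructed for illustration.

```python
from dataclasses import dataclass
from collections import defaultdict, deque

# Constructed sample policy: every name and threshold here is an assumption.
ROLE_SCOPES = {"surgeon": {"trauma_list", "patient_record"}, "clerk": {"trauma_list"}}
SENSITIVE = {"patient_record"}
MAX_SENSITIVE_READS = 3   # sensitive reads allowed per user per window
WINDOW_SECONDS = 60

@dataclass
class Request:
    user: str
    role: str
    resource: str
    factors: frozenset    # authentication factors presented, e.g. {"password", "totp"}
    known_device: bool
    reason: str           # declared purpose of this access
    at: float             # request time in seconds

class AccessLayer:
    """Single gate for data requests; every decision is written to the audit trail."""
    def __init__(self):
        self._reads = defaultdict(deque)  # user -> times of recent sensitive reads
        self.audit = []                   # (user, resource, reason, decision)

    def decide(self, req: Request) -> str:
        decision = self._evaluate(req)
        self.audit.append((req.user, req.resource, req.reason, decision))
        return decision

    def _evaluate(self, req: Request) -> str:
        # Layer 1, authentication: demand a second factor for sensitive data or unknown devices.
        needed = 1 if req.known_device and req.resource not in SENSITIVE else 2
        if len(req.factors) < needed:
            return "step_up"
        # Layer 2, access control: role scope first, then how often sensitive data is read.
        if req.resource not in ROLE_SCOPES.get(req.role, set()):
            return "deny:scope"
        if req.resource in SENSITIVE:
            recent = self._reads[req.user]
            while recent and req.at - recent[0] > WINDOW_SECONDS:
                recent.popleft()
            if len(recent) >= MAX_SENSITIVE_READS:
                return "deny:rate"
            # Layer 3, access reason: a purpose must be declared and is kept for review.
            if not req.reason.strip():
                return "deny:no_reason"
            recent.append(req.at)
        return "allow"
```

Recording a declared reason only makes the purpose reviewable after the fact; judging whether that reason is genuine is the part the text describes as still primitive.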
AI: two sides of the same coin
Touching on AI, it is quite intriguing because, as it grows more prominent in organisations, it will also pose more challenges. AI can be used to detect threats and optimise adaptive access, but adversarial AI can also be used to organise an attack and breach a system.
One of the greatest dystopian worries is an attack on the AI itself. If the knowledge of the AI is hacked, then all of its information is compromised. Even if AI complexity increases, lower levels of AI complexity can still be jeopardised, such as corrupting the information disseminated to users. Take ChatGPT as an example. Information can be tainted, and ChatGPT will accept corrupted information as genuine and feed you the fruit from the poison tree.
The current state of threat detection is like searching for a needle in a haystack, but I expect that AI will make it easier to detect threats. There's a fine line between understanding what constitutes a threat and what does not while avoiding false positives.
Final message
Don't stop sharing; security isn't about restricting the accessibility, usefulness, or transparency of information; it's about ensuring that the correct information at the right level reaches the right people in the context in which they need it. Being secure is simple when isolated; the challenge is being secure while transparent.