Security is all about protecting all links in the “security chain,” since any weak link represents a vulnerability open to exploitation and could enable a breach or other security incident.
In this “chain and weak link” metaphor, I’m not talking about any weak link in the blocks within a blockchain. Rather, I am talking about the healthcare organizations linked together into a B2B network by the B2B middleware we call blockchain. Historically, this metaphor has often been used within the context of a single healthcare organization, or enterprise, for example, to ensure that data is protected throughout its lifecycle within the enterprise, and from client to network to servers and storage.
For example, if an organization strongly secures client devices, but leaves the network or servers or storage unprotected, then hackers tend to just shift their attention away from client devices to other more easily exploitable elements of the IT network “chain.”
Securing the Network of Healthcare Organizations
As we have seen from the alarming impact of breaches and ransomware in healthcare, many healthcare organizations are struggling to secure their own data within their own enterprise, let alone across the many organizations in a B2B network.
In fairness, many breaches do already involve B2B networks, for example, healthcare organizations and their network of business associates/data processors, and these breaches don’t yet involve blockchain. That said, blockchain promises compelling benefits in transparency, efficiency, security, and so forth, and rapid adoption of blockchain across the health and life sciences industry is sure to propel B2B networks and the sharing of sensitive information across them to whole new levels.
As organizations join blockchain networks they become able to sync and source sensitive patient information to/from the blockchain, and ultimately to/from other organizations participating in the blockchain network. If any of these organizations in the blockchain network have weak security, they represent weak links in the B2B blockchain network and become potential targets for hackers to compromise not only the data of that single organization but also any data shared on blockchain across the entire B2B network of organizations.
This expands the attack surface beyond individual organizations, to the network of organizations participating in the blockchain, and any single organization that is lagging behind the others in security represents a weak link in the blockchain B2B network.
Security Needs to be Adequate, Measurable and Benchmarked
To enable blockchain to reach its full potential in healthcare, and minimize breaches and other security incidents that could tarnish blockchain and stunt its growth, there needs to be a notion of an adequacy of security for all organizations across the blockchain B2B network.
There needs to be a way to measure and benchmark the security of organizations connected or planning to connect to the blockchain network in order to proactively identify and sufficiently mitigate any weak links for the protection and benefit of the whole blockchain enabled B2B network of organizations.
Security Includes the Blockchain, Its Nodes, and Connected Organizations
In my previous blogs, “Healthcare Use Cases for Blockchain - 5 Key Factors for Success” and “Healthcare Blockchain: What Goes On Chain Stays on Chain,” I discuss how blockchain and other security safeguards can work together to ensure adequate security of the blockchain.
Further, the Hyperledger Sawtooth and Coco Framework blockchain platforms promise strong security and data protection, and can make use of Intel® Software Guard Extensions (Intel® SGX), a hardware-enhanced security capability that protects the confidentiality and integrity of core code and data from the hardware level, providing strong protection of sensitive code and data running on blockchain nodes.
These blockchain nodes are the endpoints of the blockchain network; each can run a decentralized ledger and manage secure connectivity between a healthcare organization’s enterprise applications and the blockchain network. As a side note, many attacks on bitcoin have targeted the endpoints of the underlying blockchain network. Hardware-enhanced security of this kind, resilient even to sophisticated malware on the same machine, significantly improves the security of the blockchain platform and its suitability for sensitive patient information.
In a sense, the blockchain nodes are the on/off ramps to the blockchain B2B network “superhighway.” These nodes can run within the DMZ of a healthcare organization, between the internal and external firewalls, or, as cloud deployment options increasingly become available, on a secure cloud. Either way, these blockchain nodes typically run outside the internal firewall of the associated healthcare organization.
In this article, I extend the attack surface analysis beyond the blockchain network and its nodes to the union of healthcare organizations connecting to the blockchain, and to the enterprise applications within each of those organizations that connect to their blockchain nodes and are thereby able to source/sink data from/to the blockchain.
Benchmarking The Security of Healthcare Organizations
The Healthcare Security Readiness Program enables health and life sciences organizations to benchmark their security against the healthcare industry and against peers of a similar focus, size, and locale. This program can detect whether a given organization is lagging its peers or the healthcare industry in security and, if so, in which specific security capabilities.
To date, this program has 150 health and life sciences organizations participating across nine countries, and more than 40 industry partners working with Intel to scale worldwide. See Healthcare Security Readiness Program Reaches 150 Health & Life Sciences Organizations Across 9 Countries for more details on this program. A peer group participating in this program could be a B2B network such as a network of health and life sciences organizations that are participating in a shared blockchain.
The Healthcare Security Readiness Program could be used to benchmark the security of each healthcare organization connecting to the blockchain against the collective B2B network, detect any laggards or weak links, and enable proactive remediation. In securing blockchain, it is important for each healthcare organization connecting to the blockchain network to have strong and effective privacy, security, and data protection. This requires a holistic, multi-layered, defense-in-depth approach to security within each organization.
Security readiness workshops assess 42 key security capabilities, including administrative, physical, and technical safeguards, each with associated people, process, and technology components. These workshops are complimentary, confidential, 1 hour in duration, and can be done either in person or remotely by Intel or an industry partner. They can also be done with one organization at a time, or in a group security readiness workshop format with multiple healthcare organizations participating concurrently.
See the Intel Security Readiness Program for a concise overview, a sample report, detailed industry-level results, and further information on opportunities to engage. Note that security readiness workshops are distinctly different from risk assessments: they benchmark security capability gaps against peers and the industry, rather than producing a list of risks prioritized by business impact and probability of occurrence.
Risk assessments are a very important part of an effective security program and are required by many regulations, standards, and data protection laws. This is why security readiness workshops include Risk Assessment as one of the 42 key security safeguards assessed and benchmarked against peers and the industry, but the security readiness workshop is not a risk assessment itself.
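As an added illustration of the distinction above (not the Intel program’s tooling or scoring method), the following Python script benchmarks constructed capability scores for a blockchain peer group, flags the organizations and capabilities that lag the peer median (the “weak links”), and contrasts that gap benchmark with a risk assessment’s impact × probability ranking. The capability names, scores, risk entries and the 2-point gap threshold are all assumptions.

```python
from statistics import median

# Constructed sample (not real workshop data): organizations in one blockchain
# peer group, with hypothetical maturity scores per security capability
# (0 = capability absent, 5 = mature). The real program covers 42 capabilities.
PEER_GROUP = {
    "hospital_a": {"risk_assessment": 4, "encryption_at_rest": 4, "mfa": 3, "backup_recovery": 4},
    "hospital_b": {"risk_assessment": 3, "encryption_at_rest": 4, "mfa": 4, "backup_recovery": 3},
    "lab_c":      {"risk_assessment": 4, "encryption_at_rest": 1, "mfa": 1, "backup_recovery": 4},
    "clinic_d":   {"risk_assessment": 2, "encryption_at_rest": 3, "mfa": 3, "backup_recovery": 0},
}

# Constructed risk register for one organization, used only to contrast the
# two kinds of assessment.
RISKS = [
    {"name": "ransomware on file servers", "impact": 5, "probability": 3},
    {"name": "lost unencrypted laptop", "impact": 3, "probability": 4},
    {"name": "blockchain node key compromise", "impact": 5, "probability": 1},
]


def peer_benchmark(group):
    """Median maturity per capability across the peer group (the benchmark)."""
    caps = sorted({c for scores in group.values() for c in scores})
    return {c: median(scores.get(c, 0) for scores in group.values()) for c in caps}


def weak_links(group, gap=2):
    """Map each lagging organization to the capabilities where it trails the
    peer median by at least `gap` points.

    This is a capability-gap benchmark: it says which organizations lag and
    where, but nothing about the impact or likelihood of any particular risk.
    """
    bench = peer_benchmark(group)
    result = {}
    for org, scores in group.items():
        lagging = [c for c, m in bench.items() if m - scores.get(c, 0) >= gap]
        if lagging:
            result[org] = lagging
    return result


def risk_ranking(risks):
    """A risk assessment, by contrast, orders risks by impact x probability."""
    ordered = sorted(risks, key=lambda r: r["impact"] * r["probability"], reverse=True)
    return [r["name"] for r in ordered]


if __name__ == "__main__":
    print("peer benchmark:", peer_benchmark(PEER_GROUP))
    print("weak links:", weak_links(PEER_GROUP))
    print("risk ranking:", risk_ranking(RISKS))
```

In the constructed data the benchmark singles out lab_c (encryption at rest, MFA) and clinic_d (backup and recovery) as the weak links of the peer group, while the risk ranking answers a different question entirely.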
Detecting and Proactively Remediating Weak Links
By confidentially benchmarking the security of each healthcare organization, blockchain networks of healthcare organizations can ensure any weak links are proactively detected and remediated, paving the way for their safe participation in the blockchain.
Building the confidence of the overall healthcare blockchain network will enable the full benefits of blockchain to be realized while minimizing the risk of breaches and other security incidents that could quickly tarnish the blockchain, stunt its adoption by the healthcare industry, and negate its benefits.
Collaboration on Blockchain in Health & Life Sciences
If you are working on blockchain use cases in health and life sciences, we would welcome the opportunity to connect, introduce, and explore synergies and collaboration options. Message me on LinkedIn for further information.
What kinds of security vulnerabilities and solutions are you seeing in the use of blockchain in healthcare? Feel free to comment and provide feedback below.