Tele-Audiology and Security Management: Is Anyone Hearing the Threats?

Introduction

Security matters. It’s the flip-side of all the significant advances in technology, communications, business and social interactions. For every new way that society finds to make use of technology for better efficiencies and outcomes, the bad guys find a way to abuse it. This is the reason why there seems to be an endless series of new cyber-attacks, privacy breaches and organizations being compromised.

Any system can fail. This may be because of poor design, accident, human error, misconfiguration or improper use. But assuming all this is correct, then an attacker will put the system under pressure looking for just one weak point. If the attacker finds one, then there has been a security failure. With Information Technology (IT) systems, the attacker has many advantages. Attackers can attack any of the components of a system: computers, devices, networks, applications and the people and processes around them. Each of those components may have multiple vulnerabilities. Attacks can be automated and launched from anywhere in the world via the Internet. Consequently, the Internet today experiences a continuous and never-ending flood of attacks (Kaspersky, 2017). The defenders must defend everything, but the attackers just need to find the tiniest vulnerability.

Tele-audiology is a microcosm of the world of attackers and defenders. At the device level, the hearing aid and associated configuration software may have weaknesses. At the business level, the audiology practice may have weaknesses or may be connected to external IT systems that have weaknesses.

Any attack has its consequences. Attacking a medical device may be life-threatening (e.g. pace-makers, dialysis machines etc.). Attacking a business may be also be detrimental due to economic losses, loss of reputation, litigation or stress on patients with a breach of their privacy.

This chapter aims to give an overview of security and areas that need to be considered when running a tele-audiology system. Section 2 gives a background and overview to security, why it is such a difficult area and most importantly, why it matters to tele-audiology. Section 3 provides a security analysis of tele-audiology systems. Section 4 outlines a framework for security management to ensure a reasonable level of security for a tele-audiology practice and highlights important aspects that need to be considered when implementing it.

Finally, this chapter closes with some conclusions with an emphasis on the following points:

• •

  Security is not only a technical issue, it is a business concern.

• •

  Every system is breakable, but it is the weak and least defended systems that get hacked first.

• •

  Attackers go after the assets of most value. In tele-audiology, this is probably the patient data.

• •

  All aspects of all IT related systems need to be defended. This includes people and processes.

• •

  Make use of security professionals and industry best practices.

Background

Security is a vast subject. Areas include computer security, information security, physical security, national security, economic security, just to name a few. The reasons why security can fail are numerous and varied. They cut across many fields including psychology, sociology, economics, biology, neuroscience, game theory, political science, law, philosophy, theology, cognitive science, and, many others (Schneier, 2012).

This chapter limits itself to computer and information security. Even this area is huge, covering every aspect of technology, people and processes including all the computers, devices, networks, applications, operations, and all the different types of interactions between people, systems, networks and information. Clearly all of this is not going to be explained. But this section does try to give a perspective on why an understanding of security is so important.