This is Part 1 in a series exploring digital identity and security in healthcare. View Part 2 here.
Digital dilemma: The rise of AI and the challenge of online identity
2023 may be a tipping point, as advanced AI challenges the perception of online identity, particularly in the realm of health data.
The headlines are in – ChatGPT can now write effective malware.
Sad to say, but it’s completely unsurprising that some people want to use such powerful tools to defraud, attack or otherwise hack our digital world. Unsurprising, but disappointing.
The truth is that every advancement in technology – including large language models (LLMs) – comes with two sides.
The Internet becomes a global Turing test
Still, it’s no small thing to realize ChatGPT and other AI effectively supercharge bad actors, meaning we now face a digital identity crisis of epic proportions. For a long while now, we’ve been playing a worldwide imitation game, and the robots might soon start winning.
If you’re unfamiliar: before this year’s blockbuster Oppenheimer, Hollywood gave us 2014’s Imitation Game. It’s another WWII-era biopic that shares the story of Alan Turing, a genius and the inventor of the imitation game. His game has a simple premise:
Can a computer fool a human into believing they are talking to another person?
When the Imitation Game came out, the answer to Turing’s question was — thankfully — no. In fact, around the time the movie was released, the famed chatbot Eugene Goostman only managed a 33 percent success rate. To do so, it had to be presented to human judges as if “Eugene” was a 13-year-old boy.
Today? The answer’s not so clear.
And truthfully, it’s almost beside the point whether or not ChatGPT — on its own — can trick you. Because in the hands of a skilled prompt engineer, it definitely can. The magic of today’s AI isn’t the ability to replace humans, it’s the ability to augment humans.
Once we understand that, we can look at every instance of how these LLMs have improved our productivity and realize that those same gains are happening for the dark web. Suddenly, a single malicious social engineer out phishing for credentials can increase their productivity tenfold.
Without an effective, secure way to ensure digital identity, how can you be sure the person on the other end of the web is who you think they are? This new technology will run rampant across the healthcare industry in a new wave of fraud and attacks, targeting healthcare’s treasure trove of high-value patient records. This will only accelerate the already rising level of cyberattacks on health data.
In light of all of this, it’s a wonder any health executives can sleep at night. But the picture I’ve painted is exactly the world that noted cybersecurity technologist Bruce Schneier imagined in his now-prophetic 2021 article, The Coming AI Hackers.
“Artificial intelligence — AI — is…already deeply embedded into our social fabric, both in ways we understand and in ways we don’t. It will hack our society to a degree and effect unlike anything that’s come before. I mean this in two very different ways. One, AI systems will be used to hack us. And two, AI systems will themselves become hackers: finding vulnerabilities in all sorts of social, economic, and political systems, and then exploiting them at an unprecedented speed, scale, and scope.” (emphasis added)
Perhaps 2023 is simply the year that we all caught up to what the experts have been saying for a while. The status quo has changed. We’re now far past the days of the handwritten record and on-prem security.
The new health data
How does healthcare’s data behave in 2023? Just 10 years ago, patients still had to gather scattered paper records from hospital basements across America. And you have to admit, things have gotten better.
However, I recently requested my own records from a provider and was mailed a CD. This would have been a wonderful advance in data sharing, but for the fact that in 2023 there isn’t a single device in my home with a disc drive.
But I remain optimistic. In June, I attended KLAS Research’s K2 Provider/Payer Summit. The best way to describe the event is that a group of healthcare “frenemies” (the payers and providers themselves) got together on neutral territory to talk about win/win scenarios largely centered on data exchange. You can read the details in this KLAS white paper.
Multiple groups composed of payers, providers and vendors presented. Many focused on the huge strides made in areas like prior authorization, an area in which automating processes has saved time and money for both health systems and payers. While progress is halting and trust remains a barrier, data has demonstrably shifted from a trickle to a flow in recent years.
Increasingly, health data behaves more like a chain and less like CDs in a flatpack mailer. Health data in 2023 is part of an ever-expanding, vibrant data supply chain of information that starts with patients and flows to providers, payers, regulators and back again. It’s honestly incredible, except each new link in the supply chain becomes a new attack surface to exploit.
Security and the weakest link
This may appear obvious, but as professor Stuart E. Madnick puts it, “Hackers can use data stolen from companies with weak security to target employees and systems at other companies, including those with strong security protocols.”
A seasoned CIO friend of mine shared his experience when a nearby health system was hit by a ransomware attack. “They went down for about a month and lost millions in revenue. Given the level of connection we had with them, we had daily meetings with their team to help them literally rebuild their entire system.”
In the end, he was lucky that the attack stopped at the door, but even then, his system had to overhaul their relationship with that exchange partner and reassess their own cybersecurity infrastructure.
Many aren’t as lucky, and every new third party with which they exchange data serves as a conduit for hackers to exploit. Earlier this year Community Health System had to disclose to the Securities and Exchange Commission that a breach occurred through a third-party vendor that was — ironically — a secure file transfer firm.
The question remains – what’s the fix? When the status quo changes entirely, how should we respond? What if we change the way we view digital identity entirely?
This article is part one in a three-part series on healthcare’s digital identity problem. In the next article, we’ll discuss the upcoming technologies that will build the future of digital identity online.
Jared Jeffery and Samuel Smith, Ph.D.