Healthcare is unprepared for cyber attacks and as the cybercrime threat landscape for medical devices and electronic health records is evolving at unprecedented rates this lack of preparation does not bode well. The malicious intent of financially motivated or state-sponsored cyber-criminals was best served by victimizing financial institutions, power infrastructure and the business sector.
The sheer wealth of profitable consumer information stored within the servers and IT networks powering these industry segments have attracted cyber attack interests for decades. At the same time, these industries are investing vast resources to strengthen their security posture. Cyber criminals pursuing easier targets are aiming for the healthcare industry instead, where a similarly vast deluge of sensitive personally identifiable information powers increasingly digitized healthcare services from less-secure network infrastructure.
Inherent Loopholes as Healthcare Is Unprepared for Cyber Attacks
Healthcare institutions excel in medical practices but are inherently prone to security attacks. 2017 might have seen only a limited number of successful attacks, but make no mistake that healthcare is unprepared for cyber attacks and this is a very real threat, and here’s why. The future of healthcare centers are paperless medical practices. Digital patient information stored in network-connected servers is a recipe for disaster unless strong security defense capabilities are in place to ward off sophisticated cyber attacks. And that’s precisely the problem with the healthcare industry they are woefully unprepared for technology adoption.
While the government and the industry is pushing to embrace Electronic Health Record (EHR) systems, the same attention is not given to invest in strong security solutions, technologies, and processes across the widening industry of healthcare institutions, hospitals, surgery centers and EMR/EHR management providers.
Equating Compliance to Security: Global regulatory authorities enforce strict laws to ensure security of digital health records and electronic systems used in the healthcare industry. However, these laws are designed to establish and maintain a minimum standard of security capabilities and practices. The risks could be far worse and varied. Therefore, it becomes more obvious why healthcare is unprepared for cyber attacks by maintaining compliance standards such as HIPAA do not translate into strong security capabilities.
Lack of Security Awareness: A significant proportion of life-threatening spearphishing and ransomware attacks are designed to exploit the human element. Random clicks to malicious links by unsuspecting workforce in the healthcare industry cost millions of dollars in damages. Inadequate workforce education and training on maintaining security of digitized records and new healthcare technologies is prevalent in the industry considering the simple root causes of these costly attacks.
Lack of Resources: Many healthcare institutions do not operate on the same IT security budget in comparison with financial and business organizations. A recent conducted by The Ponemon Institute finds healthcare organizations rate their ability to defend against cyber-attacks at a meager 4.9 out of 10.
Outsourcing May Alleviate Healthcare Industry Unprepared for Cyber Attacks
Healthcare institutes work to excel in the services they have to offer, and tend to outsource critical healthcare IT operations. These IT service providers are subject to strict regulations including HIPAA, whereas healthcare organizations cannot accurately assess the risk of business associates or ensure security of Protected Health Information (PHI) shared with them.
Now that we are fully engrossed in the cyber age, there are rapid advances across the board for all things connected to the Internet and IoT medical devices cyber security is no exception. These devices, often called “The Internet of Things,” or IoT, has certainly made much of life much easier. For the medical profession, it has certainly become a simple, safe and easy way to monitor patients away from a clinical setting.
This is all fine and good, but there is a fundamental question of IoT that needs answering: Are these safe and secure when away from a closed environment?This article is going to address the issues home devices face and possible ways to prevent cyber attacks and/or hacking.
Dispensing for IoT Medical Devices Cyber Security
The number one concern of healthcare professionals looking at and addressing potential problems is the HIPAA. This protection act of 1996 means patients under the care of physicians have a reasonable expectation of privacy and are protected under a patient/medical professional relationship. IoT’s are free from human intervention by and large.
This means the patient carrying the device is completely removed from interacting with it on any level. Most of the IoT medical devices are used strictly for monitoring, data collection and medical dispensing. They are passive because the medical professionals are looking for a true a baseline as possible and is only effective when the patient is at ease with or completely unaware of the device. This lack of concern in cyber security for medical devices is the problem.
ISSUES AT STAKE
The information transmitted, no matter how insignificant at the time, could be used to gain identity information. The IoT’s are often coded to the patient with a name, number and medical coding information. All that would be needed is access to the information on the device, and personal, private information is available. This includes social security numbers, medical information and possible fiscal information to boot. This compromised information is enough to wreak havoc on a medical practice, hospital or medical equipment distributor – if not all of them in conjunction – all because of a HIPAA violation.
Solutions for IoT Medical Devices Cyber Security
While computers have software to keep them from attacks, these medical devices do not. There is scant little that can be done if malfeasance is intended. A skilled and determined computer hacking specialist with the understanding of IoT’s can quickly and easily undermine its basics. Doing so would cause serious issue with the medical professional monitoring the patient and for the patient, who could, as a result, receive incorrect treatments and/or medications. Unable to track the information back to a source, this could potentially open a flood of medical malpractice suits, and there would be little the medical professional could provide as a substantial defense.
Medical administration in conjunction with information teams and network security specialists should realize there needs to be a move from the “Internet of Things” to “Security of Things” to protect themselves, their practices and patients from hacking. There are a few things that could be considered.
Safe and secure encryption should be on the forefront. As more and more medical practices move from paper to online and cloud patient records, the same can be said for IoT’s. Signed contracts with network encryption professionals about software and the devices themselves should be a first step. Each contract to include audits, verifications and regular testing to ensure the validity and security of the data on the IoT.
A Holter monitor is one of these IoT’s. Its purpose is to collect a 24 hour EKG for cardiac patients in various settings for the best possible heart function in normal settings. The contract should provide for each device to collect only the necessary information and nothing more. Systems that download, read or output the information is additionally a part of the contract.
To address needed IoT medical devices cyber security, the device should be built in a such a way that any tampering of any sort is quickly noticed and/or built in such a way that the device immediately informs the medical professionals. Patient contracts protecting the device is also a sound idea.
The physical security of the device itself also should not be overlooked. The device should be configured to prevent data storage media from being accessed or removed, and the device itself should not be easily disassembled. In short, building a strong security to protect data during transmission is undercut if the data can be removed from the device itself.
No one but a medical professional can dispense medical advice, so only those who will be reading the results need access to the data contained thereon. All information should only be retrieved under a secure server under select passwords. Focusing on cyber security for IoT medical devices, only the absolutely necessary individuals outside of those interpreting the data need access to any element of the entire procedure.
Proper training for every step only makes sense. All medical professionals are bound under an ethics code with severe penalties for infringement.There have not yet been any serious attacks on medical IoT’s.
When will it happen is the question. Ideally, every possible step should be covered; however, there is no guarantee of anything until an attack.
What are your thoughts and opinions on the issue of IoT medical devices cyber security, and what steps in addition to those mentioned would be a necessary part?