Medical devices improve and save lives, but security risks around them are increasing, putting patients and providers at risk
Medical devices help improve patient outcomes and can save lives, and dozens of new technologies are approved by the U.S. Food and Drug Administration (FDA) each year.
However, the increasing availability and use of medical devices is also leading to increased security risks. Additionally, not only are more medical devices becoming available, increasingly hackers and others intent on doing damage are developing more ways to access them, often through technology—and they are becoming more determined and sophisticated in their efforts.
What’s the incentive? Accessing a medical device gives thieves an array of information and options:
- Access to protected health information (PHI). Some estimate that having PHI is 10 times more valuable than credit card data. PHI also has a longer shelf life than credit cards, and correcting or purging fraud is more challenging with medical records than with credit cards.
- The ability to cause physical harm to a patient.
- Illegal and bogus treatment by corrupt providers or fake clinics.
- Purchase of drugs for use by addicts or resale.
- Obtaining free treatment by impersonating a health plan member.
Here are examples of some of the most vulnerable devices, and how thieves and others can access them and other related equipment in order to put patients and providers at serious risk:
- Drug Infusion Pumps: These medical devices, which are most often used to deliver morphine drips, chemotherapy and antibiotics, can be accessed remotely, then manipulated in order to change the dosage delivered to a patient.
- Implantable Cardiac Defibrillators: Many are Bluetooth-enabled, and if that Bluetooth is hacked, someone intent on doing harm can deliver random shocks to a patient’s heart, or they can stop a medically needed shock from occurring.
- X-Rays: Hackers can access a hospital’s network to damage or manipulate x-rays.
- CT Scanners: Hackers can alter configuration files and change the amount of radiation patients receive.
- Refrigeration Units: Temperature settings can be deliberately reset, in order to cause blood or drugs to spoil
- Electronic Medical Records: Can be altered, causing clinicians to misdiagnose, administer improper care or prescribe the wrong medications.
Damage Continues, Even After a Security Breach
Plus, if a security breach occurs and PHI is stolen or a patient is harmed, the healthcare organization can suffer near catastrophic damage, as HIPPA or other federal and state regulators step in to impose fines and lawyers appear to file lawsuits.
How to Begin Strengthening Security Around Medical Devices and PHI
Fortunately, there are steps a hospital or healthcare organization can begin taking today to strengthen their security around medical devices, as well as overall security related to PHI. They include:
- Inventory your medical devices
- Perform a risk analysis—and ensure it is a continued process
- Identify administrative weaknesses
- Document your policies and procedures
- Identify physical threats
- Identify and mitigate technological threats
- Build your circle of trust
- Create corrective action plans
Using VDI is One of the Best Ways to Reduce Threats Related to Medical Devices
One of the best ways for a hospital or other healthcare organization to begin to reduce medical device-related security risk is to adopt a virtual desktop infrastructure (VDI). VDI allows clinicians to securely access files, data and applications related to medical devices that are hosted on remote servers. VDI is a proven way to quickly and securely deliver applications and provide access to healthcare systems, enhancing a user’s experience and cutting costs. Cloud-based VDI has emerged as an attractive alternative to hosted on-premise VDI implementations as VDI removes the security risk resulting from lost or stolen devices.
Advantages of Cloud-based VDI
Until recently, most healthcare organizations hosted their own IT infrastructure, including client/desktops. While giving organizations control over their infrastructure, applications and information, this approach is expensive to install, manage and upgrade.
On-premise VDI removes some level of that work by eliminating the need to manage patches, upgrades and security for endpoint devices. In some cases it also extends the life of those assets since users don’t need the latest and greatest computing devices to work in a VDI environment. Yet IT is still responsible for managing the infrastructure itself – including security, which is critical in healthcare.
To save time and cost, many organizations have migrated to a cloud-based VDI – specifically Desktop-as-a-Service (DaaS) – as an attractive alternative to hosted on-premise VDI implementations. By placing VDI in the cloud, a service provider takes on the responsibility for all operational requirements, including management and maintenance of the VDI infrastructure. Thin clients are used to connect end-users to all cloud-based services.
VDI Enhances Security with Medical Devices
A cloud-based VDI approach typically is sufficient to mitigate security risks inherent in medical devices. Moving the client/desktop infrastructure to the cloud places all patient information behind an encrypted and highly available firewall. Healthcare data, however, must have additional security in order to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA). Healthcare organizations considering a move to a cloud-based VDI should ensure that the security measures provided by the partner meet HIPAA requirements.
With proper security measures in place, VDI can without question improve security on the user end without IT having to secure each individual device. With cloud-based VDI, when clinicians use medical devices – they click on a desktop icon and instantaneously receive a virtual desktop running in the cloud. PHI is kept safe behind the data center firewall, and organizations are able to more easily meet compliance requirements.
The enablement of telehealth through medical devices is a major force in managing costs and improving patient outcomes. The use of cloud-based VDI can play a key role in increasing provider productivity while mitigating growing risks of HIPAA violations and other regulatory compliance concerns.
About the author
Matt Ferrari is a skilled technology veteran with more than a decade of success delivering managed hosting and secure cloud-based computing to companies around the world. As Chief Technology Officer (CTO), he is responsible for the strategy and execution of ClearDATA’s healthcare technology platform and services. In this role he oversees Engineering, Product Management and back office systems.
Matt’s HIPAA and HITECH expertise, combined with his extensive understanding of Cloud Storage and Disaster Recovery, make him uniquely qualified to build healthcare storage environments for organizations that require a high degree of scalability, data security, and regulatory compliance.