Medical devices have unprecedented power to save lives. Yet, as promising as these devices are for medicine, they open up a whole new frontier for cybercrimes.
Personal harm to a patient
While unlikely, the risk of severe physical harm to a patient, up to and including homicide, can be very real when medical devices are left unprotected. A widely-discussed Essentia Health study revealed that hospital equipment was shockingly vulnerable to hacking, including:
- Infusion pumps. These devices can be remotely accessed and manipulated to change dosages.
- Imaging equipment. Hackers can alter configuration files for radiography and CT machines to change the amount of radiation patients receive, or to manipulate results.
- Implantable cardiac defibrillators. Many defibrillators are Bluetooth-enabled, which gives someone intent on doing harm the opportunity to deliver inappropriate signals to a patient’s heart, or to stop a medically needed shock.
- Refrigeration units. Temperature settings can be deliberately reset in order to cause blood or drugs to spoil.
Medical device security risk
Some estimates say that protected health information is 10 times more valuable than credit card data. With data warehousing, siloed data from medical devices are now aggregated and more valuable. Add to that the fact that the 10 largest medical device companies worldwide have annual revenues of $10-20 billion, making them high-profile targets for cybercriminals.
Medical devices now feed information into electronic health records. If a hacker gains entry to the device, they can cause inaccurate information to be sent to the electronic records, causing clinicians to misdiagnose, administer improper care or prescribe the wrong medications, among other potentially fatal errors.
Damage continues, even after a security breach
Picture the fallout to a health care organization, medical device manufacturer or software company if a patient is harmed via a medical device hack. After considering the most important impact, which is the health of the patients, the aftermath could be near-catastrophic financially as well, with federal and state regulators stepping in to impose harsh fines. Providers can also count on plaintiffs’ attorneys presenting their demands. To prevent a breach, a comprehensive security, privacy and compliance plan needs to be in place.
Facilities should inventory all medical devices, perform a risk analysis (and make it a continuous process), identify administrative and operational weaknesses and document policies and procedures related to device procurement, implementation and maintenance. They should also identify physical and technological threats and work to mitigate them. It’s important to build a circle of trust and create corrective and proactive action plans that include a multi-layered approach to protecting data that addresses devices (both mobile and medical), physical storage, network infrastructure, and application, server, data and user security.
Certified health care security and privacy consultants can help if an institution does not have the time or expertise to take on the security review and roadmap. There are also excellent resources, such as those published by the United States National Institute of Standards and Technology (NIST), that recommend ways to evaluate and secure information technologies. Many of the mitigation steps are common sense, yet often ignored. Simple steps include removing default passwords such as ‘admin’ and adding encryption and strong authentication.
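The inventory and risk-analysis steps above can be run as a repeatable check. The following is an added example, not part of the original article: it audits a constructed device inventory for default credentials, missing encryption, weak authentication and stale patches. The column names, class weights and the 180-day patch threshold are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; column names and values are assumptions.
INVENTORY_CSV = """device_id,device_class,default_credentials,encryption,auth,last_patched
pump-01,infusion_pump,yes,none,password,2023-01-10
ct-02,imaging,no,tls,password,2024-05-01
fridge-03,refrigeration,yes,tls,none,2022-11-20
pump-04,infusion_pump,no,tls,mfa,2024-06-15
"""

# Assumed patient-safety weight per device class (classes from the article's list).
CLASS_WEIGHT = {"infusion_pump": 3, "imaging": 3,
                "cardiac_defibrillator": 3, "refrigeration": 2}
MAX_PATCH_AGE_DAYS = 180  # assumed policy threshold


def findings_for(row, today):
    """Return the list of weaknesses found in one inventory row."""
    issues = []
    if row["default_credentials"].strip().lower() == "yes":
        issues.append("default credentials still set")
    if row["encryption"].strip().lower() == "none":
        issues.append("no encryption")
    # Password-only access is treated as not strong (assumption).
    if row["auth"].strip().lower() in ("none", "password"):
        issues.append("no strong authentication")
    age = (today - date.fromisoformat(row["last_patched"])).days
    if age > MAX_PATCH_AGE_DAYS:
        issues.append(f"last patched {age} days ago")
    return issues


def audit(csv_text, today):
    """Score every device; return (device_id, score, issues), highest risk first."""
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = findings_for(row, today)
        weight = CLASS_WEIGHT.get(row["device_class"], 1)  # unknown class: weight 1
        report.append((row["device_id"], weight * len(issues), issues))
    return sorted(report, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for device_id, score, issues in audit(INVENTORY_CSV, date(2024, 7, 1)):
        print(f"{device_id:10} score={score:2}  {'; '.join(issues) or 'no findings'}")
```

Running it on a schedule against the live inventory export turns the risk analysis into the continuous process described above.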
A security stronghold: cloud-based health data management
Until fairly recently, most medical devices have been managed within local hospital departments. In order to improve consistency and reduce costs, current trends are moving toward more centralized IT management of medical device data.
A growing number of hospitals don’t want to take on this responsibility in-house, as it puts further pressure on already strained IT personnel. Accordingly, many organizations have migrated to cloud-based medical device data repositories, where patient health information (PHI) is encrypted and kept safe behind the data center firewall, and organizations are able to more easily comply with constantly changing regulations.
The cloud service provider takes on the responsibility for operational requirements, including management and maintenance of the IT infrastructure. Needed security patches and upgrades that often go unperformed in organizations with disjointed systems and facilities are now regularly scheduled, along with other proactive security measures.
There’s also the additional advantage of hosting data in “the cloud” — or online — as clinicians frequently need 24/7 access to a patient’s data from multiple locations, not just during their shifts at the hospital. Hackers with intent to harm a patient — or a hospital or medical device company’s reputation — can use unsecured medical devices as an access point. However, with the right cloud service partner, hospitals can manage costs, improve patient outcomes, and rely on the increasing interoperability of medical device data as a power for good, not evil.
About the author: Scott Whyte, Advisor and Former Chief Strategy Officer at ClearDATA, is a veteran health IT leader, with more than 25 years of experience serving some of the nation’s largest providers and payors. At ClearDATA, he is responsible for driving innovation, growth, and strategic partnerships. Previously, he was vice president of IT at Dignity Health and vice president and CIO at Phoenix Children’s Hospital.