Introduction
The theft of healthcare data accounted for almost half of major data breaches as
reported in 2016. Healthcare records contain a wealth of information that is useful to a hacker in the form of Personally Identifiable Information (PII), a golden reward for cyber criminals. In addition, the healthcare sector has compliance demands that require the generation and retention of records and must sustain
protection of privacy rules that long predated the concerns of the digital age. As a result, the healthcare industry has become a target for cyber-criminals. Even if the PII is not valuable on its own, it can be used to correlate information from other sources to identify individuals, their identity information, credit card numbers and transactions, other financial information including bank account numbers, and so on, giving cyber-criminals a golden opportunity to commit identity theft or launch a malicious attack.
The industry itself is in the transition from paper to digital records, and although there has been a big push to make that transition, security guidelines are not yet up to the demand. In addition, a new risk has appeared: the increasing numbers of networked devices – especially the lifesaving, important, medical devices – that use the internet to monitor, collect or send information in order to work their miracles.
Risks
Healthcare providers, whether hospitals, doctors’ offices, or insurance companies, collect and maintain an enormous amount of data, which has to be carefully managed and protected. In addition to all the other risks that big data entails, the healthcare industry has some added concerns in the form of legal compliance, privacy regulations, long supplier chains, and urgency of data access. In addition, when a nurse or doctor is dealing with a patient’s immediate health issue, IT policy is going to rank second to the care of the patient.
Other risks include
- The Affordable Care Act (ACA), by its reliance on the internet and by expanding the healthcare provider circle to include the government, is perceived to be a source of increased risk.
- Accountable Care Organization (ACO) participation is also seen as increasing risks because attaching to a larger organization means that the exchange of patient health information among participants necessarily increases.
- Health Information Exchanges (HIEs), where healthcare information is exchanged electronically across organizations within a region, community, or hospital system, is intended to help healthcare providers have access to important patient information – but again, simply through the exchange of information, such networks put that information at risk.
- As part of the digital evolution, patients now want to communicate with their healthcare providers via email, which is notoriously one of the riskiest activities on the Internet. Agari, creators of the quarterly Email Trust Index, found that healthcare performed worse in email security than any other industry in the survey. They examined 6.5 billion emails daily from eleven industries, including retail, travel, and the financial industry, to identify who was being targeted by cyber criminals, and which companies were most proactive in trying to prevent security breaches. Of the fourteen healthcare companies reviewed, thirteen were considered to have failed in basic protection and were considered “critical” by Agari.
- Mobile apps and websites have begun to play a large part in doctor-patient interactions. Apps provide convenient ways for healthcare providers and patients to exchange information and engage with each other. But speed and convenience come at a cost: attacks on mobile devices are increasing, and these apps are very hackable. Potentially, they can introduce a door into an organization’s networks and systems, risking data theft, loss, or tampering. According to Arxan's State of Mobile App Security, 90% of Android Healthcare/Medical apps have been hacked, 22% of which are FDA approved.
- Healthcare organizations rely greatly on third-party service providers. These third parties must be aware of and able to meet the increased security requirements for healthcare organizations and understand the compliance rules.
- Digital patient profiles are becoming more widespread – profiles which, if stolen, can provide cybercriminals with a huge payday.
- As in most industries, the greatest security threat comes from people inside the organization – either that with access and motivation to harm the organization, or through carelessness and lack of attention to security policies. Negligence is the biggest challenge, and as the use of personal devices in the workplace increases so does the opportunity for exploiting the complaisance or carelessness of employees.
- More and more healthcare information is stored or is passed through the cloud at some point in its lifecycle. While the cloud can offer a great deal of security, because cloud service providers must be able to offer a secure environment, a lack of attention to that issue in the cloud can increase rather than decrease vulnerability.
For any organization, security is only as strong as the weakest link, which in healthcare could be a single practitioner in an information exchange network, a service provider like a courier or business analyst, or a partner organization with less stringent security policies. However, in the healthcare field, one of the greatest risks, and the one which is growing at the greatest pace is the risk incurred by the Internet of Things.
The Coming Risk - The Internet of Things
The Internet of Things is the term for devices that are connected to the Internet – whether it’s your refrigerator, your watch, your environmental controls, industrial machines checking in for routine maintenance, or any other device that gets or reports information over the Internet. From devices that use a network time server for their LED clock to equipment that interacts constantly with the Internet like your insulin pump, more home devices besides your personal computer are making contact with the Internet. Tales of people hacking your refrigerator can be amusing, but the possibility of having your pacemaker hacked doesn’t count as funny.
Security experts realize that the more devices that hook up to the Internet, the more difficult it is to identify legitimate vs illegitimate traffic. Instead of the Internet relying on only a handful of protocols, each device type will bring along its own protocol, again complicating the issue of identification. Every connected device provides another attacking opportunity.
Medical devices are not built with security in mind, so security experts have been able to turn up a number of bugs and vulnerabilities in medical equipment that could be exploited by attackers.
In October of 2014, it was reported that the U.S. Department of Homeland Security investigated around two dozen cases of doubted cyber security weaknesses in medical equipment. The agency has dedicated support to investigate industrial hacking, called the Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT. Among the devices that were investigated at that time was an infusion pump from Hospira, Inc., and implantable heart devices from Medtronic, Inc., and St. Jude Medical, Inc.,
While no individuals have been attacked through their medical devices as yet, the agency’s concern is that it is possible to do so, and this can have serious implications for the future as we become more reliant on interconnected medical devices. Threats to these devices can be due to human error, virus infections, or cyber-attacks by experienced criminals or terrorists.
As a result of the DHS investigation, the FDA published new guidelines for the safety of medical devices, but the guidelines are not yet comprehensive; they focus more on validating the safety inherent in the software than on concerns about cybercrime.
At the University of Texas MD Anderson Cancer Center, the center’s chief information security officer will ensure that all medical devices will be tested to ensure they conform to security requirements before they can be attached to the hospital's network. Although an organized attack on a hospital’s devices is a terrifying thought, most healthcare organizations are not accustomed to thinking about security to that degree. The future of healthcare will have to incorporate protections not only for patient information and privacy but for networked devices and equipment which are becoming increasingly common and necessary.
Protection Mechanisms
Some recommendations can help healthcare organizations prepare for the security threat that comes with increasing reliance on a digital environment,
- Healthcare organizations should appoint a chief security officer whose background is the security rather than healthcare, instead of relying on consultants or internal committees, or even an internal IT department.
- Use digital certificates for the Healthcare IoT network's security, which will establish trust using authentication and encryption technology to secure all communications within the network.
- Create data governance policies intended to safeguard devices and data.
- Ensure third-party suppliers and partners can manage, store, and use personal healthcare data in a way that meets all security and privacy responsibilities.
- Consider migrating to the cloud, and utilizing the security expertise of the cloud service provider.
- Ensure security measures do not add time to procedures, or they will be set aside in favor of the patient’s immediate health concerns. No matter how complex the security requirement, it must be made simple for the users to implement.
- Ensure devices meet security standards before connecting them to hospital systems.
- Use open standards such as DMARC (Domain-based Message Authentication, Reporting, and Conformance) to have a tool to safeguard your organization’s email from spoofing.
- Ensure employees know and understand what policies and procedures are in place, from email to medical devices.
Conclusion
In any new technology, there are people with the knowledge and motivation to exploit it for personal gain, or even just for kicks. However, that has never been known to stop technology! Even knowing these risks, the benefits of being able to use the vast power of the Internet, including the data-crunching abilities of cloud computing, make this next step in medical evolution inevitable.
A networked health system can provide better, faster, more complete care for a patient, and can make the difference in life or death situations. Internet-driven devices can be smart, interactive devices that are proactive in patient care. These are not opportunities to walk away from. But it is necessary to ensure there will be security sufficient to prevent privacy breaches, failures of compliance, and – possibly most of all – to ensure the integrity of network-dependent medical devices.