Yesterday morning I was doing some work on a health care procurement tool, and I received an email that contained an article about medical device cybersecurity. My face lit up - I was surprised to see it, but happy to see it at the same time.
I found it in a supply chain publication. Who knew? Sure, most of you don't read supply chain emails on a regular basis...I get that.
But this showed me that the topic is getting more mainstream, which made me happy.
Here's the piece: Cybersecurity and Medical Devices - Tackling risk calls for a team approach.
I got 6 takeaway points from the piece:
1. Breaches are possible from outdated systems.
Several different types of flaws can impact medical devices and equipment, and not always in the expected ways. For instance, there’s the accidental breach, in which a piece of malware inadvertently gets transferred to a device.
“In this case, it’s not intentionally trying to cause harm,” says Fu. “It doesn’t necessarily hurt anyone; you just might not be able to use the device.”
He says devices most at risk are those running outdated operating systems like Windows XP. Since security updates are no longer available, Fu says more recent malware five to 10 years old has no trouble getting in.
Keeping technology current is key. However, in health care, that's typically not a priority. Security, yes. Being current - not particularly. With that said, this is a very strong case for any organization to keep their systems on more recent AND current versions of software.
2. We need IT security training for health care professionals.
“It begins with good hygiene,” he says. “Any clinician knows how to properly wash his or her hands, but when it comes to cybersecurity, there’s a lack of awareness about how things spread.”
Fu uses the example of plugging unverified USB drives into medical devices, a common practice that provides an easy entry point for malware.
“You can do all the work you want on a medical device, but it doesn’t mean a thing once people start plugging them together,” he says.
Those of us who work in IT know what's safe and what can be challenging. We know how viruses and malware travel and how they attach to files. This is a strong case for health care professionals to be trained in IT security. Not in the details - just in general. We are in a world where our lives are so intertwined with technology that we forget it's technology - we just use it.
And we need to remind ourselves from time to time what the technology is and how we can use it in a more secure way.
3. We need to understand what's at stake if there is a breach - accident or not.
With no guarantee that medical devices are free of vulnerabilities, it’s up to hospitals to enact additional controls. Flawed medical devices, improper use and even network vulnerabilities have the potential to compromise not only patient health, but also the organization as a whole.
Just ask Frank Platt, a Nashville-based information security consultant and Certified Information Security Systems Professional (CISSP).
“If there’s a breach, and personal health information gets out, you’ve now got a serious HIPAA violation. That can mean huge fines and criminal penalties, even jail time,” he says.
HIPAA violations are a HUGE DEAL. Just hearing that word makes me cringe. And would make me put this as an organization priority.
We need to keep this top of mind when working on medical devices - how someone could make their way through a hospital IT system. Most of this could be fixed through education and IT safety/security practices.
4. Stop the silos.
“Siloing is a huge stumbling block when it comes to security,” Platt says. “People don’t always want to give up information, and it becomes an issue because not everybody is forthcoming about what they’re trying to accomplish.”
IT needs to educate the health care professionals about basic security. Biomedical teams need to educate the IT staff about how these devices really work. We need to be a team.
This is a challenge in any industry, but with health care, the stakes are high (HIPAA).
5. Which leads to - solid security takes a village.
Management controls include things like planning and risk assessment, a crucial part of identifying vulnerabilities. Operational controls, on the other hand, help ensure internal procedures contribute to overall security.
Platt uses an example of how human resources policies can create risk for an organization. If there’s no process informing IT of role changes or terminations, hospitals can easily end up with a whole list of outdated login accounts that haven’t been accessed for months.
“If I’m a hacker, the first thing I’m going to do is figure out how to access that list and take over one of those accounts,” Platt says. “And there’s no technology in the world that’s going to tell you it’s happening, because it’s a legal account they’re using.”
This gets back to training and awareness of the implications of doing or not doing something. In this case, taking over a legitimate account could be nearly untraceable at first. And this is a result of siloed behavior. We need to come together as a village to have secure systems and prevent cybercrimes.
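The stale-account risk Platt describes is exactly the kind of thing a simple reconciliation catches: compare the directory's account list against the HR roster and flag anything HR won't vouch for. The script below is an added example, not from the article or any hospital's tooling; the account list, HR roster and "today" date are all constructed.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): an export of the hospital's
# login accounts, and the HR roster that is supposed to drive them.
ACCOUNTS = [
    {"user": "jsmith",   "enabled": True,  "last_login": date(2024, 5, 2)},
    {"user": "mchen",    "enabled": True,  "last_login": date(2023, 11, 14)},
    {"user": "rpatel",   "enabled": True,  "last_login": date(2024, 4, 28)},
    {"user": "svc_pacs", "enabled": True,  "last_login": None},
    {"user": "tlopez",   "enabled": False, "last_login": date(2023, 8, 1)},
]
HR_ROSTER = {
    "jsmith": "active",
    "mchen": "terminated",   # HR knows; IT was never told, account still enabled
    "rpatel": "active",
    # "svc_pacs" has no HR record at all (orphaned or unowned service account)
    "tlopez": "terminated",  # already disabled, so nothing to flag
}
AS_OF = date(2024, 5, 10)  # constructed "today" so the run is reproducible

def find_risky_accounts(accounts, hr_roster, today, dormant_days=90):
    """Return {user: [reasons]} for enabled accounts that HR does not vouch for
    or that nobody has used within dormant_days."""
    findings = {}
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; an attacker cannot log in with it
        reasons = []
        status = hr_roster.get(acct["user"])
        if status is None:
            reasons.append("no HR record (orphaned or service account)")
        elif status != "active":
            reasons.append(f"HR status is '{status}' but account is still enabled")
        if acct["last_login"] is None or acct["last_login"] < cutoff:
            reasons.append(f"no login in the last {dormant_days} days")
        if reasons:
            findings[acct["user"]] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in find_risky_accounts(ACCOUNTS, HR_ROSTER, AS_OF).items():
        print(f"{user}: {'; '.join(reasons)}")
```

Run on a schedule, the output is the "list of outdated login accounts" Platt warns about, surfaced before someone else finds it.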
6. Again - focus on protecting patient info
“It’s a pretty expensive control. It doesn’t necessarily eliminate the ability to get into a specific medical device, but it does protect patient information,” he says.
HIPAA should be the main concern, and not just because a breach can have major implications. The biggest challenge with cybercrime is that the average person doesn't think like a criminal. I tell this story often, because it perfectly illustrates how criminals think.
As I sat next to this criminal psychologist on the plane and asked him how criminals saw the world, he told me, "You walk past a Macy's and wonder what's on sale. A thief walks past Macy's and wonders what's in there to steal."
What could these criminals do with HIPAA data? We don't know because we don't think the way they do. I'm sure they have thought of some use that's twisted that most of us would never consider.