The quickest way for hackers to harm a health care provider organization is to target patient information, and many of them target the databases that support electronic health records.
The Internet of Things has expanded the number of attack vectors against the operations of hospitals, doctor’s offices, outpatient centers, and other facilities. It also creates a direct risk to patient care.
Phones, tablets, connected medical devices, and other technologies provide a side door for hackers to infiltrate networks. With many devices running outdated operating systems, patients face a unique vulnerability in that a hacker could interfere with treatment.
Many devices, such as pacemakers or implantable devices that deliver micro-shocks to the brain to treat Parkinson’s disease or other neurological disorders, are controlled by mobile apps that allow doctors to adjust treatment without resorting to surgery. That convenience trades the risk of surgery for the risk of a hacker tampering with the treatment.
Updating the security of these devices could require an entirely new FDA approval, a lengthy and expensive process. Some of these organizations are taking a wait-and-see approach to security, but that approach leaves potentially huge vulnerabilities and liabilities unaddressed.
To help CISOs, CIOs, and other health security leaders address these issues, Healthcare IT News interviewed Edward L. Goings, national pillar leader for cyber response services and global incident response leader at KPMG Global. Goings discussed the risks inherent in the Internet of Things, whether hackers can break in through implantable devices and the like, and what needs to happen to ensure security is maintained.
Q. The Internet of Things has increased the number of attack vectors to penetrate healthcare provider organizations and this can put patient care at risk. Please detail this threat.
A. The Internet of Things exponentially increases the number of access points for hackers to infiltrate systems. The availability of WiFi creates an open field for hackers to see what types of networks are available and what devices are connected. More connected devices are being used in care delivery, but they are designed for efficiency rather than safety.
Additionally, IoT is an important part of remote monitoring to help alert clinicians to key indicators of how well a patient is managing their chronic conditions. Unfortunately, many connected devices use operating systems that are more than a decade old, making them outdated when it comes to security.
The Internet of Things in a medical environment can be immensely useful, for one thing, but cybersecurity risks need to be addressed in the design of these products.
Q. Many devices are controlled by mobile apps that allow doctors to adjust treatment. Can hackers get in?
A. Yes. A patient in a hospital bed may have multiple remote monitoring devices, as well as connected devices that are implanted in the body, such as a pacemaker.
Medical device manufacturers are trying to do the right thing when it comes to allowing doctors to adjust the function of devices through an app, rather than resorting to re-surgery to implant a new device. It is much more convenient for the patient and there is less risk of causing further harm, such as infection.
However, it is conceivable that a bad actor could infiltrate the devices and disrupt overall function, whether the device is affecting heart rhythms, monitoring medication delivery, or transmitting a patient’s vital signs to a nursing station. The hacker can fool a doctor with a misdiagnosis and then ineffective or dangerous treatment.
Some of the devices may be involved in delivering small shocks to the brain to treat Parkinson’s disease or small shocks to the heart to moderate the heart rate. There are a number of devices that are also involved in drug infusion. Apps are an important part of diabetes management, and that has its own set of disease management problems, as poor medication management can lead to emergency room visits.
The questions would certainly relate to the motive for targeting patients, but the question remains what kind of risk or liability would be placed on the manufacturers of the medical devices.
Q. You have said that upgrading the security of IoT devices could require an entirely new approval from the FDA. Will this happen? And what is the danger that hospitals are waiting for this to happen to take action?
A. Medical device manufacturers have been taking a wait-and-see approach to addressing safety. Developing a medical device is an expensive process. Even updating the safety of the underlying software would require new studies to include in a new submission to the FDA. Some of the reluctance to go through this process on the part of medical device manufacturers is understandable.
Device updates or upgrades provide the opportunity to build security features into the design of connected devices as they undergo clinical trials. The question boils down to risk while older products are available and the gap before safer products can undergo studies and be ready for market.
If a product turns out to be pirated and poses security concerns, it could be catastrophic for smaller medical device manufacturers and extremely costly for large device companies. The risk health care providers face is a bit different from that faced by a device manufacturer, but a patient’s attorney may try to include a hospital in a lawsuit if it is determined that the hacker infiltrated the device through its IT systems.
Q. What are some of the ways that CISOs and CIOs of healthcare provider organizations can take action today to protect their IoT devices?
A. Health care providers are some of the best at workplace hygiene, given its importance. Applying the same standards to technology would go a long way toward prevention.
They must understand that bad actors can and will try to attack any weakness. Access management is one area that can help contain potential damage from bad actors. In health care, we don’t want to hinder access to information that saves lives.
With IoT, we connect to clinical applications and systems, but they need to connect to only minimal parts of the network where they need to work. Most of the healthcare IT infrastructure is focused on the wide web of things. From a security perspective, they are really great for penetration testing and red teaming against the main network.
IoT devices used in and for patients are critical, but it’s important not to overlook life-saving devices in the hospital. Most of the time, these devices are connected to the general network via WiFi and Bluetooth, and often run on older operating systems.
Attackers have started targeting these devices as network entry points, as they often do not have endpoint protection. Vendors need to focus on security testing at the IoT level. If devices cannot have endpoint security, providers must isolate devices on a separate network that has tighter security.
Information security teams should perform compromise assessments of these devices at a more frequent interval. Whenever possible, operating systems should be upgraded to a supported operating system that you can use [for] endpoint protection.
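The controls Goings lists in the last three answers (upgrade to a supported OS that can run endpoint protection, isolate devices that cannot run it on a separate, tighter network, and run compromise assessments on a regular cadence) can be turned into a repeatable inventory check. The script below is an added example written for this page; it is not code from Healthcare IT News or KPMG. The device records, network segment names (`hospital-general`, `medical-isolated`) and the 90-day assessment interval are all constructed assumptions for the illustration.

```python
"""Triage a constructed inventory of connected clinical devices against three
controls: supported OS, endpoint protection or isolation, and assessment cadence.
Added example; not from the interview or any vendor's tooling."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Device:
    name: str
    os: str
    os_supported: bool          # vendor still ships security updates for this OS
    endpoint_protection: bool   # an EDR/AV agent is installed and running
    network: str                # segment the device is attached to
    last_assessment: date       # date of the last compromise assessment


# Assumed segment names (hypothetical for this example).
GENERAL_NETWORK = "hospital-general"
ISOLATED_NETWORK = "medical-isolated"

# Assumed review cadence for compromise assessments.
ASSESSMENT_INTERVAL = timedelta(days=90)

# Reference date used for the sample run below.
AS_OF = date(2019, 6, 1)


def triage(devices, today):
    """Return {device name: [recommended actions]} for devices needing work."""
    actions = {}
    for d in devices:
        todo = []
        if not d.os_supported:
            todo.append("upgrade to a supported OS that can run endpoint protection")
        # A device with no endpoint protection must not sit on the general network.
        if not d.endpoint_protection and d.network == GENERAL_NETWORK:
            todo.append(f"move off {GENERAL_NETWORK} to {ISOLATED_NETWORK}")
        if today - d.last_assessment > ASSESSMENT_INTERVAL:
            todo.append("compromise assessment overdue")
        if todo:
            actions[d.name] = todo
    return actions


def exposed_devices(devices):
    """Devices that match the entry-point pattern described above: no endpoint
    protection and reachable from the general network."""
    return sorted(d.name for d in devices
                  if not d.endpoint_protection and d.network == GENERAL_NETWORK)


# Constructed sample inventory (names, OS versions and dates are made up).
INVENTORY = [
    Device("infusion-pump-07", "Windows XP Embedded", False, False,
           GENERAL_NETWORK, date(2018, 11, 1)),
    Device("telemetry-gw-02", "Linux 5.x", True, True,
           GENERAL_NETWORK, date(2019, 5, 2)),
    Device("imaging-ws-11", "Windows 7", False, False,
           ISOLATED_NETWORK, date(2019, 4, 20)),
    Device("vitals-monitor-21", "vendor RTOS", False, False,
           GENERAL_NETWORK, date(2019, 3, 1)),
]


if __name__ == "__main__":
    print("exposed on general network:", exposed_devices(INVENTORY))
    for name, todo in triage(INVENTORY, AS_OF).items():
        print(name)
        for item in todo:
            print("  -", item)
```

Run as-is, the script flags the two unprotected devices on the general network for isolation, marks every unsupported OS for upgrade, and reports the two devices whose last compromise assessment is older than the assumed 90-day window. Feeding it a real asset inventory is the point: the same three rules give security teams a standing list of which devices to isolate, upgrade, or re-assess first.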
Healthcare IT News is published by HIMSS Media.