It has all the makings of a good spy novel. Hackers and terrorists find a weakness in medical devices implanted in patients, use the breach to infiltrate the highest level of data within the medical system, and do serious damage in a lot of ways. Not only can they access sensitive and sometimes top secret information, they have total control over life and death situations as well.
It may not be fiction at all.
Two years ago, 60 Minutes reported on a situation where Dick Cheney’s cardiologist ordered that his heart defibrillator’s wireless features be disabled back in 2007 for fear a hacker could penetrate the device and kill Cheney.
A few years later, security researchers began demonstrating how easy it was to hack into things like pacemakers, defibrillators, and insulin pumps. Health care providers and the FDA alike took note and started demanding change. But that hasn’t stopped the ever-growing interest hackers have in finding weak points and penetrating them.
In today’s world, the threat extends beyond taking control of a medical device to do patients harm. Hackers can now use a medical device such as a pacemaker or a defibrillator as an entry point straight into the provider’s network. This means hackers – whether a lone individual seeing what they can do, or an organized crime ring with hostile or terrorist goals – can exploit security vulnerabilities to gain unauthorized access to a provider’s systems. And once inside, they have access to medical information and financial information, and can do everything from disrupting service to committing fraud, injuring patients in the process.
As these threats become more of a reality, all medical practices, from the very largest hospitals down to the sole practitioner office, must take measures to ensure the safety of both their data and their patients.
Inventory and keep tighter controls on all devices
Rather than leaving medical device tracking up to individual offices and/or doctors, establish a centralized unit to inventory and track all devices and the data they handle. This inventory is essential in allowing IT to conduct routine security risk assessments as well as detect and analyze unknown risks.
Develop policies for medical device security
Health care personnel put in charge of procuring new medical technology often aren’t aware of the security risks these devices pose. To compensate, adding a security and privacy evaluation policy as part of the procurement process can help locate vulnerabilities before investing in the product. It is especially important to map out the data flow and understand where weaknesses lie along the path. Sometimes seeing where sensitive data is weakest can lead to fixing problem spots easily.
There are many people that have access to medical device data. Employees are your first level of access. They may access the system all day long for everything from patient files to billing information. From there, you may be outsourcing specific tasks for your practice, such as transcription services or medical billing tasks. Even vendors pose a risk when they provide third-party systems and programs that help you run a more effective office.
To ensure a breach doesn’t occur, it is important that sensitive data occupy its own place in the network, away from anything involved in daily operations or ongoing management of the organization. Data segregation is crucial in maintaining adequate protection of your most sensitive data. Close monitoring of vendor access is also a crucial requirement: modify and remove vendor programs and access once the vendor’s work is complete or you move to a new system.
The best place to start is to collaborate with the device manufacturers and learn all you can about the security features of the product. Many companies are now implementing their own cybersecurity controls, offering security updates, patches, and guidance as changes are made. Through collaboration, you can quickly apply these changes in-house and make your internal data less vulnerable to outside threats.
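The three recommendations above (a central device inventory that supports routine risk assessments, segregation of sensitive devices with vendor access removed when the engagement ends, and keeping firmware current with manufacturer patches) can be checked together from one inventory. The following is an added example written for this page, not code from the article or from any vendor; the segment name, device models, firmware versions and vendor accounts are constructed sample data, and the "latest firmware" table stands in for whatever patch guidance the manufacturer actually publishes.

```python
"""Routine audit of a medical device inventory (added example, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Assumption: sensitive clinical devices live on their own network segment.
SENSITIVE_SEGMENT = "clinical-devices"

# Hypothetical model -> latest firmware the manufacturer has published.
LATEST_FIRMWARE: Dict[str, str] = {"PaceMon-200": "3.2.1", "InfuseX": "1.9.0"}


@dataclass(frozen=True)
class Device:
    asset_id: str
    model: str
    firmware: str
    segment: str   # network segment the device is connected to
    owner: str     # department responsible for the device


@dataclass(frozen=True)
class VendorAccess:
    vendor: str
    asset_id: str
    account: str
    expires: date  # end of the vendor's contracted work


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '1.8.2' into (1, 8, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit(devices: List[Device], access: List[VendorAccess], today: date) -> List[Tuple[str, str]]:
    """Return (asset_id, finding) pairs for segmentation, patch and vendor-access issues."""
    findings: List[Tuple[str, str]] = []
    for d in devices:
        if d.segment != SENSITIVE_SEGMENT:
            findings.append((d.asset_id, "outside segregated segment"))
        latest = LATEST_FIRMWARE.get(d.model)
        if latest is None:
            # No manufacturer guidance on file: an unknown risk the inventory surfaces.
            findings.append((d.asset_id, "model not in vendor patch list"))
        elif version_tuple(d.firmware) < version_tuple(latest):
            findings.append((d.asset_id, f"firmware {d.firmware} behind vendor {latest}"))
    known = {d.asset_id for d in devices}
    for a in access:
        if a.asset_id not in known:
            # A vendor account pointing at an asset nobody tracks is itself a gap.
            findings.append((a.asset_id, f"vendor {a.vendor} account {a.account} on untracked asset"))
        elif a.expires < today:
            findings.append((a.asset_id, f"vendor {a.vendor} account {a.account} expired {a.expires}"))
    return findings


def run_sample_audit() -> List[Tuple[str, str]]:
    """Run the audit over constructed sample records."""
    devices = [
        Device("D1", "PaceMon-200", "3.2.1", "clinical-devices", "cardiology"),
        Device("D2", "InfuseX", "1.8.2", "office-lan", "pharmacy"),
        Device("D3", "TeleMon-9", "2.0", "clinical-devices", "icu"),
    ]
    access = [
        VendorAccess("Acme", "D2", "svc-acme", date(2015, 12, 31)),
        VendorAccess("Beta", "D9", "svc-beta", date(2016, 12, 31)),
        VendorAccess("Acme", "D1", "svc-acme-cardio", date(2017, 6, 30)),
    ]
    return audit(devices, access, today=date(2016, 6, 1))


if __name__ == "__main__":
    for asset_id, finding in run_sample_audit():
        print(f"{asset_id}: {finding}")
```

Run on the sample data, the audit reports nothing for D1, flags D2 for sitting on the office network, running old firmware and still carrying an expired vendor account, flags D3 because no manufacturer patch guidance is on file, and flags a vendor account on D9, an asset that is not in the inventory at all. The point of keeping the inventory central is that each of these checks is a few lines once the records exist in one place.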
Also realize that individuals working hard to exploit medical devices for their own gain have time and resources on their side. The only way to safeguard data is to pool resources throughout an organization and collectively address the security risks head on. If you would like to talk further about implementing safety procedures in your own practice, give us a call.