IoT – THE INTERNET OF THINGS
Our March issue focused on the burgeoning interconnectivity of medical devices on the hospital scene. Heart monitors, medical equipment, employees and patients are all candidates for apps that connect people to devices in the delivery of health care solutions … all targeted to better, faster and cheaper health outcomes.
And that’s where the issue of cybersecurity takes center stage. As with any technological innovations, there are risk factors associated with the rapid expansion of IoT in the medical field. It is incumbent upon IT professionals to be alert to the threats and diligent in orchestrating defenses. Cyber attacks will likely accelerate as there is more potential to steal sensitive health data … often viewed by the thieves as even more valuable than financial information that is the usual target of identity theft.
Hospitals that are victimized may be denied access to sensitive patient data. Patient privacy is invaded and healthcare staff is hamstrung in the absence of patient treatment and status records. People with serious health issues could be denied care.
The payoff for the bad guys is often data held hostage for ransom to be paid by the hospital to the bandits. Last year both Hollywood Presbyterian Medical Center and MedStar Health were victimized. The MedStar hack affected all 10 MedStar hospitals in D.C. and Maryland. Its approximately 250 clinics were hacked and paid significant dollars to the cyber-attackers.
As an example of the havoc this can cause, one spouse of a MedStar cancer patient reported her husband’s daily treatments were disrupted by the hack including cancellation of scheduled appointments.
Adam Vincent, CEO of the Virginia-based cybersecurity firm ThreatConnect commented on the MedStar cyber-invasion, “… they could pay the ransom and therefore get all their computers back immediately, or they could start the process of rebuilding their networks and their computers, which could take weeks, if not months.”
Those are tough alternatives … rebuilding networks which may mean shutting down many or all hospital facilities, or pay the ransom which sends the message that hospitals are willing to pay hackers to reinstate access to their data and computers.
What though would be the real-time impact of internet muggers taking control of medical devices that monitor vital signs and deliver drugs? Smart medical devices are more and more becoming the norm. And each has an IP address which raises the security stakes even higher. A cyber-assailant who successfully acquires the IP address, makes the device fair game for hacker control … and financial demands to back off.
That means that the IoT is something that will require increased attention by hospitals to prevent patients being denied critical monitoring or required medications. By 2025, according to a McKinsey report, remote monitoring with smart devices could create as much as $1.1 trillion a year in value by improving the health of people with chronic diseases.
So, adoption of IoT is on a fast-track. New networks are being introduced to handle the increased internet traffic driven by IoT – including that attributable to smart medical devices. The accelerating proliferation and interconnectivity of smart medical devices, with yet to be developed safeguards against hacking, are likely to become attractive targets.
Traditional technology networks are generally vulnerable and lucrative to attack. Small to medium-size hospitals are marked as primary ransomware targets because their security infrastructure is often lacking.
Refreshingly, hospital leadership is becoming more alert and responsive to beefing up their cyber-security and backup of files making it more difficult to be compromised. That will have a negative (positive!) impact of decreased profitability for cybercriminals.
Help and Guidance for Hospitals
Food and Drug Administration (FDA): The FDA issued a warning about hackable medical devices. The first device to receive such a warning is an infusion drug pump used by hospitals nationally. The Agency issued a safety notice that “strongly encourage[s]” hospitals to discontinue their use of the pump.
The FDA voiced concern that smart medical device products, which are often connected to the Internet and hospital networks, can be hacked, affecting their safety and effectiveness and revealing the data they carry.
The guidance recommends manufacturers of medical devices monitor, identify and respond to cybersecurity vulnerabilities as part of routine post-market surveillance of their products. They would be required to report some of that information back to the FDA.
National Institute of Standards and Technology (NIST): In the Fall of last year, the NIST offered new guidance for strengthening hospital cybersecurity. Included was the report that the engineers are working with the healthcare community to address wireless infusion pump security in hospital environments.
The objectives of the imminent set of best practices are to help healthcare organizations become more penetration-resistant, more effective at limiting damage attackers can inflict and ultimately better able to withstand cyberattacks.
Circling the Wagons for Cybersecurity
Clearly a collaborative effort by healthcare facilities, medical device manufacturers and regulatory authorities will be the optimum long term solution to minimizing hacking of smart medical devices.
In the interim, hospital leadership must continually become more diligent in identifying network vulnerabilities and taking steps to remedy the weaknesses through increased cybersecurity and aggressive data backup protocols.