Now that we are fully engrossed in the cyber age, there are rapid advances across the board for all things connected to the Internet, and cyber security for IoT medical devices is no exception.
These devices, often called the “Internet of Things,” or IoT, have certainly made much of life easier. For the medical profession, they have become a simple, safe and easy way to monitor patients away from a clinical setting.
This is all fine and good, but there is a fundamental question about IoT that needs answering: are these devices safe and secure once they leave a closed environment?
This article addresses the issues home devices face and possible ways to prevent cyberattacks and hacking.
The number one concern of healthcare professionals looking at and addressing potential problems is HIPAA. This protection act of 1996 means patients under the care of physicians have a reasonable expectation of privacy and are protected under the patient/medical professional relationship. IoT devices, by and large, operate free from human intervention.
This means the patient carrying the device is completely removed from interacting with it on any level. Most of the devices are used strictly for monitoring, data collection and medication dispensing.
They are passive because the medical professionals are looking for as true a baseline as possible, and monitoring is only effective when the patient is at ease with, or completely unaware of, the device. This lack of attention to cyber security for medical devices is the problem.
ISSUES AT STAKE
The information transmitted, no matter how insignificant at the time, could be used to gain identity information. IoT devices are often coded to the patient with a name, number and medical coding information. All that would be needed is access to the information on the device, and personal, private information is available. This includes social security numbers, medical information and possibly financial information to boot. This compromised information is enough to wreak havoc on a medical practice, hospital or medical equipment distributor – if not all of them together – all because of a HIPAA violation.
While computers have software to keep them from attacks, these medical devices do not. Little can be done if malfeasance is intended. A skilled and determined hacker with an understanding of IoT devices can quickly and easily undermine their basic functions. Doing so would cause serious problems for the medical professional monitoring the patient and for the patient, who could, as a result, receive incorrect treatments or medications. Unable to trace the information back to a source, this could potentially open a flood of medical malpractice suits, and there would be little the medical professional could offer as a substantial defense.
Medical administration in conjunction with information teams and network security specialists should realize there needs to be a move from the “Internet of Things” to “Security of Things” to protect themselves, their practices and patients from hacking. There are a few things that could be considered.
Safe and secure encryption should be at the forefront. As more and more medical practices move from paper to online and cloud patient records, the same can be said for IoT devices. Signed contracts with network encryption professionals covering both the software and the devices themselves should be a first step. Each contract should include audits, verifications and regular testing to ensure the validity and security of the data on the IoT device.
A Holter monitor is one of these IoT devices. Its purpose is to record a 24-hour EKG from a cardiac patient during normal daily activity so that heart function can be assessed in a natural setting. The contract should provide for each device to collect only the necessary information and nothing more. Systems that download, read or output the information are additionally a part of the contract.
To address needed cyber security for medical devices, the device should be built in such a way that any tampering of any sort is quickly noticed and/or the device immediately informs the medical professionals. Patient contracts protecting the device are also a sound idea.
The physical security of the device itself also should not be overlooked. The device should be configured to prevent data storage media from being accessed or removed, and the device itself should not be easily disassembled. In short, building strong security to protect data during transmission is undercut if the data can simply be removed from the device itself.
No one but a medical professional can dispense medical advice, so only those who will be reading the results need access to the data contained on the device. All information should only be retrieved through a secure server under select passwords. Focusing on cyber security for IoT medical devices, only the absolutely necessary individuals outside of those interpreting the data need access to any element of the entire procedure.
Proper training for every step only makes sense. All medical professionals are bound by an ethics code with severe penalties for infringement.
There have not yet been any serious attacks on medical IoT devices. The question is when one will happen. Ideally, every possible step should be covered; however, there is no guarantee of anything until an attack occurs. What are your thoughts and opinions on the issue of cyber security for IoT medical devices, and what steps in addition to those mentioned would be a necessary part?
Ransomware is distributed as a social engineering ploy via email, malicious links and malvertising, among other techniques. A proactive ransomware mitigation strategy for EMR is needed because once a user falls prey to these human exploits, ransomware is downloaded to the victim’s computer and the malicious process begins.
The malware attempts to connect with encryption-key servers, obtains public encryption keys and uses various encryption algorithms to encrypt mission-critical data on the network.
This data typically includes PDF, JPG and Microsoft Office file formats. Basic OS recovery and reboot systems are disabled. The compromised data is moved, renamed, encrypted, and renamed again so that the required data cannot be found using its actual file names by the time the ransomware is executed, which is when the ransom is demanded via Bitcoin or another digital payment service. At execution, the start-up screen and several basic features are also locked until this payment is processed.
Despite the prevalent security awareness, phishing schemes and drive-by-downloads remain one of the most effective techniques to deliver ransomware payloads onto target computers. To combat ransomware, a proactive ransomware mitigation strategy is to set up systematic corporate security training programs to prevent ransomware payload delivery onto your EHR systems in the first place.
Employ expert social pen-testers to phish your own staff. Emulate real-world exploits but do no real harm to your organization or employees. Establish gamification-based reward programs to encourage dedicated adoption of security best practices. And yes, prior executive approval will be required to prevent awkward situations.
Second, it is best to perform social penetration testing procedures on a separate, isolated network infrastructure so that sensitive data remains inaccessible and uncompromised. This strategy will essentially build the most effective line of defense against ransomware: the human firewall.
Advanced phishing attacks are known to bypass the standard spam filtering built into email clients. Another part of a proactive ransomware mitigation strategy for EMR is to establish strong spam filtering techniques such as blacklisting and whitelisting of email and IP addresses, and real-time blackhole lists maintained by third-party security providers. Use content-based filters to ward off the malicious content most relevant to your organization.
Email validation systems such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) can prevent phishing emails from reaching your workforce. Establish strong administrative and access controls to prevent unauthorized and unintended downloads of executable files via email or the Web – even legitimate websites could be compromised to deliver ransomware as downloadable content.
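SPF and DMARC only block spoofed mail if the published policy is actually enforcing, so a practical first check is to read a domain's TXT records and flag weak settings (a soft-fail SPF, a monitor-only DMARC policy, a partial pct, no reporting address). The following is an added example, not code from the original article; the domains and DNS records are constructed samples, and a real check would fetch the TXT records for the domain and for _dmarc.<domain> instead of reading the dictionary below.

```python
# Constructed sample TXT records (hypothetical domains, not real DNS data).
SAMPLE_TXT = {
    "weak-clinic.example": ["v=spf1 include:mail.example ~all"],
    "_dmarc.weak-clinic.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak-clinic.example"],
    "strong-clinic.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.strong-clinic.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong-clinic.example"],
    "nodmarc-clinic.example": ["v=spf1 +all"],
}

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(records):
    """Return findings for a domain's SPF record; [] means nothing weak was found."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (RFC 7208 requires exactly one)"]
    mechanisms = spf[0].split()[1:]
    last = mechanisms[-1].lower() if mechanisms else ""
    # The terminal 'all' mechanism decides what happens to every unlisted sender.
    if last in ("+all", "all"):
        return ["SPF '+all' authorises every sender"]
    if last == "?all":
        return ["SPF '?all' is neutral and gives receivers no basis to reject"]
    if last == "~all":
        return ["SPF '~all' softfail; forged mail is only marked, not rejected"]
    if last != "-all":
        return ["SPF record lacks a terminal 'all' mechanism"]
    return []

def assess_dmarc(records):
    """Return findings for the _dmarc TXT records; [] means the policy is enforcing."""
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["no DMARC record: receivers cannot enforce a policy on failures"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail goes to spam rather than being rejected")
    elif policy != "reject":
        findings.append("DMARC record has no valid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate failure reports will not be received")
    return findings

def assess_domain(domain, txt=SAMPLE_TXT):
    """Combine SPF and DMARC findings for one domain."""
    return assess_spf(txt.get(domain, [])) + assess_dmarc(txt.get("_dmarc." + domain, []))
```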
Strict controls that grant the absolute least privileges to each user will reduce the proportion of the workforce who can inadvertently facilitate ransomware delivery to the corporate IT network. This approach will prevent anomalous and unauthorized downloads, installations, data transfers, edits and encryption from taking place.
Furthermore, streamline the updating, patching and validation processes for every tool used in the EHR systems. Most of the ransomware attacks exploit known vulnerabilities that remain unpatched. Standardizing mass rollout of updates across all systems is a time-consuming and cumbersome process if the operating systems and software are installed on local hard drives.
Organizations that maintain such systems take months and sometimes years before evaluating, authorizing and installing updates individually on each computer. On the other hand, organizations that maintain virtualized and cloud-based environments for the delivery of desktop OS and electronic health records solutions can automate and streamline the process of software updates.
Although these measures drastically reduce the chances of successful malware delivery to your systems, your organization should be prepared to tackle the threat of ransomware infection and prevent execution of malicious programs. For instance, another proactive ransomware mitigation strategy is to restrict users’ privileges to install software and to run files with commonly targeted extensions.
If an installation is critical, the process should be flagged and transferred to a sandbox environment for detailed security assessment. Unauthorized changes to medical devices, files and data sharing should be blocked to prevent potential ransomware processes from executing.
Deploy advanced security solutions that detect anomalous processes, raise the alarm and cut off compromised systems from the network to prevent the malware from spreading. Maintain an efficient backup and recovery system that backs up data in real time and can be used to retrieve mission-critical data in a matter of minutes, as required. Consider using differential backup techniques that preserve only the changes made to data that has already been backed up.
The minds behind ransomware attacks intend to hold this data hostage so that victims are left with no option but to pay. If you can access this data by alternate means within an acceptable timeframe, the ransomware attack is rendered useless and you can eventually get security and IT experts to clean up the infected systems.
Finally, a sound proactive ransomware mitigation strategy for EMR is to coordinate with your security solution providers and federal agencies to report possible ransomware attacks – they may already have relevant information and could be able to crack down on the perpetrators with the additional reporting, thereby preventing future attacks from the same sources.
NextGen Executive Search has successfully recruited and placed software developers, clinical integration managers, and healthcare patient records management vendors, including medical device manufacturers, for over 20 years.
Embracing next-technology healthcare without adequate preparation will only open new risk avenues and threat vectors for healthcare cyber attacks. Technology is perceived as a solution to address operational inefficiencies within the healthcare industry and to expand the reach of high-quality healthcare services to remote regions. But the risks are mounting.
Vulnerable Devices for Critical Medical Practices
The proliferation of smart technologies will encompass the healthcare industry in coming years. Digital devices such as smart pacemakers and insulin pumps are used widely today, and the next generation of smart technologies will cover a variety of critical cardiovascular, respiratory and neurological medical practices. However, next-technology healthcare devices are not immune to sophisticated attacks. Under the control of malicious actors, vulnerable smart medical devices could deliver a killer blow to patients instead of maintaining stable health.
Cloud connectivity is critical to access patient information anywhere-anytime, a promise that’s driving transition to the cloud for healthcare institutions. PHI data is effectively stored in off-site data centers beyond the control of healthcare providers originally in charge of maintaining patient data privacy and security. Any vulnerability in their cloud networks is an open invitation for hackers to compromise sensitive patient information.
Unlike cloud vendors subject to stringent compliance regulations, patients themselves are unable to secure IoT-connected medical devices at home. A malware-infected dialysis machine could be part of a DDoS attack intended to bring down the entire network infrastructure of a hospital. Since IoT devices come from multiple vendors, through different processes, and offer different technologies, it is not always possible to maintain a consistent standard and control around healthcare cyber attacks and IoT device security.
Healthcare providers adopting telemedicine practices using smartphone health apps may not realize or control the personally identifiable information shared with third-party advertisers. These apps run on mobile platforms vulnerable to security threats, especially when the OS is not updated to apply the latest available security patches.
Considering the general lack of security awareness among patients, who use outdated mobile app and OS versions and fall prey to mundane social engineering ploys, the industry has a long way to go before mobile apps can be considered secure channels offering effective protection against healthcare cyber attacks.
Do you think the next-technology healthcare industry is ready to take a deep dive into cyber security adoption without adequate preparation and without fixing the loopholes that exist within the technology itself?
Need an executive search consultant with deep knowledge and contacts in the medical field? NextGen has identified and recruited key personnel ranging from principal and chief engineers in software development, systems design, and embedded wireless to directors and VPs in sales, business development, and technology, to business unit presidents for medical device manufacturers, electronic health records developers, clinical integration, and biomedical research and development.
The healthcare industry is unprepared for cyber attacks, and the cybercrime threat landscape for medical devices and electronic health records is evolving at unprecedented rates. The malicious intent of financially motivated or state-sponsored cyber-criminals was best served by victimizing financial institutions, power infrastructure and the business sector. The sheer wealth of profitable consumer information stored within the servers and IT networks powering these industry segments attracted attacker interest for decades. At the same time, these industries have been investing vast resources to strengthen their security posture. Cybercriminals pursuing easier targets are aiming for the healthcare industry instead, where a similarly vast deluge of sensitive personally identifiable information powers increasingly digitized healthcare services from less-secure network infrastructure.
Healthcare institutions excel in medical practice but are inherently prone to security attacks. 2017 might have seen only a limited number of successful attacks, but make no mistake that a healthcare industry unprepared for cyber attacks is a very real threat, and here is why:
The future of healthcare centers on paperless medical practices. Digital patient information stored in network-connected servers is a recipe for disaster unless strong security defense capabilities are in place to ward off sophisticated cyber-attacks. And that is precisely the problem: the healthcare industry is unprepared for the technology it is adopting.
While the government and the industry are pushing to embrace Electronic Health Record (EHR) systems, the same attention is not given to investing in strong security solutions, technologies, and processes across the widening industry of healthcare institutions, hospitals, surgery centers and EMR/EHR management providers.
Equating Compliance to Security: Global regulatory authorities enforce strict laws to ensure the security of digital health records and electronic systems used in the healthcare industry. However, these laws are designed to establish and maintain a minimum standard of security capabilities and practices. The actual risks can be far worse and more varied. Therefore, maintaining compliance with standards such as HIPAA does not translate into strong security capabilities, and the healthcare industry remains unprepared for cyber attacks.
Lack of Security Awareness: A significant proportion of life-threatening spearphishing and ransomware attacks are designed to exploit the human element. Random clicks on malicious links by an unsuspecting workforce in the healthcare industry cost millions of dollars in damages. Given the simple root causes of these costly attacks, inadequate workforce education and training on maintaining the security of digitized records and new healthcare technologies is clearly prevalent in the industry.
Lack of Resources: Many healthcare institutions do not operate on the same IT security budget as financial and business organizations. A recent study conducted by The Ponemon Institute finds healthcare organizations rate their ability to defend against cyber-attacks at a meager 4.9 out of 10.
Healthcare institutes work to excel in the services they offer, and tend to outsource critical healthcare IT operations. These IT service providers are subject to strict regulations including HIPAA, yet healthcare organizations cannot accurately assess the risk of business associates or ensure the security of Protected Health Information (PHI) shared with them.