The quickest way for hackers to harm a healthcare provider organization is to target patient information, and many of them focus on databases that support electronic health records.
The Internet of Things has amplified the number of attack vectors to target the functioning of hospitals, physician practices, outpatient centers and other facilities. But it also creates a direct risk to patient care.
Phones, tablets, connected medical devices and other technologies provide a side door for hackers to infiltrate networks. With many devices using outmoded operating systems, patients face a unique vulnerability, because a hacker could interfere with treatment.
Many devices, such as pacemakers or implantable devices that provide micro-shocks to the brain to treat Parkinson’s disease or other neurological disorders, are controlled by mobile apps that allow doctors to adjust treatment without resorting to surgery. The convenience trades off the risk of surgery against the risk of a hacker tampering with treatment.
Upgrading the security of these devices could require an entirely new FDA approval, a lengthy and expensive process. Some of these organizations are taking a wait-and-see approach to security, but that also reflects wishful thinking about vulnerabilities and potentially huge liabilities.
To help CISOs, CIOs and other health security leaders tackle these issues, Healthcare IT News interviewed Edward L. Goings, national pillar lead of cyber response services and global incident response lead at KPMG Global. Goings discussed the risks inherent in the Internet of Things, whether hackers can get in through implantable and similar devices, and what needs to happen to ensure security is maintained.
Q. The Internet of Things has amplified the number of attack vectors to break into healthcare provider organizations, and this can risk patient care. Please elaborate on this threat.
A. The Internet of Things exponentially raises the number of access points for hackers to infiltrate systems. WiFi availability creates an open field for hackers to see what sorts of networks are available and what devices are connected. Greater numbers of connected devices are being used in the delivery of care, but they are engineered for efficacy rather than security.
Also, IoT is an important part of remote monitoring to help alert clinicians about key indicators about how well a patient is managing their chronic illnesses. Unfortunately, many connected devices are using operating systems that are more than a decade old, making them obsolete when it comes to security.
The Internet of Things in a medical setting can be immensely helpful on one hand, but the cybersecurity risks need to be addressed in the design of these products.
Q. Many devices are controlled by mobile apps that allow doctors to adjust treatment. Can hackers get in?
A. Yes. A patient in a hospital bed may have several remote monitoring devices, in addition to connected devices that are implanted into the body such as a pacemaker.
Medical device makers are trying to do the right thing when it comes to allowing doctors to adjust the function of devices via an app, rather than resorting to a new surgery to implant a new device. It’s much more convenient for the patient, and there is less risk of causing additional harm, such as an infection.
However, it is conceivable for a bad actor to infiltrate the devices and disrupt overall function, whether the device affects heart rhythm, monitors the delivery of medication or transmits vital signs of a patient to a nursing station. The hacker can mislead a clinician into a faulty diagnosis and then ineffective or dangerous treatment.
Some of the devices can be involved in delivering small shocks to the brain to treat Parkinson’s disease or small shocks to the heart to moderate the heart rate. There are a number of devices that are also involved in the infusion of medication. Apps are an important part of diabetes monitoring, and that has its own set of disease-management issues, since poor management of the medications can lead to emergency room visits.
The questions would certainly tie to the motive of targeting patients, but the question remains about what sort of risk or liability would be borne on the makers of the medical devices.
Q. You have said upgrading the security of IoT devices could require an entirely new FDA approval. Will this happen? And what’s the danger of hospitals waiting for this to happen to take action?
A. Medical device-makers have been taking a wait-and-see approach to addressing security. Developing a medical device is a costly process. Even updating the security of the underlying software would require new studies to include in a new submission to the FDA. Some of the reluctance about going through this process on the part of medical device manufacturers is understandable.
Device updates or upgrades provide an opportunity to build security features into the design of connected devices as they undergo clinical trials. The question comes down to risk while the older products are out there and the gap before more secure products can undergo studies before being ready for the market.
If it turns out that a product gets hacked and raises safety issues, it could be catastrophic for smaller medical device-makers and extremely costly for the large device companies. The risk confronting healthcare providers is a bit different than what a device-maker faces, but a patient’s attorney may attempt to include a hospital in a suit if it is determined that the hacker infiltrated the device through their IT systems.
Q. What are a couple of ways healthcare provider organization CISOs and CIOs can take action today to protect their IoT devices?
A. Healthcare providers are some of the best at work hygiene, given its importance. Applying the same standards to technology would go a long way toward prevention.
They must understand that bad actors can and will try to target any weaknesses. Access management is one area that can help contain potential damage from bad actors. In healthcare, we don’t want to hinder access to lifesaving information.
With IoT, we connect to apps and clinical systems, but they should be connected with only minimum parts of the network where they need to perform. Most healthcare IT infrastructure focuses on the broad network of things. From a security perspective, they are really great at conducting Pen testing and red-teaming against the main network.
The IoT devices used in and for patients are critical, but it’s important not to overlook lifesaving devices around the hospital. These devices are more often than not connected to the overall network via WiFi and Bluetooth, and are often operated by older operating systems.
Attackers have begun targeting these devices as entry points into the network, as they do not often have endpoint protection. Providers need to focus on security testing at the IoT level. If devices cannot have endpoint security, then providers need to isolate the devices to a separate network that has tighter security.
Information-security teams need to perform compromise assessments of these devices on a more frequent interval. Where possible, operating systems should be upgraded to a supported OS that you can utilize [for] endpoint protection.