During a recent trip to the doctor's office, other than the nurse using two fingers on my wrist and a watch to take my pulse, everything else was completely different. From booking my appointment online to completing much of the usual paperwork from home, things have changed. For the first time, I was able to provide an actual medical history, since I was home where that information is. When I arrived at the office, I checked in on a tablet and was told the wait would be less than 5 minutes. Once the doctor entered the exam room, she had already reviewed a thorough and accurate medical history and began firing off questions about the sorts of things that happen during an active lifestyle. Although it was my first encounter with this provider, she seemed to know me as if she'd been treating me for years. During the encounter, I was able to share with her the heart rate alerts I had received on my Apple Watch while essentially doing nothing. This type of information has been made available by the Internet of Things, or internet-connected devices, both wearable and otherwise. That's the positive side of technology's impact on healthcare.
It's not just our physician encounters that have changed. Medical devices have also seen great change. Not only do the elderly have access to home health monitoring equipment, but virtually every medical device being manufactured today connects either to an internal network or directly to the internet. These advances allow data to flow into software systems that analyze it, raise alerts, and share it with providers throughout the care chain. The result is better health outcomes and improved quality of life for many of us.
Sadly, it's not all good news. Connecting all of these devices has created a treasure trove of opportunities for cybercriminals. Being told to pay a ransom in bitcoin or have your pacemaker shut off is not an unrealistic concern. In fact, a 2017 Ponemon Institute study found that 39% of medical device manufacturers reported that attackers had taken control of their devices, and 38% of care delivery organizations said inappropriate therapy or treatment had been delivered to patients because of an insecure medical device. Imagine an attacker half a world away manipulating the infusion pump connected to your arm while you're in the hospital; this is today's reality.
What’s being done about it?
Truthfully, not enough. Rather than pile onto the device manufacturers alone, let's consider three stakeholders, each of which carries a share of the burden. First are the device manufacturers, whose brands are on the line, so one would think they are doing all they can to harden their products. That is not necessarily the case. The Ponemon study goes on to report that most device manufacturers have yet to adopt more stringent software and device security practices, with the result that production devices ship with vulnerable code. The urge to get to market as quickly as possible often overrides proper security and vulnerability testing.
Second, one must consider the security of the facilities that house these devices: hospitals, other care facilities, and even our own homes. From an attacker's perspective, a medical device is simply another node on the network, much like a computer or a printer, and it is exposed to the same network-borne threats as any other node. If medical devices are not routinely patched and updated, whether manually or automatically, they remain open to new exploits. In practice that means they belong in the asset inventory and in the patch cycle like any other host.
Finally, the third culprit in our trio is the facilities that fail to update their devices. Believe it or not, there are still medical devices in use today running Microsoft Windows XP. Microsoft ended support for that operating system in April 2014, which means that for more than four years any new Windows-based attack has found an open door on those devices. To be fair, a significant reason these devices haven't been upgraded is that the cost is prohibitive for small and rural facilities. Many of these smaller organizations, such as solo providers, are struggling to stay afloat in the new healthcare environment. Spending $200,000 or more on a new X-ray machine, for example, is beyond their reach and reason. This particular issue has no simple fix. Where replacement is out of reach, the practical compensating control is isolation: keep such devices off general-purpose networks and reachable only from the systems that must talk to them.
What was left off the list?
Many industry insiders grew accustomed to blaming regulatory bureaucracy for their failure to develop and push out updates to their devices. However, as far back as 2005 the FDA began making allowances for security-related patches and updates, clarifying that most such patches do not require a new premarket review, and this year it again issued updated guidance intended to streamline the process. Frankly, we can't accuse the FDA of standing in the way on this issue.
We also omitted the fact that few IoT devices, medical devices included, communicate over encrypted channels. Citing the Ponemon study, only about a third of device makers built encryption into their devices, and few healthcare facilities were deploying it on their own IoT devices. While the percentages have likely improved since the study was published, those devices, and the thousands produced before them, are still in use and will be for years to come. Under the HIPAA Security Rule, encryption of data in transit and at rest is an "addressable" implementation specification: a covered entity that forgoes it must document why and what it did instead, and unencrypted protected health information has been a recurring factor in fines from the Office for Civil Rights (OCR). It should therefore be implemented wherever possible.
What needs to change?
The increased exposure these devices create demands a shift in how they are built that is as significant as the technological advances that produced them. The traditional model of contracting a software development team to add the software layer on top of a device is no longer viable. Gone are the days when an offshore team could be hired, handed a functional specification, and released once the project was completed. Medical device manufacturers now need to bring software development in house and incorporate it into the design cycle as early as possible. Likewise, the firmware team needs to stay intact after development and work closely with the software team to coordinate patches and updates on an ongoing basis, for as long as the device remains in clinical use. Needless to say, these teams aren't cheap, nor is the talent easy to find. As a result, it will take time for manufacturers to get the right teams in place and to adjust their business models to account for the overhead.
As with everything in cybersecurity, the manufacturers can do everything right and a secure environment will still depend as much on the training of the workforce as on the hardware itself. Even today, despite the security holes in the bulk of currently deployed medical devices, the greatest source of breaches is still at the user level.
Ultimately, the costs of this shift will be borne by consumers through higher costs of care. We can hope that more vigilant cybersecurity efforts will drive down the risks involved, but this new business model is here to stay.
About the Author:
Jeff Mongelli built and sold his finance company to GE Capital 17 years ago to enter the healthcare industry. As Founder and CEO, Jeff built Acentec, Inc. into a national leader in improving the clinical and financial performance of healthcare organizations. He understands that achieving the promise of improved healthcare through aggregated data requires a dedicated commitment to the protection and privacy of that information. Jeff is considered an industry expert in IT and security and HIPAA compliance, and is actively involved in the field of artificial intelligence. He is frequently quoted in the industry's publications and is a featured speaker at national trade shows and medical association meetings. He is a member of the FBI's InfraGard program, a collaborator in its Healthcare CyberSecurity Workgroup, and a member of the Homeland Security Information Network.