Henry Ford Health System is taking far-reaching steps to block insidious cybersecurity threats against Internet of Things technologies and medical devices.
IoT and medical devices – well known to be soft spots in terms of privacy and security – are particularly tricky because most manufacturers have not yet incorporated robust security features into them.
“Organizations must examine if they have their clinical engineering department positioned correctly,” said chief information privacy and security officer Meredith Phillips. “Do they fit this department with IT or with facilities? We are at the beginning of that journey at Henry Ford. We have taken steps others are just considering.”
The big step started a year and a half ago when Henry Ford realigned internally to move the clinical engineering department – people and all the devices – out of operations and facilities and into the IT shop.
Every medical device has an IT component, and at Henry Ford Health approximately 80 percent of these devices handle or store some kind of health data. Henry Ford Health includes five hospitals, one of the nation’s largest physician group practices, a retail division and a 690,000-member health plan – and some 60,000 medical and IoT devices spread across them.
“So we are ensuring medical devices are running across the most secure connection, are updated with patch management, and are part of our IT scope,” Phillips explained. “Prior to the move it was hit or miss. But we have taken this important step. Others are still thinking it through, and it admittedly can be daunting.”
In addition to moving its clinical engineering department under IT, Henry Ford Health System has been having in-depth discussions with the manufacturers of those 60,000 medical devices.
“We’re having very proactive discussions with our medical device manufacturers, to help them understand the pain points we go through, to help them secure and protect these devices,” Phillips said. “Many of these manufacturers have not had the opportunity to sit with their users and talk through how difficult it is for us.”
And on top of conventional medical devices comes the Internet of Things, a panoply of web-enabled devices new to the scene that introduce their own set of cybersecurity concerns.
“The Internet of Things creates an environment that is really squishy,” Phillips said. “Suddenly we have all these new connections that we did not have 10 or even five years ago. Things used to be purely streamlined in our own private network; but now patients and clinicians have multiple devices on their persons, they have devices that are implantable, and more. So it becomes more important than ever to have a plan in place that acknowledges there will always be new technology advances and that these are our methods for how to address new threats introduced by new technologies.”
Indeed, having clinical engineering report to IT also positions Henry Ford Health to better manage security around emerging threats, such as ransomware.
IT consultancy Forrester Research, in fact, predicted that in 2016 the healthcare industry will see a ransomware attack delivered specifically via a medical device or wearable IoT gadget.
“The rise of IoT – accompanied by its security and privacy risks – and the state of cybersecurity within healthcare today makes it a target for both data theft and extortion,” according to Forrester’s “Predictions 2016: Cybersecurity Swings to Prevention” report. “Ransomware grew rapidly in 2015 thanks to the popularity of ransomware families like CTB-Locker, TeslaCrypt and CryptoWall. Motivated by the rise of virtual currencies and the number of victims who have demonstrated a willingness to pay to regain access to their data, cybercriminals are embracing cyberextortion.”
Cybercriminals will exploit any vulnerability they can find, whether in a conventional network, a medical device or anywhere else, and their crime du jour is ransomware. Phillips said ransomware attacks will continue to increase in number in the years to come.
“As a result, healthcare organizations have to think about education,” she said. “These ransomware attacks are using low-budget con games to poke holes in a network or exploit a vulnerability. Phishing e-mails, for example, are very low-budget and low-tech. Because they look legitimate and the hackers are very skilled, unsuspecting persons will click on links and even provide information. And then you have turned over a house key to the robber.”
Employees can be a critical vulnerability, unless they are very well educated in the ways of cybersecurity.
“You have to constantly make sure your users are given nuggets of information they can use to make better judgement calls as they vet e-mails,” Phillips said. “No amount of technology will stop a person from clicking on that link.”