Securing remote devices more important than ever
Keeping patients out of the hospital has long been a mantra of the healthcare industry. Medical devices supporting that trend have emerged in droves. Wireless devices, remote monitoring devices and smartphone-based trackers all have enabled physicians to gather data while patients live more normal lives.
The freedoms that come with these technologies, however, also bring new risks to the security of patient data and the integrity of hospital networks.
Stuart Long, CEO of Infobionic, said the kinds of intrusions these devices invite range from inconveniences to serious theft and potentially even life-threatening interference. Knowing what kinds of things hackers aim to do and which ways they might break in gives hospitals a better sense of how to develop and manage security policies.
WHY IT MATTERS
In the early days of medical devices, Long said that while they were rudimentary and didn’t have much security built in, they were “so proprietary it was hard to figure out how to get into them.”
This might have been pricey and limited in functionality, but having one device talking to another all from the same manufacturer with its own standards meant much less exposure to hacking. Now, however, things are a little easier as well as a little less guarded.
Long used as an example any generic FDA-approved remote sensor a patient may wear. It can be up to all of the industry standards of privacy and security, but it is still “using Bluetooth and talking to a phone” which in many cases is a patient’s personal device, Long explained. That phone is not held to a hospital’s security protocols and yet is feeding data in, making it an ideal target for hackers.
THE LARGER TREND
Once in, thieves could potentially have access to some of the most valuable information on the dark markets.
“On the dark net your credit card information is worth $7 and PHI is worth $70,” Long stated.
While the figures are not necessarily precise, he noted this illustrates the disparity between the financial and healthcare industries. Credit card companies, he said, are used to these sort of breaches and are so good at apprehending it that a stolen credit card number is not good for very long before it is shut down.
Healthcare lags behind in response and also has the kind of spoils that cannot be quickly changed like a credit card number can.
“If they can access your family histories, you increase the concentric rings around one individual,” whose data can be stolen, Long cautioned. “It’s not just getting one person’s PHI, it’s whatever is listed in their medical information.”
Gone are the days for devices where the mindset was that anything operating within a hospital network’s constraints was “safe enough,” Long said. As long as there is something of value that a thief might steal, someone will find a way to try to steal it.
“Anybody who wants to get at [valuable healthcare] data will evolve their methodology. It will just get more difficult” for them to do it, Long explained. With that in mind, healthcare organizations need to know they are waging an ongoing battle, not just plugging a leak once and for all.
Some of it is addressing basic level security: changing passwords, always updating software and security patches. Further than that though, hospitals need to be aware of the multiple new forms of access they are inviting to their network and must work to secure new avenues of patient interaction.
Finally, Long said adhering to as many standards as possible is something hospitals should look at from a vendor. He said that while there are many mandatory standards a hospital and vendor need to comply with, there are voluntary measures like FIPS compliance that can show an organization is serious about protecting its data.
“What do you do organizationally? Some of that is protect your IT infrastructure,” Long stated. “You don’t want to paint a target on your backs.”
Benjamin Harris is a Maine-based freelance writer and former new media producer for HIMSS Media.