The fastest way for hackers to harm a healthcare provider organization is to target patient information, and many of them focus on the databases that support electronic health records.

The Internet of Things has amplified the number of attack vectors that target the operation of hospitals, doctors' practices, outpatient centers and other facilities. But it also creates a direct risk to patient care.

Phones, tablets, connected medical devices and other technologies provide a side door for hackers to break into networks. With many devices running outdated operating systems, patients face a unique vulnerability: a hacker can interfere with treatment.

Many devices, such as pacemakers or implantable devices that deliver small electrical pulses to treat Parkinson's disease or other neurological disorders, are controlled by mobile apps that allow doctors to adjust treatment without resorting to surgery. The convenience of avoiding surgery is traded for the risk of a hacker tampering with treatment.

Improving the security of these devices may require a completely new FDA approval, a lengthy and expensive process. Some of these organizations are taking a wait-and-see approach to security, but this also reflects wishful thinking about potentially major vulnerabilities and liabilities.

To assist CISOs, CIOs and other healthcare security executives in addressing these issues, Healthcare IT News interviewed Edward L. Goings, head of the national pillar of cyber response services and global incident response manager at KPMG Global. Goings discussed the inherent dangers of the Internet of Things, whether hackers could gain access through implantable and similar devices, and what should happen to ensure security.

Q. The Internet of Things has amplified the number of attack vectors for infiltrating healthcare providers, and this could jeopardize patient care. Please elaborate on this threat.

A. The Internet of Things exponentially increases the number of access points for hackers to infiltrate systems. WiFi availability creates an open field for hackers to see what types of networks are available and what devices are connected. A larger number of connected devices are being used in the delivery of care, but they are designed for efficiency rather than safety.

The IoT is also an important part of remote monitoring, helping to alert clinicians to key indicators of how well a patient is managing their chronic illness. Unfortunately, many connected devices use operating systems that are more than a decade old, making them obsolete when it comes to security.

The Internet of Things in a medical setting can be extremely rewarding on the one hand, but cybersecurity risks need to be addressed in the design of these products.

Q. Many devices are controlled by mobile applications that allow physicians to adjust treatment. Can hackers enter?

A. Yes. A patient in a hospital bed may have some remote monitoring devices in addition to the connected devices that are inserted into the body, e.g. a pacemaker.

Medical device manufacturers are trying to do the right thing when it comes to allowing physicians to adjust the function of devices through an app, rather than using a new operation to implant a new device. It is much more convenient for the patient and has less risk of causing additional damage, such as an infection.

However, it is conceivable that a bad actor would infiltrate equipment and disrupt its overall function, regardless of whether the device affects heart rate, monitors medication delivery, or transmits a patient's vital signs to a nursing station. The hacker can deceive a clinician into a misdiagnosis and subsequently an ineffective or dangerous treatment.

Some of the devices may be involved in delivering small electrical pulses to treat Parkinson's disease or to moderate the heart rate. There are a number of devices that are also involved in the infusion of medicines. Applications are an important part of diabetes monitoring, and this has its own set of disease management issues, as poor medication management can lead to emergency room visits.

The questions would certainly relate to the intent and motive involved, but the question remains what kind of risk or liability medical device manufacturers would face.

Q. You have said that improving the security of IoT devices may require a completely new FDA approval. Will this happen? And what is the risk to hospitals of waiting for this to happen before taking action?

A. Medical device manufacturers have taken a wait-and-see approach to addressing security. Developing a medical device is a costly process. Even updating basic software security would require new studies to include in a new FDA submission. Part of the reluctance of medical device manufacturers to go through this process is understandable.

Device updates or enhancements provide an opportunity to build security features into the design of connected devices as they undergo clinical trials. The question comes down to the older products that are already out there, and the gap before more secure products can undergo studies and be ready for the market.

If a product turns out to be hacked and raises security issues, it can be catastrophic for smaller medical device manufacturers and extremely costly for large equipment companies. The risk faced by healthcare providers is slightly different from that faced by an equipment manufacturer, but a patient's lawyer may try to include a hospital in a suit if it is determined that the hacker infiltrated the device through the hospital's IT systems.

Q. What are some ways healthcare provider organizations' CISOs and CIOs can take action today to protect their IoT equipment?

A. Healthcare providers are some of the best at occupational hygiene, given its importance. Applying the same standards to technology would go a long way towards prevention.

They need to understand that bad actors can and will try to target any weaknesses. Access management is an area that can help prevent potential harm from bad actors. In healthcare, we do not want to impede access to life-saving information.

With IoT, we connect to applications and clinical systems, but the devices only need to connect to the minimal parts of the network where they perform their function. Most healthcare IT infrastructure focuses on the broad network. From a security standpoint, they're really good at performing pen and red team testing against the main grid.

IoT equipment used in and for patients is critical, but it is important not to overlook rescue equipment around the hospital. These devices are most often connected to the general network via WiFi and Bluetooth, and are often run on older operating systems.

Attackers have started targeting these devices as access points to the network, as they often do not have endpoint protection. Providers need to focus on security testing at the IoT level. If devices cannot have security at the endpoint, then providers must isolate the devices on a separate network that has stricter security.

Information security teams should conduct compromise assessments of these devices at more frequent intervals. Where possible, operating systems should be upgraded to a supported OS that you can use [for] endpoint protection.
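The last three answers describe one defensive procedure: let each device class reach only the systems it needs, isolate devices that cannot run endpoint protection on a stricter network, and assess those devices for compromise more often. The following Python script is an added illustration of how a security team might automate that assessment; it is not code from Healthcare IT News, KPMG or any device vendor. The device inventory, the per-class allowlist, the VLAN names and the flow-log lines are all constructed sample data, and the log format (`src=… dst=… dport=…`) is an assumed one, not any specific firewall's.

```python
"""Segmentation and compromise-assessment check for connected medical devices.

Added illustration; not code from the interview, KPMG or a device vendor.
Inventory, policy and flow records below are constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed inventory: each device's class, network placement, and whether
# it can run endpoint protection at all (old OS builds usually cannot).
INVENTORY = {
    "10.20.1.5":  {"name": "infusion-pump-07", "cls": "infusion_pump",   "vlan": "medical-iot", "endpoint_protection": False},
    "10.20.1.9":  {"name": "telemetry-mon-02", "cls": "patient_monitor", "vlan": "medical-iot", "endpoint_protection": False},
    "10.10.4.22": {"name": "portable-xray-01", "cls": "imaging",         "vlan": "general",     "endpoint_protection": False},
    "10.10.4.31": {"name": "nurse-ws-14",      "cls": "workstation",     "vlan": "general",     "endpoint_protection": True},
}

# Constructed allowlist: a device class may only talk to the server it needs.
# (Destination addresses and ports are assumptions for the example.)
POLICY = {
    "infusion_pump":   [("10.30.0.10/32", 443)],   # pump management server
    "patient_monitor": [("10.30.0.20/32", 2575)],  # HL7 listener at the nursing station
    "imaging":         [("10.30.0.30/32", 104)],   # DICOM archive
}

# Constructed flow-log lines in an assumed "key=value" firewall export format.
SAMPLE_FLOWS = [
    "2022-01-05T10:00:01 src=10.20.1.5 dst=10.30.0.10 dport=443 action=ALLOW",
    "2022-01-05T10:00:04 src=10.20.1.5 dst=10.10.4.31 dport=445 action=ALLOW",
    "2022-01-05T10:00:09 src=10.20.1.9 dst=10.30.0.20 dport=2575 action=ALLOW",
    "2022-01-05T10:01:12 src=10.10.4.22 dst=203.0.113.7 dport=443 action=ALLOW",
    "2022-01-05T10:01:30 src=10.10.4.31 dst=10.30.0.10 dport=443 action=ALLOW",
    "malformed line that should be skipped",
]

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse_flow(line):
    """Return (src, dst, dport) from one flow line, or None if it does not match."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def flow_permitted(cls, dst, dport):
    """True if the destination/port is on the allowlist for this device class.
    Classes without a policy (e.g. workstations) are out of scope and pass."""
    rules = POLICY.get(cls)
    if rules is None:
        return True
    d = ipaddress.ip_address(dst)
    return any(d in ipaddress.ip_network(net) and dport == port for net, port in rules)


def assess(flow_lines, inventory=INVENTORY):
    """Produce findings of two kinds:
    - 'unisolated': a device with no endpoint protection sitting outside the stricter medical-iot VLAN
    - 'policy_violation': a device that talked to something outside its class allowlist"""
    findings = []
    for ip, dev in inventory.items():
        if not dev["endpoint_protection"] and dev["vlan"] != "medical-iot":
            findings.append({"device": dev["name"], "kind": "unisolated",
                             "detail": f"on vlan {dev['vlan']}"})
    unexpected = defaultdict(set)
    for line in flow_lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        dev = inventory.get(src)
        if dev is None:
            continue  # not a tracked device; a full tool would flag unknown sources separately
        if not flow_permitted(dev["cls"], dst, dport):
            unexpected[dev["name"]].add(f"{dst}:{dport}")
    for name, dests in unexpected.items():
        findings.append({"device": name, "kind": "policy_violation",
                         "detail": ", ".join(sorted(dests))})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_FLOWS):
        print(f"{f['kind']:17} {f['device']:18} {f['detail']}")
```

Run against the sample data, the script reports the portable X-ray unit as unisolated (no endpoint protection, yet on the general network) and two allowlist violations: the infusion pump reaching a nurse workstation on port 445 and the X-ray unit reaching an external address. A real deployment would feed it the firewall's own export format and the team's asset inventory; the point is that a per-class allowlist turns the interview's "connect only to the minimal parts of the network" into something that can be checked on every assessment cycle rather than assumed.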

Tweet: @SiwickiHealthIT

Healthcare IT News is a publication of HIMSS Media.