Organizations that work with electronic protected health information (ePHI) must carefully weigh the risks and benefits of adopting new technology. From the internet of things (IoT) in hospitals to wearable medical devices to bring your own device (BYOD) policies, each endpoint represents a potential network vulnerability. Avoiding the adoption of new technology is not the answer. Instead, consider the value in education, secure IT solution providers, and security policies to minimize risks.
IoT in Healthcare: Devices That Transmit ePHI
The term IoT refers to the ability of devices to communicate with one another across internet connectivity, without the need for human intervention. Devices can include sensors, computers, communications devices, and mechanical devices that send and receive data. In the healthcare industry, new devices arrive in the marketplace on a regular basis, such as:
- Patient data-gathering telemetry devices, like wearable heart rate and blood pressure devices
- Connected onsite equipment used for diagnostics, pharmaceutical dosing, and to assist physicians during procedures
- Medical implants (the first wireless pacemaker was implanted in 2009)
According to 2016 projections, analysts expect the market for IoT in healthcare to reach a valuation of $410 billion by 2022. The industry includes the devices themselves, software, hardware, and services.
“Cyber-physical systems could save $63 billion in healthcare costs over 15 years with a 15-30% reduction in hospital equipment costs and a 15-20% increase in patient throughput,” according to Healthcare IT News
IoT solutions are projected to increase in 2017, across all industry segments. In healthcare, IoT will potentially improve response times, diagnostics, and overall health outcomes while saving money and optimizing healthcare workflows. As the usage of IoT and the development of new tech continues to grow, however, so do the risks of cyberattacks.
Trends in Healthcare Cybersecurity
A cyberattack of any size can cause severe and permanent damage—particularly for organizations that store, transmit or manage ePHI. Hackers can even potentially use code to take someone’s life! While, to date, no one has reported a medical-device related murder, the possibility exists. In 2015, students at the University of South Alabama successfully simulated a wireless hack and “killed” a patient.
More commonly, attackers use associated devices or access points (i.e., mobile devices, diagnostics equipment, and employee email) to find “back doors” into a facility’s network. From these access points, they can compromise millions or billions of patient records and put healthcare organizations at risk for HIPAA violations. Ransomware, denial of services attacks (DoS) attacks, and other cyber threats are par for the course today.
To put the threat landscape into context, consider the following statistics:
- The Office for Civil Rights (OCR), part of the Department of Health and Human Services (HHS), reported of 243 healthcare data breaches in 2016 by mid-October. More than 14.3 million records were taken or exposed by that point in the year.
- Healthcare has been at the top of the list of most frequently attacked industries since 2015.
- According to an earlier report from the OCR, the loss or theft of devices storing electronic protected health information (ePHI) and physical records was reported as the top contributing factor to data breaches.
- Since late 2015, the OCR collected over $16 million in fines/settlements associated with five organizations involved in ePHI breaches.
A strong cybersecurity strategy reduces the likelihood that an organization will join the list of those breached and in trouble with the OCR.
Identifying Vulnerabilities in IoT Devices
“A lot of adversaries aren’t looking at it as ‘let me go and attack your toaster.’ They’re looking at it as ‘let me attack your toaster to use it as a way to get into the rest of your network,’” says President of IP Architects John Pironti
Something seemingly as innocuous as a smartwatch can create vulnerability if connected to a network housing sensitive data. For organizations that embrace using multiple personal devices onsite, any connected device represents a vulnerability. Beyond the devices themselves, software and user practices create vulnerabilities.
Sensitive data requires full time management and monitoring, which is often easier said than done. There are dozens of reasons why your organization can have network vulnerabilities; to simplify the major causes, we divided them into two categories: business and technical. Figure one below outlines the causes of a weak infrastructure, so you can evaluate your own efforts against these factors:
HIPAA regulators outline the basics of healthcare best practices, but do not provide clear standards for software and hardware protections. Every ePHI data handler must take steps to protect their data and manage the risks associated with the IoT to the best of their ability.
Evaluating Connected Devices ePHI in the IoT
Use the following questions to determine the security of each connective device within your network:
- Does the device store & transmit data securely?
- Does it accept software security updates to address new risks?
- Does it provide a new avenue to unauthorized access of data?
- Does it provide a new way to steal data?
- Does it connect to the institution’s existing IT infrastructure in a way that puts data stored there are greater risk?
- Are the APIs that connect the software and devices secure?
Aligning your internal teams—C-level leadership, security and IT departments, specifically—and any vendors and service providers that touch your network, is critical to winning the battle against cybercrime.
Any party that comes into contact with ePHI connectivity may knowingly or unknowingly contribute to vulnerabilities, including insurers, information handling service providers, and healthcare professionals. In many cases, product manufacturers themselves need to take a stronger approach to data privacy and device security.
In addition to regulatory compliance, your organization must develop internal standards for proactive security management, data privacy, and incident response and relay those to any outsiders that affect your network. Stay tuned for Part 2 of our series on protecting your ePHI in the IoT and BYOD landscape, specifically as it relates to cybersecurity. We’ll go further into detail about BYOD and address best practices for policies and control.
Additional Resources on This Topic:
Internet of Things in Healthcare Market Is Anticipated to Witness an Upsurge in Demand for Technologically Advanced Medical Devices Till 2022
What You Need to Know About HIPAA Compliance and Increasing Enterprise Mobility Security
Major 2016 Healthcare Data Breaches: Mid Year Summary