We’re Still Not Doing Enough to Keep Patient Data Secure

A recent report points out that providers are not taking the necessary steps to secure the mobile devices connected to their network.

By John Halamka, M.D., president, Mayo Clinic Platform, and Paul Cerrato, senior research analyst and communications specialist, Mayo Clinic Platform

To say that cybersecurity attacks put patients at risk is no exaggeration. A new report from Cynerio and the Ponemon Institute states that 56% of healthcare organizations have experienced one or more cyberattacks in the past 2 years that involved either Internet of Medical Things (IoMT) or Internet of Things (IoT) devices. More than half of the survey respondents say these cyberattacks increased mortality rates. These devices can include infusion pumps, glucose meters, pacemakers and a long list of other vulnerable items that may be connected to a hospital’s network. In addition to posing a threat to people’s lives, these breaches come with a heavy financial toll. Forty seven percent of the organizations experiencing an attack were forced to pay a ransom to retrieve their stolen data. The report finds that “32% of the ransoms paid fall in the range of $250,000 to $500,000.” The report also found that only about 1 in five (21%) organizations said they had a mature system in place to proactively address security issues, despite the risks.

Several roadblocks make it difficult to shore up the security of these devices. Many still rely on outdated operating systems. An international survey involving 600 health care IT professionals in 2019 found more than one out of four organizations were still running Windows 7 on their medical devices. The danger posed by this practice may not be immediately obvious to most clinicians, but many older OSs are no longer supported by their manufacturers and security patches are not available to block newly designed digital threats.

Even health care providers currently running supported operating systems can fall victim to cyberattacks if they fail to install security updates as soon as they become available. That’s how the infamous WannaCry ransomware worm was able to penetrate the NHS and numerous other networks; it affected more than 200,000 computers worldwide in 150 countries. Microsoft had already issued a security patch before the WannaCry incident, but many organizations had neglected to install it in time.

Another problem is that updating a medical device technology may require the manufacturer to submit a new application to the FDA for approval, a time consuming process that smaller companies are less inclined or resourced to do. And if health care providers want to update a device’s technology on their own, they run into a problem with the manufacturer, which has the primary responsibility for keeping the device safe. Most devices are black boxes in the sense that the manufacturer does not allow users to touch the software; doing so without the company’s permission usually voids the warranty. That makes it virtually impossible for a hospital or medical practice to install security updates to legacy OSs, even when they are available. If the device manufacturer is cooperative, it may be possible to have their technicians do these updates. When that’s not an option, segmentation becomes all the more important.

Fortunately, many device manufacturers are now beginning to realize that their reputations depend upon developing machinery that is not just clinically functional but hardened to cyberattacks. Many new devices come with a Manufacturer Disclosure Statement for Medical Device Security (MDS2) that spells out the security protocols used on the device, whether anti-malware software has been installed, and whether it should even be connected to the Internet.

One reliable method of improving a device’s security is to perform penetration testing. As we explain in our primer on protecting patient information, it involves hiring someone to put on the “black hat” and try to break into the organization’s computer system as an unauthorized user to see how easy it is to gain access to protected health information. The relevant HIPAA standard, 164.308(a)(8), states that you need to “Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this [Security] rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information…” Some HIPAA standards are accompanied by implementation specifications that dictate how the standard should be carried out. This standard has no such specifications. But it is worth noting that the National Institute of Standards and Technology (NIST), in its guide to implementing HIPAA’s Security Rule, recommends penetration testing to fulfill this particular standard if it “has been determined to be reasonable and appropriate.”  

While there is no such thing as a foolproof security system, failing to take the necessary steps to keep IoMT and IoT devices protected is like making sure your front door is locked and bolted while keeping one of the back windows unlatched. It usually spells trouble.