Hospitals and the IoT: When your MRI machine is a welcome mat (for hackers)

Connected devices, often referred to as "Internet of Things" or "IoT" devices, are a double-edged sword for hospitals: On the one hand they are delivering major improvements in efficiency as well as patient care and safety.

On the other hand, they present a massive and rapidly growing cyber threat that hospitals need to consider in their cybersecurity planning.

Cyber threats are not a new phenomenon for U.S. hospitals, but the type of threat they face has morphed into something different. Hospitals have been aware of the need to guard protected health information (PHI) for years. However, they have only recently and painfully become acquainted with the reality that hackers can threaten their operations and possibly disrupt patient care. For decades now hackers have successfully sold PHI for monetary gain. But now, with the emergence of ransomware, hackers look to monetize hospital hacks by disrupting hospital operations in exchange for payment. Hospitals are now confronting this extremely serious new dimension of the cyber threat. Last week's WannaCry ransomware, which crippled numerous hospital systems and impacted more than 150 countries, is a sobering example of precisely what we are dealing with.

A little over 20 years ago, Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which established a set of national standards for the use and disclosure of individually identifiable health information. In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act, which created a new category of protected health information called electronic personal health information (ePHI) and defined who was responsible for protecting that information ("covered entities"). Every American who has ever walked into a doctor's office and been presented with a small packet of privacy notifications (and a flower pen), or tried to get medical test results for a relative, has felt the very significant impact of these two laws.

But these laws are not new, and hospitals and health insurers have had many years to develop programs and procedures to protect health information. They've beefed up their cyber defenses, including how they prioritize cybersecurity in their budgets and governance structures. They implemented a wide range of cybersecurity tools to ensure that, as best they are able, no unauthorized person is able to access ePHI on their systems. Cybersecurity tools such as firewalls, data loss prevention systems, two-factor authentication and encryption are all now commonplace in hospitals' environments. These tools protect ePHI and, of course, minimize the chance of penalties associated with its theft.

Enter IP-enabled hospital equipment.

In a hospital, it's hard not to notice the flashing, beeping equipment and cables all over the place. Today, almost every piece of equipment – dispensing cabinets, heart monitors, X-ray machines, infusion pumps, and on and on – is connected to the network. But, in reality, the IP-enabled equipment on hospital networks is only marginally more secure than the cheap cameras made famous by Mirai, the malware behind last fall's massive denial of service attacks. The U.S. Food and Drug Administration (FDA) has issued guidelines for the manufacturers that produce and the hospitals that operate this equipment, so that it is not as susceptible to hacking as, say, the army of surveillance cameras exploited, infamously, last fall by Mirai. The Department of Health and Human Services' Office of Civil Rights (OCR) has also become more active in overseeing the risk that devices introduce into hospitals' environments. While these requirements have raised the level of attention this issue gets, no true consensus has yet emerged on what "best practice" is for hospitals in securing their growing inventory of devices.

The National Cybersecurity Center of Excellence at the National Institute of Standards and Technology (NIST) is trying to help with this and has published a helpful infusion pump use case, which takes a more holistic view of the medical device on the network and highlights which NIST controls are particularly important. The FDA requires manufacturers to be "vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity." Medical device manufacturers must comply with federal regulations, including the quality system regulations (QSRs).

The FDA expects medical device manufacturers to take steps to limit unauthorized device access, for example by supporting and using authentication; to protect individual components from exploitation; and to have methodologies for patching and for software or firmware updates. And per the FDA's post-market guidelines, hospitals must be vigilant about maintaining and monitoring their equipment. And yet, medical devices are still a major source of risk to both network security and patient safety for the hospital enterprise. Just recently, a major pharmaceutical and medical device manufacturer received a letter from the FDA outlining findings that the company failed to maintain and implement proper procedures related to product design and to correcting and preventing device problems.

Why is this the case? The reason is pretty straightforward. Even when manufacturers can be incentivized or coerced into producing better software and hardware, there will still be vulnerabilities – just like there are in the laptop or tablet you are reading this on. And patching for medical devices is unlikely to be any better than the patching methodologies we use for computers and other traditional networking equipment. So, no matter what, security is going to need to be managed to a great extent by the enterprise itself – the hospital that runs the equipment. And this necessitates a slightly different conversation.

Stay tuned for Part 2 of this piece in which Katherine examines how hospitals can tackle IoT device security - out next week.

Katherine Gronberg is vice president for government affairs at IoT security company ForeScout Technologies. She is based in Washington, D.C., where she works closely with policy makers and U.S. federal agencies on IoT security initiatives and programs. Prior to joining ForeScout, she was a professor at Georgetown University, teaching classes in cybersecurity and business-government relations. Katherine was formerly a staff member on the Senate Appropriations Committee, handling annual appropriations for a wide range of federal agencies.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
