By Mike Kijewski, CEO, MedCrypt.
Advancements in medical device technology has allowed for services, initiatives and changes in healthcare delivery to evolve at a break-neck pace. Smartphones are increasingly integrated into patient care planning, providing internet connectivity to share data to healthcare delivery organizations (HDO), doctors and researchers. It is unfortunately also true that as the medical treatment landscape has evolved, it has been challenged by cyber-attacks. While shows like Homeland have portrayed the vice president’s wireless pacemaker introducing a vulnerability that can be used in an assassination attempt, individual patient harm is not the common scenario HDOs and patients face.
Instead, as a recent report from Positive Technologies indicates, healthcare hackers seem motivated to seek sensitive information and control over a system, compared to stealing financial information, or even money. How does this motivation impact a defense strategy in the already complicated healthcare ecosystem?
Location of care delivery
Let’s begin by understanding the volume of the situation. The average hospital bed has 10 to 15 devices connected to it. With the American Hospital Association count of hospital beds above 6,000 in 2019, this is in the frame of 900,000 devices inside U.S. hospitals. These devices often have Bluetooth or wireless capabilities. An adverse player in the ecosystem can potentially exploit this connectivity with the intention to expand into the HDO network, hospital/device database or elsewhere.
Healthcare has been shifting outside of the HDO to accommodate increasing costs in care delivery, remote patient geography and to accommodate populations that are unable to access an HDO on an ongoing basis. These changes have been great for patients and providers, enabling ongoing monitoring of patients even when they’re not in the HDO. But it also means that some connected devices operate outside of the secured and monitored HDO network, while sending data back to providers within the HDO network. The introduction of these connection points also serve as the introduction of additional threat vectors that need to be managed.
Types of data available
It’s not immediately obvious what data used in clinical care could be used by hackers to elicit monetary benefit for themselves. The idea of a blood pressure or ECG reading doesn’t exactly bring dollar signs to mind.
HDOs and care providers regularly obtain patient social security numbers (SSN), which can be relevant for billing purposes, or in an attempt to share data between HDO systems. This same data can be used by a malicious actor to commit requests for loans, prescriptions or insurance claims, open bank accounts, perform online transactions and even file taxes or claim rebates. Imagine the SSNs from a pediatrician’s office being sold and the fraudulent activity going undetected for a prolonged period, or the SSN of a deceased person that can be used with zero concern for active monitoring by the individual.
Records can also include communication methods for patients, such as email and phone numbers, which can be used for spreading spam/malware with the intention of running phishing campaigns. This is to say nothing of personal distress that can be introduced if patient medical conditions are known by individuals without the patient’s best interest in mind.
Individuals who use commercial trackers to identify fitness patterns and metrics to discuss with providers have intentions of bringing more data to a potentially difficult diagnostics. However they are also capturing information that can be correlated to determine physical location. The army base location that was disclosed because of GPS-related workout data demonstrates how different types of information can appear unrelated, yet end up unintentionally giving something crucial away.
Broader system penetration
As mentioned, there are multiple modalities in which connected devices operate, including both within the HDO network and outside of it with connections back. In both instances, the HDO network is included in the operational model. The matters because a hacker can exploit a device vulnerability as an entrance point into a HDO network to then deploy a ransomware campaign. This will compromise an HDO’s network, inhibiting its ability to update electronic health records and use devices that rely on connectivity for making calculations (such as devices used in radiation oncology and sophisticated surgical robots).
While this may seem like a delay in the delivery of elective procedures, it can also result in a re-routing of patients who have emergent needs. Research shows a 13.3 percent higher mortality rate for patients experiencing an acute myocardial infarction or cardiac arrest who received a delay in care of four minutes, which was attributed to a marathon taking place that day. When applying this finding to a delay in care due to a network takeover by hackers, one can imagine an increase in mortality rates far greater than 13.3%.
We have still seen evidence of negative outcomes for patients in facilities with a historic breach, even in scenarios where an HDO restored operations and enhanced security controls after a cyberattack. The 0.04% increase in mortality rate observed is the equivalent of the 0.04% increase in positive outcome for patients based on enhanced treatments.
The impact of this exploitation warrants device connectivity to be carried out with intentionality. Rather than “perfect security,” this means applying a robust framework, such as NIST, when considering how these devices operate. This can include an HDO procurement strategy, taking clues from industry leader Mayo Clinic’s vendor packet, which considers security that has been designed into devices. Taking the FDA’s premarket guidance draft (October 2018) into consideration brings an additional layer of security to devices, including data encryption, cryptographic signatures for sensitive data, monitoring of devices for known vulnerabilities and notifications abnormal device actions.
A robust hospital IT strategy could also include applying security changes as devices are loaded onto a network (such as changing vendor provided passwords), tracking devices connected to the HDO, appropriate network segmentation and patching devices in an ongoing and consistent pattern.
The human factor is also important – overly complicated authentication mechanisms that lead to shortcuts in practice, such as taping passwords onto a device, should be guarded against. Rather than listening to the narrative that clinicians introduce weakness into a security program, clinicians should instead be equipped with the ability to diagnose a potential cyber attack the same way they run differentials on patient treatment.
Layered security is a proven technical approach for building safety into a sustainable program. Security will never be ‘done,’ but through the appropriate application of practices and tools by the relevant medical device manufacturers and HDOs, it can be implemented in a scalable and efficient way.