Tag: healthcare IT security

Do You Know If Your MRI Is Secure From Hackers?

By Leon Lerman, CEO and founder, Cynerio.

Data-driven medical care with connected devices is now the norm. Patient monitors, IV pumps, MRI machines, and infusion pumps all behave like computers with the ability to monitor patient conditions in real time, share data and even automatically adjust dosages. Although all of these innovations are improving in-patient care, their ability to communicate over internal computer networks has introduced new vulnerabilities to cyber attacks.

The health risks are high. Hackers can infiltrate devices and tamper with doses or even make devices show false data, leading doctors to the wrong diagnosis. Attackers can also hold electronic medical records ransom, causing delays in procedures required to treat patients.

The invisible threat

The biggest obstacle to securing medical devices is the simple fact that many of them are hidden. Hospitals often don’t have full visibility into which medical devices they have, so they aren’t aware of all the vulnerabilities. You can’t tell if your MRI is insecure if you don’t keep a full inventory of all the medical devices and all information necessary to assess the relative security risk.

Some hospitals rely on manual methods such as Excel spreadsheets to maintain an inventory of medical equipment. However, electronic files maintained by humans can’t keep pace with the growing number of devices and all the changes and updates that occur on an ongoing basis.

Often medical devices are added to the network without notifying security professionals and going through the necessary cautionary procedures. Many departments add equipment with the noble aim of improving patient care without notifying IT, since they are simply following the doctor’s orders and doctors are king. Something as simple as browsing for a local restaurant at a nurse’s station can put the hospital at risk if the computer isn’t adequately secured.

Tips for Risk Assessment in Healthcare IT Security

Guest post by Lysa Myers, security researcher, ESET.

Risk assessment is something we all do, every day, in healthcare and in our daily lives. Consider crossing the road. Should you cross at the lights? Can you trust the traffic to obey the lights? Doctors perform risk assessments when prescribing medications or evaluating a patient for an operation. Unfortunately, risk assessment for electronic health records (EHRs) is not fully understood or implemented by some healthcare organizations, especially smaller facilities that lack dedicated IT or security staff. Yet, this type of risk assessment is increasingly important to the success of healthcare-related businesses.

How do you proceed if your organization lacks the expertise to complete an EHR risk assessment? Because this is such a complex topic, the answer to that question could easily fill volumes. But we all have to start somewhere, so I will provide a basic description to steer you in the right direction to do more in-depth research on your own.

How to do an EHR risk assessment

There are four basic steps – the time and effort they require depends upon the size and complexity of your organization, and the thoroughness of your assessment. You may wish to do your assessment in multiple passes over time, getting more in-depth as you go. This turns a huge headache that must be dealt with all at once into something more manageable that can be revisited to keep up with changes as they occur.