Managing healthcare cybersecurity risk

With information flowing throughout their organizations and patients reliant on connected devices for their healthcare needs, hospital CIOs are battling the rise of new security challenges that connected healthcare brings.


“Dealing with security of data, and the equipment that we have at the hospital, is an ongoing concern,” says David Higginson, Chief Information Officer (CIO), Phoenix Children’s Hospital. “There’s many nights I am up worrying about it, and there isn’t a year that goes by where there isn’t a new threat that comes along.”

The value of healthcare data


The proliferation of connected devices in healthcare has enabled new and innovative ways to deliver healthcare: mobile-enabled health devices can track a patient around the hospital or monitor them at home; a connected device can also be implanted under the skin, or in the heart.


Hospitals are a prime target for cybercriminals as personal health information can be worth hundreds or thousands of dollars on the black market [1]. In the space of a few years, healthcare has become the world’s most cyber-attacked industry, with data breaches occurring on an almost daily basis [2].


Threats vary in sophistication too. At the most destructive end of the spectrum, a cyberattack can bring down whole systems, compromising patient records and crippling a hospital’s operations. The 2017 ransomware strain known as WannaCry spread around the world in a matter of hours and led to more than $4 billion in damage [3].


Clinicians were forced to use pencil and paper to record clinical data, attempt medical care without access to patient records, and use their personal mobile phones and tablets. In some cases, hospitals had to turn patients away.


Medical devices: the new frontier


Protecting electronic information is a central role of the CIO, and as quickly as each new security threat emerges, their task is to evaluate and assess the risk it presents to their organization to avoid patient information being compromised.


The ongoing expansion of health systems is, in and of itself, a big security challenge. As disparate medical technology devices and systems become more integrated and interconnected, and medical data is increasingly exchanged between them, security threats grow. A new security frontier is connected medical devices, such as a cardiac defibrillator or an insulin pump.


Hospitals and similar healthcare organizations have more medical devices [4] with more automation, and increasing amounts of healthcare data are collected, analyzed and stored in these devices.


“What really is the most concerning part to me is medical devices or medical equipment. We’ve been very focused in the past on our networks and our servers and our desktop computers. What people haven’t been as focused on is those pieces of medical equipment that have some kind of computing device or some kind of network connectivity in them,” says Mr. Higginson.

Stress-testing systems and devices


The need for more co-ordination between providers and manufacturers to deal with security concerns is a central plank of the response to new threats, particularly around medical device cyber security.


Organizations such as HIMSS convene security working groups that highlight best practices, responses and responsibilities, and the legal and regulatory framework in which issues must be addressed.


At Phoenix Children’s, regular security checks and simulated cyber-attacks are performed on medical equipment to test the robustness of systems and devices, to find where weaknesses might exist in their network.


“We have to keep one step ahead,” says Vinay Vaidya, Chief Medical Informatics Officer at Phoenix Children’s. “We have drills, we have exercises, we have phishing attacks that we launch internally to see and check for vulnerabilities in our system, and we want to keep one step ahead of the criminals, to safeguard the health of our children.”


It is critical for IT leaders to constantly assess their exposure. The US Food and Drug Administration’s (FDA) rules for cybersecurity are aimed at aiding manufacturers of medical devices in managing cybersecurity risks and call for manufacturers to create built-in security for all of their devices at all levels [5].


Hospitals need assurance regarding the security and privacy protection of medical devices. As such, technology partners must be committed to rigorous and comprehensive security plans that assure patient data is safe and connected devices are cyber resilient.


[1] Forbes, ‘Your Electronic Medical Records Could Be Worth $100 to Hackers’

[2] HIPAA, Breach News

[3] Reuters, ‘More Disruptions feared from Cyber Attack’

[4] Deloitte

[5] Norton, ‘The Risks of Connected Healthcare Devices’
