Connected medical devices are transforming how patient care organizations deliver care and monitor patient health, with the potential to improve care and lower costs. However, networked medical devices, if compromised, can pose significant risks both to data security and, potentially, to patient safety if a device’s normal operation is disrupted.
As clinical medical devices, such as cardiac devices or wireless glucose monitors, become increasingly interconnected via the Internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, many security experts warn. Additionally, the explosive proliferation of the Internet of Things (IoT), in conjunction with the lack of security on these devices, poses a serious risk.
“IoT devices, for the most part, are fairly new. You’re seeing a lot of things in the commercial world or in the public space, where things are just coming to the market very, very fast, and a lot of these organizations that are building these devices are trying to be first to the market. When that happens, usually what we see is those organizations tend not to think too much about security, it slows the process down,” says John Petersen, senior manager with The Chartis Group, a Chicago-based consulting firm. For instance, many IoT products, such as fitness wearables, and even some clinical medical devices, were developed without the capability to change default passwords. “That’s a huge risk to any organization, as that’s a starting point for really any type of breach into the network, a device that has a password that’s easily accessible,” says the Albany, N.Y.-based Petersen, who leads cybersecurity capabilities in the informatics and technology practice at The Chartis Group.
There have been a number of events just in the past year that should be wake-up calls to the industry about the security vulnerabilities of connected devices and the role of IoT in cyberattacks. Back in October, there was a massive distributed denial-of-service (DDoS) attack on Internet-infrastructure provider Dyn. According to security experts, a botnet made up of 100,000 compromised gadgets knocked Dyn partially offline, ultimately causing a long list of high-profile websites to temporarily disappear from the Internet. Meanwhile, within healthcare specifically, the U.S. Food and Drug Administration (FDA) issued a safety communication in January that identified cybersecurity vulnerabilities in St. Jude Medical’s implantable cardiac devices and home transmitters. The vulnerabilities, if exploited, could allow an unauthorized user to remotely access or influence the patient’s radio frequency-enabled implanted cardiac device by altering the transmitter, according to the FDA. In response, St. Jude developed an updated software version for the transmitters.
In November, two panels of the U.S. House of Representatives Energy and Commerce Committee—the subcommittee on commerce, manufacturing and trade and the communications and technology subcommittee—held a hearing to explore issues about the cybersecurity of connected devices. In a statement to House committee members, the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) stated that “tens of thousands of medical devices can be used throughout large healthcare systems, many of which are connected directly to the patient or serving to provide information to inform clinical decision making.”
“The highly interconnected nature of medical devices, combined with the constraints of inconsistent patching cycles, has created an ecosystem ripe with technical vulnerabilities that cannot be managed with standard processes and procedures,” CHIME said in its statement.
At Salt Lake City-based Intermountain Healthcare, a 22-hospital integrated system considered a pioneer in care transformation, there are currently more than 80 projects that involve mobile or connected device technologies, such as telehealth and telemedicine initiatives, according to Karl West, chief information security officer (CISO) at Intermountain. The security of those connected devices is paramount to West and his security team. West says security leaders need to proactively accept the proliferation of connected technologies and work with clinical and operational leaders to integrate these devices safely into the health system.
“These devices are being largely driven by transformation and innovation of care, which are good things. At Intermountain, we are trying to recognize that the care practices and models of the past are not going to be sufficient in this new world. We have to be supportive and we have to enable, as opposed to becoming a barrier,” he says. And, to that end, West says IT security “sits right at the front of those discussions with both our transformation teams as well as the partners and vendors.”
Tackling the Challenges