Week three of Cybersecurity Awareness Month is themed “Securing Internet-Connected Devices in Healthcare.” (This is our second blog post in a series of three for Cybersecurity Awareness October 2020. Our first post presented “Questions to Ask When Purchasing or Subscribing to IoT Products and Services,” and our third and final post will cover “The Future of Connected Devices.”)
Healthcare technology is changing in major ways. In the past decade, healthcare has accelerated into the digital realm with conversion from paper to electronic health records (EHR). More recently, the Internet of Medical Things (IoMT) has been used to monitor and treat health conditions. In the treatment of cancer, smart technology “helped simplify care for both patients and their care providers by enabling emerging side effects to be identified and addressed quickly and efficiently to ease the burden of treatment.” From digital healthcare apps and monitoring devices used by patients to the healthcare information technology doctors carry on their phones, greater connection may improve access to healthcare and the quality of healthcare itself.
But connectivity and accessibility of health data have brought higher cybersecurity risk into the medical field. The global IoMT market is expected to rise to a $158 billion valuation in 2022, up from $41 billion in 2017, a 285% increase over just five years. Meanwhile, 41.4 million patient records were breached in 2019, and hacking incidents rose 49 percent over the prior year (Protenus Breach Barometer). By comparison, the industry saw 15 million records breached in 2018. In 2019, for the first time ever, there were incidents of hackers attempting to extort money directly from breached patients, not just from the affected healthcare organizations.
The biggest healthcare breaches in 2020 (as detailed in this report) indicate a significant upward trend from 2019, revealing that providers and the medical device industry “still have a great deal of work to do when it comes to securing remote connections, properly disposing documents, and educating users to prevent the frequency of successful phishing attacks – as well as delays in detection and breach notifications.”
The medical device industry, along with healthcare delivery organizations, constitutes part of critical national infrastructure and should be treated as such. Healthcare delivery organizations should demand better security from medical device manufacturers (MDMs). Christopher Gates, a principal security architect in the MDM industry, says this request should include “secure procurement processes and contract language for MDMs that address the cybersecurity of the device itself, secure installation, cybersecurity support for the life of the product …liability for breaches caused by a device not following current best practices, ongoing support for events in the field, and so on.” (See full article here.)
Here are three comprehensive resources to help implement cybersecurity in the healthcare space:
- Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group best practices and recommendations. (The Cybersecurity Working Group of HSCC is a partnership of healthcare organizations, including over 250 medical device and health IT companies. The work of this group has resulted in a resource bank designed specifically for the healthcare sector.)
- US Food and Drug Administration (FDA) Medical Device Safety Action Plan
- Health and Human Services (HHS) outline of security methods to cost-effectively reduce cyber risk within health organizations