HEALTHCARE CYBERSECURITY
WHAT WANNACRY TAUGHT US
ABOUT THE IMPORTANCE OF
HEALTHCARE IT SECURITY
With the rise in threats and the increased exposure healthcare facilities face, cybersecurity investments need to be mandated and enforced
By Karin Ratchinsky
WHEN HEALTHCARE LEADERS THINK ABOUT A SECURITY BREACH, HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT COMPLIANCE VIOLATIONS TYPI- CALLY COME TO MIND. HOWEVER, THANKS TO THE RAM- PANT DIGITIZATION OF CARE-CRITICAL TOOLS AND APPLICATIONS, A CYBERATTACK ON A HEALTHCARE ORGANIZATION’S COMMUNICATIONS INFRASTRUCTURE OR COMPUTER SYSTEMS CAN NOW JEOPARDIZE MUCH MORE THAN PATIENT DATA.
The recent WannaCry ransomware attacks compromised an estimat- ed 200,000 systems across 150 countries, including the United King- dom’s National Health Service system. This breach came uncomfortably close to a life-or-death situation when 16 hospitals were unable to access patient data and diverted ambulances to other facilities.
The scariest thing about the WannaCry attack, from a healthcare policy perspective, is that the NHS was not specifically targeted. Doz- ens of hospitals across England were brought down simply because their IT systems were vulnerable to malware, which placed the lives of their patients on the line.
More than 6 billion devices (including wearable sensors and personal health monitors) were connected to the Internet of Things by the end of 2016. IT research company Gartner, Inc. expects that number will sur- pass 20 billion by the year 2020. While protecting confidential patient information remains important, the focus of healthcare IT security pol- icy is going to have to shift more toward protecting and ensuring the performance of digitized mission- or care-critical applications.
A GROWING CONNECTION BETWEEN
HEALTHCARE DEVICES
The potential of internet-connected medical devices combined with the power of artificial intelligence in healthcare is exciting. Some devices already allow pharmacists to research patients’ allergies or other medications before dispensing pharmaceuticals. Others allow nurses to better monitor patients in ICU environments and speed response time when digital monitors indicate vital signs are deteriorat- ing. This is the tip of the iceberg that digitization and artificial intelli- gence bring to medical innovation.
Although the IoT and AI are still relatively new in healthcare, their capabilities have already helped systems scale and provide better care. Other exciting developments include mobilizing care to patients’ homes and alerting patients of impending seizures, low blood sugar levels, heart arrhythmias, and more.
Care delivery organizations are becoming more dependent on digi- tal information, tools, and applications. Because of this dependence, it has become exponentially more important for IT security to protect the performance and continuity of these tools.
Zephyr_p/Shutterstock.com
A SPECIAL SECTION TO SECURITY TODAY AND THE JOURNAL
NOVEMBER 2017 | WWW.CAMPUSLIFESECURITY.COM CS33
CAN HEALTHCARE POLICY PROTECT US?
Last year, 114,000 diabetic patients were notified that their insulin pumps were vulnerable to being hacked. Attackers could breach the devices, disabling them or altering the dosage, which forced the prod- uct’s manufacturer, Johnson & Johnson, to issue a notification, along with ways for patients to mitigate the risks.
Kevin Fu, director of the University of Michigan’s Archimedes Cen- ter for Medical Device Security, pointed out that the manufacturers “did not anticipate the cybersecurity risks” when they first designed the product. Even if they had, the product was designed nearly 10 years ago, and hackers’ capabilities have advanced significantly since then.
The truth is that any internet-connected electronic device could eventually be broken into, and there is no 100 percent guaranteed way to secure it. However, policies can be implemented at organizational, state, and federal levels to help ensure that healthcare organizations are able to proactively take necessary security measures.
Government lawmakers can facilitate this change by devising appro- priate standardized protocols that will greatly reduce the risks of patients’ care falling victim to another ransomware attack. Here are three areas where policymakers should focus their efforts in this regard.
UPDATE AND IMPROVE SECURITY POLICIES.
It is evident that healthcare security policy needs to encompass rules and
CAMPUS SECURITY & LIFE SAFETY