
Deloitte report: Device makers and hospitals have a lot of holes to patch in the data network


Remember when you first heard about phishing? And you had to evaluate every e-mail and wonder who it was really from? A list of medical device security risks in a new report from the Deloitte Center for Health Solutions reads like the list of risks that Web sites and network managers faced in the mid-2000s. Now that hospitals and the medical devices in them are becoming more interconnected, the risk of security breaches is rising too.

Today the Deloitte Center for Health Solutions released a report on medical device security. “Networked medical device cybersecurity and patient safety: Perspectives of health care information cybersecurity executives” is based on in-person interviews with nine executives representing academic medical centers, regional not-for-profit health and hospital systems, Catholic hospital systems, and for-profit hospital systems, conducted between May and December 2012. The interviews focused on identifying the extent of vulnerable networked medical devices, current and future risks to patient safety, and the group(s) responsible for health care organizations’ security/risk management policies and procedures. The report includes the latest FDA guidance and an analysis of the biggest risks to providers and patients.

Report authors Russell L. Jones, CISSP, CIPP/G and Sheryl Coughlin, PhD, MHA shared these actual incidents that they found while conducting the interviews:

  • An entire monitoring system being taken offline for several hours because it was infected with the Conficker virus
  • A wireless IV pump being affected by “wireless chatter,” ultimately impacting the dosage rate for the pump
  • A medication management automated dispensing system becoming infected with malware and being taken offline for several hours

The report also included a scary list of “intentional threats” as outlined by the latest FDA guidance about premarket submissions for management of cybersecurity in medical devices (June 2013):

  • Malware and viruses infecting medical devices
  • Organized crime attacking a VIP patient’s personal medical device
  • Hackers/nation states launching Distributed Denial of Service (DDoS) attacks against a hospital network
  • Organized crime conducting exfiltration attacks against hospital medical devices for ePHI
  • Hackers testing their skills against a hospital’s vulnerable network (including networked medical devices)
  • Disgruntled employees uploading Trojan horse code to networked medical devices

The report has a long list of potential security problems, including these security and privacy vulnerabilities:

  • Misconfigured networks or poor security practices
  • Failure to install timely manufacturer security software updates and patches to medical devices and concerns about causing service disruptions to functional devices
  • Improper disposal of patient data or information, including test results or health records
  • Uncontrolled distribution of passwords, such as employee carelessness in leaving a password unattended in public, disabled passwords, or hard-coded passwords for software intended for privileged medical device access (e.g., to administrative, technical, and maintenance personnel)
  • Manipulation, theft, destruction, unauthorized disclosure, or lack of patient data availability to providers
  • Spyware and malware
  • Unauthorized device setting changes, reprogramming, or infection via malware
  • Denial-of-service attacks
  • Targeting mobile health devices using wireless technology to access patient data, monitoring systems, and implanted medical devices

To start to address these issues, the authors recommend assessing governance, risk identification, and risk management relative to an organization’s current and desired state, then mapping a pathway forward.

Veronica Combs

Veronica is an independent journalist and communications strategist. For more than 10 years, she has covered health and healthcare with a focus on innovation and patient engagement. Most recently she managed strategic partnerships and communications for AIR Louisville, a digital health project focused on asthma. The team recruited 7 employer partners, enrolled 1,100 participants and collected more than 250,000 data points about rescue inhaler use. Veronica has worked for startups for almost 20 years doing everything from launching blogs, newsletters and patient communities to recruiting speakers, moderating panel conversations and developing new products. You can reach her on Twitter @vmcombs.
