What Wannacry Taught Us About The Importance Of Healthcare IT Security

With the rise in threats and the increased exposure healthcare facilities face, cybersecurity investments need to be mandated and enforced

When healthcare leaders think about a security breach, Health Insurance Portability and Accountability Act compliance violations typically come to mind. However, thanks to the rampant digitization of care-critical tools and applications, a cyberattack on a healthcare organization’s communications infrastructure or computer systems can now jeopardize much more than patient data.

The recent WannaCry ransomware attacks compromised an estimated 200,000 systems across 150 countries, including the United Kingdom’s National Health Service system. This breach came uncomfortably close to a life-or-death situation when 16 hospitals were unable to access patient data and diverted ambulances to other facilities. The scariest thing about the WannaCry attack, from a healthcare policy perspective, is that the NHS was not specifically targeted. Dozens of hospitals across England were brought down simply because their IT systems were vulnerable to malware, which placed the lives of their patients on the line.

More than 6 billion devices (including wearable sensors and personal health monitors) were connected to the Internet of Things by the end of 2016. IT research company Gartner, Inc. expects that number will surpass 20 billion by the year 2020. While protecting confidential patient information remains important, the focus of healthcare IT security policy is going to have to shift more toward protecting and ensuring the performance of digitized mission- or care-critical applications.

A GROWING CONNECTION BETWEEN HEALTHCARE DEVICES

The potential of internet-connected medical devices combined with the power of artificial intelligence in healthcare is exciting. Some devices already allow pharmacists to research patients’ allergies or other medications before dispensing pharmaceuticals. Others allow nurses to better monitor patients in ICU environments and speed response time when digital monitors indicate vital signs are deteriorating. This is the tip of the iceberg that digitization and artificial intelligence bring to medical innovation.

Although the IoT and AI are still relatively new in healthcare, their capabilities have already helped systems scale and provide better care. Other exciting developments include mobilizing care to patients’ homes and alerting patients of impending seizures, low blood sugar levels, heart arrhythmias, and more.

Care delivery organizations are becoming more dependent on digital information, tools, and applications. Because of this dependence, it has become exponentially more important for IT security to protect the performance and continuity of these tools.

CAN HEALTHCARE POLICY PROTECT US?

Last year, 114,000 diabetic patients were notified that their insulin pumps were vulnerable to being hacked. Attackers could breach the devices, disabling them or altering the dosage, which forced the product’s manufacturer, Johnson & Johnson, to issue a notification, along with ways for patients to mitigate the risks.

Kevin Fu, director of the University of Michigan’s Archimedes Center for Medical Device Security, pointed out that the manufacturers “did not anticipate the cybersecurity risks” when they first designed the product. Even if they had, the product was designed nearly 10 years ago, and hackers’ capabilities have advanced significantly since then.

The truth is that any internet-connected electronic device could eventually be broken into, and there is no 100 percent guaranteed way to secure it. However, policies can be implemented at organizational, state, and federal levels to help ensure that healthcare organizations are able to proactively take necessary security measures.

Government lawmakers can facilitate this change by devising appropriate standardized protocols that will greatly reduce the risks of patients’ care falling victim to another ransomware attack. Here are three areas where policymakers should focus their efforts in this regard.

UPDATE AND IMPROVE SECURITY POLICIES.

It is evident that healthcare security policy needs to encompass rules and best practices that go above and beyond protecting the privacy of confidential patient data. Protection of protected health information, per HIPAA mandates, remains important, but instating rules and policies that ensure organizations invest in tools and best practices that maintain the continuity of care-critical tools and applications is long overdue.

The impact WannaCry had on 16 U.K. hospitals is a wake-up call and highlights the ubiquity of cyber threats and their impact on delivering care. These threats are real and constantly evolving. Lives depend on organizations taking a deeper look at how they can ensure care continuity with comprehensive security policies and procedures.

We can look to the financial services industry as an example of a field that has strict data privacy requirements in place, especially the requirement of a response plan. The Federal Deposit Insurance Corporation, for example, requires secure logins with government-issued IDs to access its computers, as well as a third-party end-to-end assessment of security and privacy protocols.

Cyber threats are constantly evolving and becoming more sophisticated, so having an institutionalized response plan is critical in the event that a breach the organization has not proactively prepared for takes its systems down.

SCRUTINIZE DEVICE SECURITY AT THE FDA LEVEL.

To deter cyberterrorism, the U.S. Food and Drug Administration needs to hire highly skilled security personnel and instate strict rules and regulations on devices to ensure that security protocols are in place. Just as the FDA requires drug trials before approving prescription and over-the-counter medications for use, it should also take measures to confirm that devices released to the market are secure and that manufacturers have invested in certain best practices and upgrades. This type of policy is needed to prevent breaches such as the Johnson & Johnson insulin monitor hack from occurring in the future and ensure the continued safety of patients relying on care-critical devices and connected applications.

Fortunately, legislators at the federal level have taken note and are now taking action. In July, a bipartisan group of senators announced plans to introduce a bill that would help shore up defenses against vulnerabilities posed by IoT devices. This legislation would require vendors to ensure that all connected equipment they provide to the government conforms to new security standards with patchable products.

The bill includes new policies that aim to address the market’s failure to incentivize manufacturers to focus on stronger security features in new product designs. It will provide ongoing recommendations to improve the security of federal networks.

INCENTIVIZE COMPLIANCE.

Compliance requirements and financial incentives are necessary for healthcare systems to adopt and implement adequate security parameters. Otherwise, budget-constrained healthcare providers will often choose to invest in a revenue-generating, care-providing system, like an MRI machine, rather than a seemingly preparatory IT security initiative.

Incentives can combat this behavior by appealing to the natural human (and business) urge to prioritize investments offering tangible returns. Facilities that have never experienced the effects of a breach will find it even more difficult to invest in security without proper incentives.

Currently, there is too much focus on the compliance side of the house. Healthcare organizations need to consider care continuity for digital tools as well as the need for IT security systems to disclose certain breach types—not just whether data has been compromised, but whether systems have been.

With the rise in threats and the increased exposure healthcare facilities face, these types of investments need to be mandated and enforced. If they’re not, healthcare organizations and hospital systems that are reluctant to allocate budget toward bolstering and upgrading their defenses will find themselves in the same predicament in which the WannaCry attack placed the NHS earlier this year.

This article originally appeared in the November 2017 issue of Campus Security & Life Safety.
