What Wannacry Taught Us About The Importance Of Healthcare IT Security
With the rise in threats and the increased exposure healthcare facilities face, cybersecurity investments need to be mandated and enforced
- By Karin Ratchinsky
- November 01, 2017
WHEN HEALTHCARE LEADERS THINK ABOUT A SECURITY
BREACH, HEALTH INSURANCE PORTABILITY AND
ACCOUNTABILITY ACT COMPLIANCE VIOLATIONS TYPICALLY
COME TO MIND. HOWEVER, THANKS TO THE RAMPANT
DIGITIZATION OF CARE-CRITICAL TOOLS AND
APPLICATIONS, A CYBERATTACK ON A HEALTHCARE
ORGANIZATION’S COMMUNICATIONS INFRASTRUCTURE
OR COMPUTER SYSTEMS CAN NOW JEOPARDIZE MUCH
MORE THAN PATIENT DATA.
The recent WannaCry ransomware attacks compromised an estimated
200,000 systems across 150 countries, including the United Kingdom’s
National Health Service system. This breach came uncomfortably
close to a life-or-death situation when 16 hospitals were unable to access
patient data and diverted ambulances to other facilities.
The scariest thing about the WannaCry attack, from a healthcare
policy perspective, is that the NHS was not specifically targeted. Dozens
of hospitals across England were brought down simply because
their IT systems were vulnerable to malware, which placed the lives of
their patients on the line.
More than 6 billion devices (including wearable sensors and personal
health monitors) were connected to the Internet of Things by the end of
2016. IT research company Gartner, Inc. expects that number will surpass
20 billion by the year 2020. While protecting confidential patient
information remains important, the focus of healthcare IT security policy
is going to have to shift more toward protecting and ensuring the
performance of digitized mission- or care-critical applications.
A GROWING CONNECTION BETWEEN
The potential of internet-connected medical devices combined with
the power of artificial intelligence in healthcare is exciting. Some
devices already allow pharmacists to research patients’ allergies or
other medications before dispensing pharmaceuticals. Others allow
nurses to better monitor patients in ICU environments and speed
response time when digital monitors indicate vital signs are deteriorating.
This is the tip of the iceberg that digitization and artificial intelligence
bring to medical innovation.
Although the IoT and AI are still relatively new in healthcare, their
capabilities have already helped systems scale and provide better care.
Other exciting developments include mobilizing care to patients’
homes and alerting patients of impending seizures, low blood sugar
levels, heart arrhythmias, and more.
Care delivery organizations are becoming more dependent on digital
information, tools, and applications. Because of this dependence, it
has become exponentially more important for IT security to protect
the performance and continuity of these tools.
CAN HEALTHCARE POLICY PROTECT US?
Last year, 114,000 diabetic patients were notified that their insulin
pumps were vulnerable to being hacked. Attackers could breach the
devices, disabling them or altering the dosage, which forced the product’s
manufacturer, Johnson & Johnson, to issue a notification, along
with ways for patients to mitigate the risks.
Kevin Fu, director of the University of Michigan’s Archimedes Center
for Medical Device Security, pointed out that the manufacturers
“did not anticipate the cybersecurity risks” when they first designed
the product. Even if they had, the product was designed nearly 10 years
ago, and hackers’ capabilities have advanced significantly since then.
The truth is that any internet-connected electronic device could
eventually be broken into, and there is no 100 percent guaranteed way
to secure it. However, policies can be implemented at organizational,
state, and federal levels to help ensure that healthcare organizations are
able to proactively take necessary security measures.
Government lawmakers can facilitate this change by devising appropriate
standardized protocols that will greatly reduce the risks of patients’
care falling victim to another ransomware attack. Here are three areas
where policymakers should focus their efforts in this regard.
UPDATE AND IMPROVE SECURITY POLICIES.
It is evident that healthcare security policy needs to encompass rules and best practices that go above and beyond protecting the privacy of confidential
patient data. Protection of protected health information, per
HIPAA mandates, remains important, but instating rules and policies
that ensure organizations invest in tools and best practices that maintain
the continuity of care-critical tools and applications is long overdue.
The impact WannaCry had on 16 U.K. hospitals is a wake-up call
and highlights the ubiquity of cyber threats and their impact on delivering
care. These threats are real and constantly evolving. Lives depend
on organizations taking a deeper look at how they can ensure care
continuity with comprehensive security policies and procedures.
We can look to the financial services industry as an example of a
field that has strict data privacy requirements in place, especially the
requirement of a response plan. The Federal Deposit Insurance Corporation,
for example, requires secure logins with government-issued
IDs to access its computers, as well as a third-party end-to-end assessment
of security and privacy protocols.
Cyber threats are constantly evolving and becoming more sophisticated,
so having an institutionalized response plan is critical in the
event that a breach that they are not proactively prepared for takes
SCRUTINIZE DEVICE SECURITY AT THE FDA LEVEL.
To deter cyberterrorism, the U.S. Food and Drug Administration needs
to hire highly skilled security personnel and instate strict rules and regulations
on devices to ensure that security protocols are in place.
Just as the FDA requires drug trials before approving prescription
and over-the-counter medications for use, it should also take measures
to confirm that devices released to the market are secure and that manufacturers
have invested in certain best practices and upgrades. This
type of policy is needed to prevent breaches such as the Johnson &
Johnson insulin monitor hack from occurring in the future and ensure
the continued safety of patients relying on care-critical devices and
Fortunately, legislators at the federal level have taken note and are
now taking action. In July, a bipartisan group of senators announced
plans to introduce a bill that would help shore up defenses against vulnerabilities
posed by IoT devices. This legislation would require vendors
to ensure that all connected equipment they provide to the government
conforms to new security standards with patchable products.
The bill includes new policies that aim to address the market’s failure
to incentivize manufacturers to focus on stronger security features
in new product designs. It will provide ongoing recommendations to
improve the security of federal networks.
Compliance requirements and financial incentives are necessary for
healthcare systems to adopt and implement adequate security parameters.
Otherwise, budget-constrained healthcare providers will often
choose to invest in a revenue-generating, care-providing system, like an
MRI machine, rather than a seemingly preparatory IT security initiative.
Incentives can combat this behavior by appealing to the natural
human (and business) urge to prioritize investments offering tangible
returns. Facilities that have never experienced the effects of a breach
will find it even more difficult to invest in security without proper
Currently, there is too much focus on the compliance side of the
house. Healthcare organizations need to consider care continuity for
digital tools as well as the need for IT security systems to disclose certain
breach types—not just whether data has been compromised, but
whether systems have been.
With the rise in threats and the increased exposure healthcare facilities
face, these types of investments need to be mandated and
enforced. If they’re not, healthcare organizations and hospital systems
that are reluctant to allocate budget toward bolstering and upgrading
their defenses will find themselves in the same
predicament in which the WannaCry attack
placed the NHS earlier this year.
This article originally appeared in the November 2017 issue of CSLS.