Incidents of cyber attacks against medical devices are inevitable, and healthcare providers are not prepared for the eventuality. In fact, in general, healthcare organizations are focusing all their efforts on protecting the wrong thing.
Keeping patients safe should dictate providers’ security efforts, but healthcare organizations are more likely to take steps that protect data so they can meet HIPAA requirements, said presenters last week at a security session at the annual meeting of the Society for Imaging Informatics in Medicine.
“Threats to patients and patients’ health are becoming more real,” says James Whitfill, MD, chief medical officer for Innovation Care Partners, a provider organization in Arizona.
The recent WannaCry ransomware attack helped to show the vulnerability of radiology equipment and other devices, Whitfill says. The attack encrypted Bayer MedRad devices at two U.S. healthcare organizations; the devices are power injector systems that monitor contrast agents that improve the quality of imaging scans.
“As providers, we should be concerned with actual patient health, not just protected health information (PHI),” Whitfill says. “We need to be making a shift from not worrying about policies and procedures to when our patients might be targeted by potentially harmful events.”
Research already has shown that insulin pumps and infusion devices could be compromised, and cyber attackers might also be able to exploit systems that influence patient care, such as computerized provider order entry and pharmacy systems. “What happens if someone gets into those systems that destroys inventory, changes records of patients’ allergies?” Whitfill says. “Or with surgical systems, what if an attack damages equipment? There are a lot of potential threats here that could cause harm or death to patients.”
Provider security efforts need to take a fresh look at what attackers are looking to achieve, says Ted Harrington, executive partner for Independent Security Evaluators, a research firm that has taken an intensive look at security practices in healthcare.
“We look at things from the perspective of the adversary,” Harrington says. “A lot of security in healthcare is focused on compliance. WannaCry demonstrated that there are some real security issues in healthcare and other industries as well. Ransomware is not just a data issue – it does inhibit the ability to access data, but it is fundamentally a patient care issue.”
Harrington believes healthcare organizations need to refocus security efforts on protecting patient health, evolving away from a pure focus on protecting data that helps them to comply with HIPAA statutes.
“Protecting patient data alone is insufficient to protect patient health,” he says. “For example, if you could attack something that could influence the way a physician behaves (such as information systems), that could compromise patient health. Some information systems are well protected, but there are so many different ways that someone could work his way through these layers of defense without even touching the things that are well protected.”