Managing the Internet of Healthcare
Electronic Medical Devices (EMD) are the computerized instruments and apparatuses that come into direct contact with patients and are used to diagnose and/or treat them. The proliferation of these devices across the entire healthcare industry has provided extra convenience for organizations and patients alike. New applications have facilitated the collection, sharing and analysis of patient data, with the goal of more coherent, comprehensive care. In 2015, the United States medical device market was valued above $140 billion, which accounted for nearly 45% of the global market.
The value these connected devices bring to managing our healthcare is in many cases priceless. The caveat, however, is that the attack surface for cyber thieves has never been wider, which calls for organizations across the healthcare ecosystem to take a closer look at how they deploy and manage these devices to ensure they are mitigating the risk of a breach. Like the healthcare industry overall, which has lagged behind when it comes to data security, medical device manufacturers have not made security a top priority.
Code Blue: You’ve been hacked
Hackers are taking advantage of security holes on devices at an alarming rate, causing concern on multiple levels. Patients need to be protected from an attack on their device that could put their life in jeopardy, and medical devices connect to a wide array of sensors and monitors, making them vulnerable points of entry to hospital networks. The latter could lead to massive ransomware attacks and theft of personal health information. Unlike servers, which are usually physically protected behind doors or even cages, medical devices are usually right out there in the open.
To better understand the potential for exposure, consider research from Internet of Things security firm Zingbox: U.S. hospitals currently average 10 to 15 connected devices per bed, with a typical large hospital having more than 5,000 beds. The report goes on to state that for the past three years the healthcare sector has been hacked even more than the financial sector, with more and more hacking incidents targeting medical devices.
Defending Your Devices
Considering how integrated these devices are with the overarching health infrastructure, as well as the vast caches of data they store, it is hardly surprising that their benefits are accompanied by significant security risks. The cart the nurse or PA rolls up to you to measure your vital signs is itself an access point for malicious agents. Security thus becomes of the utmost importance to everyone involved: from the providers to the device manufacturers, from regulators to the patients themselves.
When there is a data breach, medical information inevitably shows up on the black markets of the dark web. Consider this:
- In 2016, healthcare data was among the most highly valued stolen data, with medical records going for about $50 each.
- Approximately 112 million medical records were compromised in 2015 alone, the health information of almost half of all Americans.
- For the breached providers, the consequences can be severe, whether they be legal or reputational.
The Food and Drug Administration, which allows medical devices to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks, began developing a more detailed process for evaluating device cybersecurity as a criterion for product approval in 2013. It has based its guidance in large part on the National Institute of Standards and Technology’s 2014 Framework for Improving Critical Infrastructure Cybersecurity. The FDA’s recommendations for mitigating and managing cybersecurity threats include:
- Medical device manufacturers and health care facilities should take steps to ensure appropriate safeguards.
- Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity.
- They are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.
- Hospitals and health care facilities should evaluate their network security and protect their hospital systems.
NetLib Security: Your Preferred Provider for Medical Device Encryption and Security
For more than twenty years, NetLib Security has been a leader and pioneer in data security. We recognize the importance of managing and defending your personal health information (PHI) and electronic health records (EHR) in order to maintain business stability, reputation and compliance.
Our patented, high-performance data security platform, Encryptionizer, is easy to use and deploy, and transparently encrypts your data across physical, virtual and cloud environments while maintaining business stability with virtually no impact on performance. It supports the AS provisions of HIPAA Omnibus by encrypting PHI and EHR. Encryptionizer has become an increasingly integral component for companies executing HIPAA Omnibus and HITECH compliance strategies.
At NetLib Security, we understand cybersecurity threats cannot be completely eliminated; however, working with hospitals, providers, healthcare organizations, and device manufacturers, we provide you with the tools to protect, manage and defend against them.