As new variants emerge, COVID-19 continues to have healthcare providers’ top focus. Knowing this, criminals are using the pandemic as cover to inundate hospitals, health systems and other providers with surge after surge of cyberattacks. In August 2021 alone, there were 26 suspected cyberattacks under investigation by the U.S. Department of Health and Human Services Office for Civil Rights.
For example, in August, a health system in Ohio with three hospitals was forced to revert to paper records and cancel radiology studies and urgent surgical care due to a cyberattack. Earlier in the month, an attempted ransomware attack on a health system in Indiana forced that provider to divert ambulances to other hospitals while also shutting down its electronic health record (EHR) and email systems. Fortunately, in the latter attack, no protected health information (PHI) appears to have been compromised.
This recent cybercrime spree prompted the Healthcare and Public Health Sector Coordinating Council, a coalition of hundreds of hospitals and other healthcare groups, to issue a letter to President Biden requesting more federal assistance in protecting healthcare organizations under siege from attackers.
“The healthcare industry faces relentless cybersecurity threats that have grown in magnitude and complexity year after year,” the letter states. “These threats to the technology that is integral to patient care have worsened over the course of the pandemic, especially in the proliferation of ransomware attacks.”
Network Expansion Poses New Threats
Healthcare organizations eager to safeguard PHI are seeking new methods to prevent unauthorized access to their networks, including extensive training for clinicians and other staff to avoid and report suspicious emails and to always protect network security credentials and other login information.
Hospital networks, however, are large and ever-expanding. Networks connect EHR systems to a wide variety of devices, including smartphones and tablets, used by clinical staff as well as monitoring and patient care equipment used at the bedside. These medical devices may have unsecured connections with the hospital network, which could enable a cybercriminal to gain access through the device, steal data or even gain control of the equipment. In 2019, for example, IBM discovered a vulnerability in software used across several industries to wirelessly connect devices over the Internet. This “Internet of Things” software flaw could conceivably enable a cybercriminal to gain control of, for example, an infusion pump, resulting in the over- or under-administration of insulin and endangering the patient’s health. One major manufacturer alerted customers to such a vulnerability that same year. Unauthorized control of monitoring or therapy-delivering medical devices can have dire consequences, especially when those who take control have malicious intentions.
Secure network connections to hospital monitoring devices are not required by Health Insurance Portability and Accountability Act (HIPAA) privacy regulation, although covered entities under the law are required to safeguard PHI from unauthorized access. Such regulation, however, may be approaching. The Singapore government in 2019, for example, enacted sweeping changes around employee training, but also network security infrastructure, after a highly coordinated cyberattack compromised 1.5 million patient records, including that of Singapore’s prime minister. Whether similar action will occur in the U.S. is unknown, but the Food and Drug Administration has already taken stronger security steps regarding medical devices, including hiring an acting director of Medical Device Cybersecurity at its Center for Devices and Radiological Health to help carry out some of the recommendations described in the agency’s Medical Device Safety Action Plan.
The first step to ensuring that patient data and medical devices are protected is to perform an audit of equipment capable of collecting, storing or transmitting PHI. Once identified, the hospital should determine if devices are accessible from an internal network or the Internet. If they are accessible, the simplest course of action should be to disconnect from the network those devices where data does not need to be collected. If a network connection is required, how are the devices protected from cyberattack? Some medical devices may still be running on operating systems with old security protocols that are easy for cybercriminals to breach (or bypass).
Replacing unsecured (or vulnerable) devices may be required in certain instances. In other cases, simply reconfiguring hospital networks so the devices are connected through secure clinical computing hubs, such as Capsule’s Neuron, instead of directly to the main network can safely extend the longevity of trusted bedside tools. Not all clinical computing hubs, however, can connect to a wide range of medical devices. Some hubs, for example, lack appropriate device driver interfaces (DDI), which enable the device to communicate and share data with the hub and then to downstream systems.
Our Medical Device Information Platform (MDIP) on the other hand, supports more than 1,000 DDIs to interface with a variety of medical devices and access their data, which, in turn, enables providers to securely connect more devices and systems. MDIP powers the Capsule Neuron 3, a fully encrypted clinical computing hub that securely captures medical device data, either wired or wirelessly, and helps turn complex data into actionable insights, while keeping the information secure.
With each new device added, the attack surface for cybercriminals continues to grow. Network infiltration through email continues to be the main point of entry, but medical devices could become a new target if left unguarded. Taking precautionary steps now by ensuring a secure data connection between devices and various downstream systems can help thwart attacks for years to come.
This article was originally published on the Capsule Technologies blog and is republished here with permission.