Now is the Time to Secure Medical Devices and Strengthen BYOD Protocols

October is Cybersecurity Awareness Month, follow the conversation and do your part #BeCyberSmart.

Follow us this month as we engage our health IT community in cybersecurity awareness as we are all trying to meet the new challenges of working from home and through the pandemic.

This is week 3 and the theme is Securing Internet-Connected Devices in Healthcare. We have engaged EHNAC to share insights on this week’s theme.

By Lee Barrett, Executive Director and CEO, EHNAC
Twitter: @EHNAC

The COVID-19 pandemic has changed the healthcare industry as we know it – from the physical way care is administered to the adoption of emerging technologies used to triage and monitor those infected. While provider organizations and those on the front lines have put great focus on responding to this global health crisis, many have unintentionally taken their “eye off the ball” when it comes to cybersecurity and risk mitigation infrastructures and we understand why. As a result, cybercriminals have been ramping up their sinister efforts at finding new points of penetration to get their hands on patient data – most notably, when it comes to attacks aimed at ransomware and medical device and “bring your own device” or BYOD protocols.

The Internet of Things (IoT) has undoubtedly helped healthcare organizations deliver high-quality, more patient-centric and affordable care. However, by introducing these various internet-connected devices into a healthcare environment, hospitals and other provider organizations have exponentially increased the level of connection points, which in turn raises the level of exposure (threat vectors) and heightens risk of compromise or breach.

Cybercriminals can strike when hospital employees, through their cell phones or tablets, connect into an EMR system, informatics or data exchange, unintentionally or intentionally infecting the hospital’s enterprise infrastructure with malware. Earlier this year, Interpol issued a warning that alerted the industry as to how cybercriminals were using ransomware – a type of malware – to target healthcare organizations already overwhelmed by COVID-19. Think of the impact a cybercriminal could have if they were to control medical devices. In 2017, we learned of a security risk in a Boston Scientific medical device that communicates with implanted pacemakers and defibrillators. Late last year, Medtronic warned patients about a potential hacking risk to their insulin pumps. Johnson & Johnson’s insulin pumps were the target of a similar attack a few years earlier.

These are real instances of medical devices being compromised by the ever-evolving cybercriminal. Our industry needs to make protecting these devices and the patients they serve a priority in 2018. The Federal Drug Administration (FDA) has recently developed some medical device guidelines which are a start, but we still have a significant delta to continue to develop further policies, procedures, controls and industry best practices and guidance.

The bigger issue at play is the interoperability between the Internet of Things(IoT)/medical devices and EHR vendors in this still evolving COVID-19 environment. ONC’s 21st Century Cures Act and TEFCA, now set to be implemented in 2021, aim to increase connectivity and interoperability. However, they should expect to do so with COVID-19 still impacting our industry. A recently released report revealed major security issues related to several social media platforms, including Facebook and YouTube apps, running on MRI and CT machines, to medical devices operating on legacy platforms which had been recalled by the FDA. This is why healthcare organizations must continue with a high level of rigor as more medical devices are added and mobile applications are built by third-party developers. In fact, more than 1M healthcare apps are developed worldwide on an annual basis. Unfortunately, only a small percentage of those new applications go through a security type review before being launched to the consumer or other stakeholder. As a result, organizations should not let up on the rigor of third-party entities and evaluate and review them holistically and ensure that all of the touch points and risk vectors have the same level of stress testing and review that they did pre COVID-19.

Today’s cybercriminal has evolved into a dangerous entity, capable of bringing an organization’s enterprise and business operation to a halt, compounded by long-term financial and credibility/reputational hardships. At a bare minimum, hospitals and health systems should have sufficient rigor and meet industry standards for adhering to HIPAA requirements, mitigating cybersecurity risks, and assuring that all portal and exchange connection points are secured – this includes taking a hard look at medical devices and BYOD protocols within their security frameworks as they present a whole set of data security challenges in this COVID-19 world. The failure to do so can bring devastating consequences.