October is Cybersecurity Awareness Month: follow the conversation and do your part, #BeCyberSmart.
Follow us this month as we engage our health IT community in cybersecurity awareness while we all try to meet the new challenges of working from home and through the pandemic.
This is week 3 and the theme is Securing Internet-Connected Devices in Healthcare.
We asked our experts: What advice can you give hospitals and care facilities using telemedicine devices on how to reduce their risk of cyber-attacks through these internet-connected devices?
To protect internet-connected telehealth devices, make sure that video streams are encrypted end-to-end. Modern standards for web-based streaming encryption include AES, HTTPS/SSL/TLS, DTLS or SRTP. Secure, hardened data centers should be used to ensure that all core infrastructure is protected and that access to devices and all relevant patient data is restricted. All access to systems and data should be logged, tracked and audited wherever possible. Use randomized virtual session IDs that are unique to every call, eliminating IDs after sessions so they cannot be reused. No recordings or patient details should be retained. Leverage continuous uptime monitoring, monthly security and vulnerability scans and routine privacy and security audits by a trusted third party to maintain a secure network.
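The session-ID practice described above (random, unique per call, eliminated when the call ends so it cannot be reused) as an added example; this is illustrative code, not code from the expert quoted or from any telehealth product. The registry, participant names and the lifetime cap are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Hypothetical call-session registry for a telehealth service (added example).
# IDs come from the secrets module, are bound to one call's participants,
# are deleted when the call ends, and therefore cannot be presented again.

ID_BYTES = 32            # 256 bits of randomness per session ID
MAX_CALL_SECONDS = 3600  # assumed lifetime cap so an abandoned ID also dies


@dataclass
class CallSession:
    patient: str
    clinician: str
    started: float


class SessionRegistry:
    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for testing expiry
        self._active: dict[str, CallSession] = {}

    def create(self, patient: str, clinician: str) -> str:
        """Issue a fresh, unpredictable ID for exactly one call."""
        sid = secrets.token_urlsafe(ID_BYTES)
        self._active[sid] = CallSession(patient, clinician, self._clock())
        return sid

    def join(self, sid: str, who: str) -> bool:
        """Admit a participant only if the ID is live and belongs to them."""
        session = self._active.get(sid)
        if session is None:
            return False                          # unknown or already ended
        if self._clock() - session.started > MAX_CALL_SECONDS:
            self.end(sid)                         # stale ID: retire it
            return False
        return who in (session.patient, session.clinician)

    def end(self, sid: str) -> None:
        """Eliminate the ID; nothing about the call is kept afterwards."""
        self._active.pop(sid, None)

    def live_count(self) -> int:
        return len(self._active)


if __name__ == "__main__":
    reg = SessionRegistry()
    sid = reg.create("patient-a", "dr-b")      # constructed sample participants
    print("patient joins:", reg.join(sid, "patient-a"))
    reg.end(sid)
    print("after end, same ID:", reg.join(sid, "patient-a"))
```

Because a deleted ID is simply absent from the registry, reuse fails closed without keeping any record of past calls, which matches the "no retention" point in the same advice; the 256-bit random IDs make collision with a future call negligible.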
The advent of internet-connected devices has been a tremendous boon for patients and providers, certainly, but has also offered a new vector of attack for criminals. For patients and for providers that makes being informed and aware about cybersecurity practices that much more important. This is especially true in an era in which telehealth has become a primary channel of care for so many patients. One of the major elements of protection that I would recommend is having strong identity authentication in place: multi-factor authentication, in which the user (patient or provider) logs in with standard credentials like username and password, but also has to enter another code that is provided either by a text from the provider or by something like Google Authenticator. Of course, an underrated security control is training and awareness. Providing training for healthcare workers on how to practice good security and privacy hygiene can help to protect both patients and hospitals or care facilities. Even providing some security tips to patients can go a long way to helping them ensure they’re doing their part to protect their health data.
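The second factor mentioned above, a code from an authenticator app, is a time-based one-time password (RFC 6238). As an added example that is not from the expert quoted or from any authenticator vendor, the code below shows the server-side check a telehealth login would perform: a 30-second step, 6 digits, HMAC-SHA1, tolerance of one step of clock drift, and rejection of a code that was already used. The secret is the RFC's own test secret, included only so the output can be checked; a deployment generates a per-user secret with `secrets.token_bytes`.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # what Google Authenticator and similar apps display
WINDOW = 1          # accept one step either side to tolerate clock drift

# RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded.
# Constructed for the example only; never ship a fixed secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** DIGITS)).zfill(DIGITS)


def code_at(secret_b32: str, unix_time: int) -> str:
    """The code an authenticator app would show at a given Unix time."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, unix_time // STEP_SECONDS)


class TotpVerifier:
    """Per-user verifier holding the shared secret and a replay guard."""

    def __init__(self, secret_b32: str, clock=time.time):
        self._secret = base64.b32decode(secret_b32, casefold=True)
        self._clock = clock              # injectable for testing
        self._last_counter = -1          # highest time step already consumed

    def verify(self, code: str) -> bool:
        now_counter = int(self._clock()) // STEP_SECONDS
        for counter in range(now_counter - WINDOW, now_counter + WINDOW + 1):
            if counter <= self._last_counter:
                continue                 # that step was already used to log in
            expected = hotp(self._secret, counter)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    verifier = TotpVerifier(DEMO_SECRET_B32)
    print("current code:", code_at(DEMO_SECRET_B32, now))
    print("accepted once:", verifier.verify(code_at(DEMO_SECRET_B32, now)))
    print("accepted again:", verifier.verify(code_at(DEMO_SECRET_B32, now)))
```

The replay guard is the part most often left out: without `_last_counter`, a code observed over the shoulder or from a phishing page stays valid for the rest of its time step plus the drift window, which is exactly the gap an attacker who already has the password needs.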
Telehealth is more pervasive now than ever before due to the current state of the COVID-19 pandemic. As a result, cybersecurity has become critically important for the millions of Americans using telehealth as a means of effective communication with their providers. Providers using telehealth platforms need to take additional steps to make sure they have a strong security program in place, including creating a culture of security through educational training, monitoring and auditing as well as modern standards-based practices of identity management and encryption. Telehealth users are putting their personal health information in the trust of these platforms – which is why the technology needs to deliver when it comes to meeting stringent privacy and security protocols and procedures.
It is time to reassess all controls, verify they are working as intended, and to reassess their ability to support the emerging clinical and business operations. The favor that COVID-19 should have presented to hospitals and care providers is that it gives every healthcare executive the opportunity to ask: 1) “Are we investing enough in security?” and 2) “Are we making the right investments?” After that, it really gets pretty simple: The “new normal” should be what we should have always been doing in security: Providing the appropriate controls and training to support the business and its changing operating model.
All devices provide an information tunnel, sending patient and device health details to practitioners, and treatment or dose changes back to the device. But as we know, anything that connects to the internet can be exploited by hackers. In this case, connected telehealth devices can give hackers an inroad to a hospital’s larger data network. The adoption of connected medical equipment and devices for telehealth delivery is helping doctors and patients better manage chronic conditions through these uncharted times, but it can also increase the risk of compromise.
Regulators like the U.S. Food and Drug Administration (FDA) and device manufacturers recognize the risk and are taking measures to make security inherent at design, which basically strengthens and encrypts that information tunnel, making it harder for a hacker to access a device and its data. However, hospitals and care facilities have to assume greater accountability for the things used in healthcare delivery that are potentially life impacting. Healthcare providers need to consider every device they’re using, how the information transmits to and from the medical devices we use, and what’s being done to protect that data. Many of these devices connect patients over home networks, and unlike in hospitals and clinics, the security of the network needs to be assumed to be limited or weak. Therefore, ensuring that patient data is secure from the device to the intended physician or practitioner becomes critical. Devices need to encompass technology to store, communicate and update securely without depending on the network being secure.
As telemedicine and associated backend infrastructure have produced an influx of devices and applications that now access the network, they are at risk for being exploited as part of a targeted attack campaign. It is critical that they are appropriately assessed for OS and application vulnerabilities and dormant threats so that those systems are prioritized for patching and remediation.
Under normal circumstances, the rollout of internet-connected devices in healthcare would follow a logical path of administrative, physical, technical and organizational risk assessment, management and controls, with oversight from internal and/or external cybersecurity subject matter experts. The difference with the 2020 rollout of telemedicine devices, in many instances, was the lack of time available to fully vet the devices on a logical path due to the need to complete implementations in a short timeframe. Attackers know that the crunched timeframe created potential vulnerabilities that they can exploit. For healthcare organizations that have not fully vetted their telemedicine device implementations, the sooner they do so, the better.