Justin Reilly, CEO at Impero Software, 01.14.22
Healthcare is becoming increasingly digitized, and - like the rest of the world - is simultaneously more distributed and interconnected than ever before. For all the good it has done by raising facility management and patient care to new heights, this accelerating digitization has also opened doors to considerable risks. Personally identifiable information, especially plucked from a medical setting, is among the most tantalizing prizes for hackers. So long as technology is woven into the healthcare sector carefully and thoughtfully, it has the power to protect and enhance our lives, but cybersecurity will be a crucial piece of the puzzle going forward.
The connections transforming healthcare are most visible through the propagation of Internet of Medical Things (IoMT) devices, which have been established as a norm for modern healthcare facilities. A majority of the industry agrees that IoMT is synonymous with the future of healthcare. In 2019, a survey by Gartner showed that 86 percent of healthcare providers were already using IoMT devices - and the digitization of the industry has only grown faster since then.
IoMT devices - and the connections they bring - are a key component of streamlining modern medical facilities from top to bottom. They have also paved new roads for care extending well beyond hospital doors, including telehealth and telemedicine services that have soared in popularity since the advent of the COVID-19 pandemic. A report by Fortune Business Insights predicts that telemedicine’s market size will reach $185 billion by 2026.
While these digital transformations can have profound effects on both the efficiency and profitability of healthcare systems, every connected device is also a security risk. Over the last decade, these risk factors have led to hundreds of millions of patient records being compromised by data breaches, many of which were attributed to poor security measures for IoMT devices. The hardships brought on by the pandemic aren’t winning any truces from malicious actors, either - quite the opposite. Reports from the height of the pandemic in 2020 showed cyber attacks against healthcare organizations rose by as much as 55 percent. Hackers aren’t in the habit of showing mercy when presented with a “soft” target, so it’s up to healthcare organizations and device manufacturers to address their own rising security needs.
In today’s digital world, medical devices in a given system can be spread across many different settings, such as in medical facilities, in doctor’s offices and even in patients’ homes. For practitioners to make quality patient care decisions, it’s important to centralize the information gathered by all of this widely distributed equipment.
Consider a large hospital campus with myriad devices such as x-ray machines, MRIs and blood gas analyzers spread across different floors, if not different buildings. Realistically, these devices need to be connectible – that is, not completely "air-gapped" or unplugged – to operate efficiently. Even if a device has only a single connection – say, to the PACS server or to the IT person down the hall – that connection needs to be known, documented, and controlled by explicit policy (which peers it may talk to, on which ports, and who may reach it remotely), so that it stays secure without losing the efficiency it brings. A connection that exists but appears in no inventory is the one nobody monitors.
Too often, however, these devices are less secure than they should be, given what can happen if they’re compromised. Personally identifiable information, especially in a medical context, is a veritable holy grail for hackers. Captured medical information can be used against individuals in extremely targeted ways, making it easy for criminals to steal a patient’s identity or scam them using inside knowledge, such as the fact that they’re diabetic.
Despite these risks, remote access to medical devices is too large a boon for any modern healthcare organization to ignore, but common approaches to security remain scattered. Many organizations bring in several different security vendors to cover different types of machines, hampering overall communication and leaving exploitable gaps in network security between the areas each vendor is responsible for.
This lack of security creates two issues: one of compliance and one of trust.
HIPAA compliance is - or should be - of the utmost concern for any healthcare organization or device manufacturer that has fallen behind the curve on cybersecurity. Even where a medical device stores little patient information itself, it serves as one of the easiest entry points into the wider network, because such devices are typically less well shielded than other network access points.
Palo Alto Networks reported in 2020 that roughly half of cyber threats to healthcare organizations involved imaging devices, and that 83 percent of medical imaging devices were running unsupported operating systems - a security gap that, left open, puts patients' records at risk. Closing it is rarely as simple as applying an update, since the operating system on a cleared medical device is often frozen by the vendor's validation; in the meantime, the practical controls are to know which devices are on an unsupported OS, segment them so they can reach only the systems they need, and monitor the connections they actually make.
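The two gaps named above - connections that exist but are not documented, and devices running an operating system past its support date - are both things an inventory audit can surface. The following is an added example (not code from Impero Software or from the article): it takes a constructed device inventory with each device's documented peers, parses a few constructed firewall log lines (the log format is an assumption), and reports flows that no policy documents alongside devices whose OS is past end of support. The end-of-support table is illustrative and should be checked against the vendor's lifecycle pages before use.

```python
"""Audit a medical-device inventory for undocumented connections and
unsupported operating systems. Added example; inventory, log lines and
log format are constructed for illustration."""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set, Tuple

# Illustrative end-of-support dates; an assumption to verify against the
# vendor's lifecycle pages before relying on it in a real audit.
OS_END_OF_SUPPORT: Dict[str, date] = {
    "windows xp": date(2014, 4, 8),
    "windows 7": date(2020, 1, 14),
    "windows 10": date(2025, 10, 14),
}


@dataclass
class Device:
    name: str
    ip: str
    os: str
    # Destination IPs this device is documented as allowed to talk to.
    documented_peers: Set[str] = field(default_factory=set)


# Constructed inventory of one hospital segment (hypothetical names/addresses).
INVENTORY: List[Device] = [
    Device("ct-scanner-3f", "10.20.1.15", "Windows 7", {"10.20.9.40"}),     # -> PACS
    Device("mri-bldg-b", "10.20.2.8", "Windows 10", {"10.20.9.40"}),       # -> PACS
    Device("blood-gas-icu", "10.20.3.22", "VxWorks 6.9", {"10.20.9.41"}),  # -> LIS
]

# Constructed firewall log lines; the "<ts> ALLOW <src> -> <dst>:<port>"
# format is an assumption for this example, not any vendor's real format.
FIREWALL_LOG = """\
2022-01-14T09:58:01 ALLOW 10.20.1.15 -> 10.20.9.40:104
2022-01-14T09:58:07 ALLOW 10.20.1.15 -> 10.20.7.5:445
2022-01-14T09:59:12 ALLOW 10.20.2.8 -> 10.20.9.40:104
2022-01-14T10:01:30 ALLOW 10.20.3.22 -> 203.0.113.9:443
"""

LOG_RE = re.compile(r"^\S+ (ALLOW|DENY) (\S+) -> (\S+):(\d+)$")

Flow = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


def parse_flows(log_text: str) -> List[Flow]:
    """Extract permitted flows from the constructed log; denied lines are
    already blocked, so only ALLOWed traffic matters for this audit."""
    flows: List[Flow] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m.group(1) == "ALLOW":
            flows.append((m.group(2), m.group(3), int(m.group(4))))
    return flows


def unsupported_os(devices: List[Device], today: date) -> List[Tuple[str, str]]:
    """Flag devices past their OS end-of-support date, and devices whose OS
    is not in the table at all (unknown status is a finding, not a pass)."""
    findings = []
    for d in devices:
        eol = OS_END_OF_SUPPORT.get(d.os.lower())
        if eol is None:
            findings.append((d.name, "unknown support status"))
        elif today > eol:
            findings.append((d.name, f"{d.os} unsupported since {eol.isoformat()}"))
    return findings


def undocumented_flows(devices: List[Device], flows: List[Flow]) -> List[Tuple[str, str, int]]:
    """Return (device, destination, port) for every observed flow from an
    inventoried device to a peer its documentation does not list."""
    by_ip = {d.ip: d for d in devices}
    findings = []
    for src, dst, port in flows:
        dev = by_ip.get(src)
        if dev is None:
            continue  # source is not an inventoried device; out of scope here
        if dst not in dev.documented_peers:
            findings.append((dev.name, dst, port))
    return findings


def audit(devices: List[Device] = INVENTORY, log_text: str = FIREWALL_LOG,
          today: date = date(2022, 1, 14)) -> Dict[str, list]:
    return {
        "unsupported_os": unsupported_os(devices, today),
        "undocumented_flows": undocumented_flows(devices, parse_flows(log_text)),
    }


if __name__ == "__main__":
    for category, items in audit().items():
        print(category)
        for item in items:
            print("  ", item)
```

Run as-is, the audit flags the CT scanner for both reasons (Windows 7 past end of support, and an SMB connection to 10.20.7.5 that no policy documents) and flags the blood gas analyzer for an outbound HTTPS flow to an address outside the hospital, plus an OS whose support status is unknown. Treating "unknown" as a finding rather than a pass is deliberate: a device that is not in the lifecycle table is exactly the one nobody has assessed.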
The cost of falling short of HIPAA compliance can quickly add up for healthcare organizations, which very often end up paying hefty fines before immediately having to invest in the cybersecurity measures they should have had in the first place. Finances aside, there’s another price to be paid for such negligence: patient trust.
Any successful interaction in the healthcare sector is underpinned by trust. Whether in the ER, the clinic or the office, patients are in a uniquely vulnerable situation, and need to be able to trust both the medical devices they’re engaging with and the organizations making use of them. Furthermore, these organizations need to be able to confidently allay any patient concerns regarding privacy, ensuring them that their trust is well-deserved.
In every facet of the healthcare industry, technology has the capacity to make our lives both easier and safer, but it will continue to create new problems if it’s not deployed in a secure manner. Device manufacturers and facility operators don’t have the luxury of placing cybersecurity as a secondary concern - it must be paramount as we continue towards the digital future.