From the March 2015 issue of HealthCare Business News magazine
by Scott Whyte
Medical devices have unprecedented power to save lives.
Yet, as promising as these devices are for medicine, they open up a whole new frontier for cybercrimes.
Personal harm to a patient
Quest Imaging Solutions provides all major brands of surgical c-arms (new and refurbished) and carries a large inventory for purchase or rent. With over 20 years in the medical equipment business we can help you fulfill your equipment needs
While unlikely, the risk of severe physical harm to a patient, up to and including homicide, can be very real when medical devices are left unprotected. A widely-discussed Essentia Health study revealed that hospital equipment was shockingly vulnerable to hacking, including:
• Infusion pumps.
These devices can be remotely accessed and manipulated to change dosages.
• Imaging equipment.
Hackers can alter configuration files for radiography and CT machines to change the amount of radiation patients receive, or to manipulate results.
• Implantable cardiac defibrillators.
Many defibrillators are Bluetooth-enabled, which gives someone intent on doing harm the opportunity to deliver inappropriate signals to a patient’s heart, or to stop a medically needed shock.
• Refrigeration units.
Temperature settings can be deliberately reset in order to cause blood or drugs to spoil.
Medical device security risk
Some estimates say that protected health information is 10 times more valuable than credit card data. With data warehousing, siloed data from medical devices are now aggregated and more valuable. Add to that the fact that the 10 largest medical device companies worldwide have annual revenues of $10-20 billion, making them high-profile targets to cybercriminals.
Medical devices now feed information into electronic health records. If a hacker gains entry to the device, they can cause inaccurate information to be sent to the electronic records, causing clinicians to misdiagnose, administer improper care or prescribe the wrong medications, among other potentially fatal errors.
Damage continues, even after a security breach
Picture the fallout to a health care organization, medical device manufacturer or software company if a patient is harmed via a medical device hack. After considering the most important impact, which is the health of the patients, the aftermath could be near-catastrophic financially as well, with federal and state regulators stepping in to impose harsh fines. Providers can also count on plaintiffs’ attorneys presenting their demands. To prevent a breach, a comprehensive security, privacy and compliance plan needs to be in place.
Facilities should inventory all medical devices, perform a risk analysis (and make it a continuous process), identify administrative and operational weaknesses and document policies and procedures related to device procurement, implementation and maintenance. They should also identify physical and technological threats and work to mitigate them. It’s important to build a circle of trust and create corrective and proactive action plans that include a multi-layered approach to protecting data that addresses devices (both mobile and medical), physical storage network infrastructure, and application, server, data and user security.