“Hospitals need to ensure that the staff is trained to work with the IT department to build secure networks for medical devices and include cybersecurity considerations in their buying decisions,” says Atul Anchan, Director, Systems Engineering, India, Symantec. In conversation with Ankush Kumar, Anchan talked about the growing seriousness of combating cyber security threats in the healthcare industry and also shared his key recommendations for mitigating the risks.
Which areas in healthcare are more prone to cybersecurity breaches?
The healthcare industry is going digital, with massive amounts of patient data stored and shared among organizations. 2015 was the changeover year for the healthcare industry, with more targeted attacks. With emerging technologies such as the Internet of Things (IoT), the industry faces concerns such as hospitals being breached via medical devices and consumer health IoT devices being susceptible to data loss. Medical devices are the original IoT devices. Today more medical devices are being networked, and they also have USB ports that leave them open to malware attacks.
Within the healthcare industry, there are medical devices that use off-the-shelf (OTS) software that has been found vulnerable to viruses, worms and other threats. Examples include systems that transmit images over networks (ultrasound), systems that monitor patient activity, and systems that communicate with clinical laboratory analyzers.
According to the 2016 ISTR, researchers have found potentially damaging vulnerabilities in dozens of devices such as insulin pumps, x-ray systems, CT scanners, medical refrigerators, and implantable defibrillators. With the growing complexity of attacks and the interest of cybercriminals, security is slowly becoming a top concern for the healthcare industry globally.
How fatal could the consequences of a security breach in the healthcare sector be?
Cybercriminals are usually driven by the prospect of financial gain. By breaking into health care systems, they can access private medical data and hospital records, which often fetch a much higher payout than financial information. Medical devices are notoriously insecure and easy to hack, as has been demonstrated for pacemakers and insulin pumps, as well as surgical and anesthesia devices, ventilators, infusion pumps, defibrillators, patient monitors, and laboratory equipment. There are multiple reasons why medical devices are highly vulnerable, such as their long lifetimes and 24×7 usage, which restricts the possibility of upgrades and of removing malware from compromised devices, since these devices are constantly in and out of hospitals.
Information security breaches in the health care industry can carry much heavier consequences than financial losses. Unlike cyber-attacks on other industries, a breach at a medical provider can be deadly for patients. A hack on health care IT systems in which code is altered or data is corrupted can lead to wrong medication, which could cost patients their lives, and the associated hospital can lose its brand and its reputation.
For practical and regulatory reasons, the responsibility for securing the actual device lies mainly with the manufacturers. However, hospitals also need to ensure that the staff is trained to work with the IT department to build secure networks for medical devices and include cybersecurity considerations in their buying decisions.
What could be the impact on Indian public healthcare facilities? How do you assess the current regulatory policies related to this?
The cybersecurity posture of medical devices has increasingly become a concern to healthcare providers, device manufacturers, regulators, and patients. Due to their long useful life, unique care-critical use case, and strict regulatory oversight, these devices tend to have a low security maturity, significant vulnerabilities, and an overall high susceptibility to security threats.
Healthcare institutions globally follow three main cybersecurity regulations, namely the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act, and the 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA). As medical devices are now integrated with an increasingly digital healthcare infrastructure, they are exposed to the same security threats as any other IT component. Yet the defenses of these devices, as well as of their integrated ecosystems, are far less mature.
Healthcare organizations have also reported medical devices being shut down by malware outbreaks, not because they were targeted but because their broad vulnerabilities fit the malware’s target profile. The possible consequences resulting from a medical device security incident can be severe and complex, with broad implications for patient health, care delivery, hospital revenue, manufacturer reputation, lawsuits and fines, and decision-making by patients about treatment options.
Increasing concerns are leading to mounting pressure to address these availability, integrity, and confidentiality challenges through a combined approach of technical, regulatory, and process measures. To address these issues, stakeholders must take a two-pronged approach that includes protecting the legacy devices used by hospitals and patients today and building security and information privacy measures into new devices and evolving mHealth care models.
With the continuous increase in cyber security vulnerabilities, what are your key recommendations for healthcare institutions?
Healthcare data is unique, which makes its privacy and security critical. Owing to advancing technology adoption, the intensity of threats and their impact will continue to increase. Healthcare reform and new reimbursement models require complex IT infrastructure, which needs to be reliable and secure and built on an extensible platform that addresses today’s most pressing needs and will support future technology investments.
Key considerations for a security environment that meets today’s need for reliability and can withstand the onslaught of increasingly sophisticated cyber threats are:
Prioritize security infrastructure: Breach economics present a dire situation for affected hospitals. In addition to the public relations challenges and the loss of patients and public trust, there are the high costs associated with remediation and notification, apart from the risk of fines and lawsuits. A comprehensive risk analysis should be all-inclusive and encompass all devices and device types, including medical devices, photocopiers, HVAC and other operational systems.
Invest intelligently: Hospitals and health systems should select security solutions that not only allow them to meet current security requirements but also offer extensible functionality to support a growing IT infrastructure, new devices and applications, and threats as they arise.
Make security a business priority: Security concerns today do not just impact the technical and operational aspects of the organization but also the larger business in the context of its compliance strategy. Healthcare organizations must elevate security to an executive and strategic level to ensure that infrastructure and information security are given the attention they deserve.
Security for a healthcare provider is not only a compliance issue, but also an assurance issue. While technology plays a vital role in furthering healthcare security, the focus will shift to the people and policies that generate, use and manage the data and information required for care and related processes.