When one thinks about hackers going after electronic health information for identity theft or other nefarious purposes, one thinks about them attacking the electronic health record or the overall hospital or physician practice data base. But unfortunately, hackers are adaptable, and just because you have the best physical and technical security on your EHR or patient accounts records doesn’t mean that you are immune from a successful hack attack.
One of the new versions of hacking attacks involves medical devices. Unless a covered entity has done a complete risk analysis that includes medical devices and implemented reasonable and appropriate security measures, it is at risk for the damage from a successful attack on medical device data.
Admittedly, no such successful attacks have been reported to DHHS to date, but many health care security experts believe that it is just a matter of time. Some health care providers have experienced medical device downtime as a result of the recent ransomware attacks.
Unlike an attack on a hospital’s billing department electronic records, which would most likely pose only a financial risk, an attack on a medical device could also threaten patient health and perhaps even result in death. Consider a ransomware attack that encrypts the medical device or the system that serves it and the hacker will not provide the decryption key unless the facility pays a six- or seven-figure ransom. Could a medical device fail to give a warning of a cardiac incident during the period in which the hospital or other practice assesses the threat and decides whether to pay the ransom? And paying the ransom is no guarantee that the hacker will free up the data. In one case, after a hospital paid a million dollars, the hacker demanded another $500,000 to provide the decryption key.
A survey, Medical Device Security: An Industry Under Attack and Unprepared to Defend at https://insidecybersecurity.com/sites/insidecybersecurity.com/files/documents/may2017/cs2017_0199.pdf., posits that both device manufacturers and health care organizations are concerned that medical device attacks will occur. Indeed, 67% of medical device manufacturers and 56% of health care delivery organizations believe that a cyberattack on a medical device at their organization is likely to occur in the next 12 months. But even with this awareness, only 17% of device manufacturers and 15% of providers are currently taking actions to reduce the risk of cyberattacks on medical devices that they use. The survey found that manufacturers believe such devices are difficult to secure and that approximately half of the device manufacturers don’t perform any security tests.
The takeaway from this blog post is that, if your practice uses such devices, you must consider them as part of your initial and any follow-up risk analyses and implement reasonable and appropriate security measures to protect the devices.