By Matt Skoufalos
In private life, identity theft can be a devastating experience, having affected some 17.6 million Americans in 2014, according to a study from the U.S. Department of Justice. The average impact totaled more than $1,300 per person and took more than a month to resolve.
In the health care field, data breaches can carry even more significant consequences for the facilities affected by them. Protenus, a data security firm based out of Baltimore, Maryland, estimates that the health care industry averaged at least one health data breach per day in 2016, with the cost of the average breach hit $4 million last year, according to an IBM-sponsored study from the Ponemon Institute.
That’s thanks, in part, to the increasingly stringent regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
HIPAA Title II outlines rules for the standardized exchange of sensitive patient data, mandates penalties for failure to comply with them, and outlines guidance for investigating violations. It also stiffens the financial impact for organizations that violate the terms of the law to a maximum of $1.5 million per incident. Typically, the threat of significant losses or of federal legal entanglements are deterrents enough to shape institutional policy in favor of enhanced security, and HIPAA places much of the onus on actual users to follow the law.
But that doesn’t mean that breaches don’t happen. In February 2017, the Children’s Medical Center of Dallas, Texas was fined $3.2 million for failing to resolve compliance risks from unencrypted personal electronic devices that were later stolen. Weeks earlier, Memorial Health Care System of Hollywood, Florida had paid $5.5 million to settle a case involving compromised data in which tens of thousands of patient records were accessed remotely because a former employee’s login credentials had not been revoked upon termination.
Data breaches from compromised login credentials or stolen devices are one thing, but of comparable concern is whether devices that collect patient data are web-enabled. With a premium being placed on the economic value of technologies that can gather and distribute information for a variety of purposes, the makers of those devices also risk the downside of their products having those benefits.
As the Internet of Things (IoT) expands to a projected 26 billion devices by 2020 (according to market researchers Gartner), any device that connects to the Internet can be a viable entry point for a hacker. According to an October 2016 market report from Forrester, half-a-million “smart” devices will be breached in 2017 – things like security cameras, thermostats, printers, and light bulbs as well as health care-specific wearables, implants, and remote monitoring equipment. Even if those technologies do not directly contain or transmit patient health information, they can potentially be used to shut down hospital Internet services as part of a larger distributed denial of service (DDoS) attack.
“Everyone’s interested in Internet of Things; shipping the data anywhere,” said Bruce Swope, VP of engineering at Sterling Medical Devices, a medical device engineering and product development firm based in Rochelle Park, New Jersey.
The trouble comes when “shipping” personally identifiable patient data puts an individual’s privacy at risk.
Cybersecurity risks lurk in lower-tech places, too; everywhere from digital copiers and scanners to older capital equipment that may not have undergone a thorough hard drive cleanout before being decommissioned. At a minimum, Swope recommends that any old equipment with onboard memory should have that memory erased or replaced before it changes hands.
“There’s no magic just because it’s medical,” he said. “It’s the same kinds of things you’re doing for your cellphone or your [personal] computer.”
Likewise, whenever a new (or new-to-the-department) piece of equipment is brought into service, Swope said it’s often the job of the biomed team to analyze the robustness of its security functions along with all its other abilities. The overall value of a piece of technology can be undermined if it poses a risk to the security of patient data; simply put, he said, “sometimes, it might not be designed for these types of things.” As a rule of thumb, anything that’s been approved by the FDA in the last three to four years should be compliant with the agency’s cybersecurity protocols, Swope said, but any piece of medical equipment “that’s at least as old as your first smartphone” could contain vulnerabilities. While the newer models may cost extra, the additional price tag may carry additional benefits, of which security can be high on the list – particularly when weighed against the cost of a data breach.
“You’d be amazed, if you go into a hospital, how many old computers are sitting around in a corner somewhere in a lab that have been around forever, and nobody’s done anything to maintain them,” Swope said. “The IT world has been fighting this for a long time, and the medical world just needs to apply the lessons that IT has learned.”
When buying a new piece of equipment, Swope said purchasing decision-makers should ask its vendors if the device is capable of handling sensitive data, and in what ways. If the device doesn’t need to connect to a medical records system for its core functionality, don’t allow it to; if it doesn’t need to go online, then it can be protected from intrusions by keeping it offline. If the system connects to the Internet, it should be protected by a firewall and antivirus and malware-prevention software. Each has ways it can be compromised, but by establishing strong internal policies and procedures, the human error around them can be minimized.
“Focus to make sure you’re not sharing any patient identifiable data that you don’t have to; if you do, take reasonable security precautions,” Swope said. “You won’t get a get-out-of-jail-free if you haven’t kept up with best practices. And your vendor may not be [keeping up] either, but you can’t hide behind the vendor; you’re supposed to know how things work.”
Companies that aren’t confident in their internal security policies or their ability to develop them may hire third-party auditors to review their internal concerns annually or semi-annually. When such an audit is undertaken, Swope said the kinds of things that a consultant will consider include technological as well as social vulnerabilities.
“Usually by asking questions, you can find out everything you need to know,” he said. “You interview the nurses, the RNs, the lab techs, just wandering, looking for a focused effort. You’ve got to break barriers down on one side or another.”
Some of the FDA rules around cybersecurity are designed to address OEM product life cycles after their initial shipment, said Eric Soederberg, President of Sunrise Labs Inc. of Auburn, New Hampshire. In January 2016, the FDA issued a guidance document for the postmarket management of medical device cybersecurity that encourages device-makers to adopt “a structured and systematic approach to risk management and quality management systems” and to “respond in a timely fashion to address identified vulnerabilities.” That’s a departure from the traditional agency stance that encourages device-makers to get their products airtight for approval, and then discourages them from modifying any of their functions afterwards.
“It’s a new culture,” Soederberg said. “We’re used to shipping a product once and never touching it because it takes so much effort to get documentation that’s acceptable to the FDA. [But] connected medical devices need to be updated consistently. What’s new here is requiring manufacturers to work together to share data about their vulnerabilities.”
Soederberg points out that the chief concern of the FDA is typically patient safety over patient data; here, the agency’s priorities diverge from those of hospitals and health systems looking to avoid HIPAA violations. At the confluence of these concerns is the establishment of policies designed to secure institutions holistically and thereby their component assets. FDA guidance around the issue follows the 2014 Framework for Improving Critical Infrastructure Cybersecurity established by the National Institute of Standards and Technology (NIST), which encourages organizations to align their cybersecurity aims with their “business requirements, risk tolerances, and resources” as part of a larger risk management approach.
“FDA recognizes that medical devices and the surrounding network infrastructure cannot be completely secured,” the FDA guidance document notes. “The presence of a vulnerability does not necessarily trigger patient harm concerns. Rather it is the impact of the vulnerability on the safety and essential performance of the device which may present a risk of patient harm.”
“Hospitals are policing this by doing audits of cybersecurity before they put [a device] on their networks,” Soederberg said. “If your device gives somebody a conduit into their network, that’s a big risk. Just somebody finding the data on a particular device is not that interesting to a hacker, really, and trying to hurt an individual doesn’t pay much. It’s really less about the FDA and hospitals not wanting to lose personal health care information.”
Like Sterling Medical Devices, Sunrise Labs also assists medical device developers in bringing their products to market and navigating through FDA approvals. Swope and Soederberg have the unique opportunity of considering the technologies with which they work equally holistically, particularly in the dual contexts of security and functionality. As Soederberg points out, nobody has yet died from a medical device attack. But in considering the potential outcomes that could come from compromised technology – fines, legal charges, or time and money spent correcting breaches or replacing medical equipment that’s lost, stolen, or damaged – the guidance with which developers work can come from thought leadership as well. That’s why Sunrise Labs participates in best-practices panel discussions with technology leaders from major vendors to smaller start-ups as well as supporting organizations like the MITRE Corporation and NIST, which advocate for greater standards interoperability.
“We’re asking vendors what are they doing within their companies, and how can smaller companies learn from that to develop robust medical devices,” Soederberg said. “We point to the frameworks that are out there to use as guidelines for help addressing [cybersecurity]. Generally speaking, there are these frameworks that have been put together by the government, and then joining an ISAO (Information Sharing and Analysis Organization) to have a peer group for dialogue.”
Sunrise Labs also helps with threat modeling, a form of risk management that involves internal auditing, self-diagnosing, and trying to test the vulnerabilities of a medical device before advancing its development. Tests include checking (and securing) device connectivity options, from physical interface standards to wireless and networked options; following the path of data into and out from the device, whether into physical or distributed storage; encrypting and encoding that information; and access and credentialing, from login to passcodes to biometric identifiers. Soederberg describes the approach as “look[ing] to properly secure that data both in motion, across the network, and at rest, where it’s being stored.”
“The tradeoff becomes availability versus security,” he said. “If you’re making a piece of emergency equipment, you don’t want the patient to die while you’re logging into it. But the biggest issue is really opening up networks to personal health information (PHI). If somebody’s using something in the field, it doesn’t really have to collect PHI. You can be smart about what data is being used where.
“The old stuff, they weren’t thinking about cybersecurity when it was developed, and the FDA didn’t require manufacturers to consider it,” he said. “Today, the manufacturers have to mind that.”
As in any field, health care has its leaders in cybersecurity; Soederberg knows of hospitals with small departments of IT experts who specialize in establishing bulletproof policies. There are others who are responsible for device maintenance who don’t have any specific security training. Depending upon organizational priorities, he recommends contracting with risk management experts or developing internal candidates to address those concerns.
“If anyone has any significant amount of personal health care information, they really ought to find someone to do an audit of their exposure,” he said.