Healthcare IT: When TV drama meets real-life medical device security
“‘Murder by pacemaker’ isn’t a real thing, is it?” my friend asked. She’d been binging on Netflix and caught a TV drama in which the victim’s pacemaker was hacked. From a remote location, the hacker—a murderer for hire—was able to access the device, accelerate the victim’s heart rate, and cause cardiac arrest.
“I don’t think it’s happened in real life—yet,” I told my friend, “but it is possible.”
The Internet of Things is enabling previously unimaginable change in our everyday lives. We inhabit smart cities where we can use IoT to get data about available parking spaces or to pay our taxes. We work in smart buildings where IoT sensors adjust lighting and thermostats to conserve energy in empty conference rooms. We live in homes where IoT-connected devices monitor our security, simplify the way we watch TV or listen to music, and track our every step.
Similarly, connected medical devices—like pacemakers, medical infusion pumps, CT scanners, and insulin pumps—are even helping many of us enjoy a better quality of life.
Made-for-TV crime has real-life implications
The advances made possible with IoT and other innovations are not without risk, and cyber threats against organizations of all types are on the rise—but healthcare is particularly vulnerable. The U.S. Department of Health and Human Services’ Health Care Industry Cybersecurity Task Force found that “healthcare cybersecurity was in ‘critical condition,’” noting other industries were outpacing healthcare when it came to preparing for, and responding to, cyber threats. And in healthcare, the task force noted, a failure to put safeguards in place could truly mean life or death.
Healthcare organizations face a range of cyber threats, and those against connected medical devices and IoT devices are among the most common security challenges. In fact, healthcare organizations face billions of attacks each year, and many attacks go undetected for months. The potential for threats against medical devices (and the subject of my friend’s inquiry) was highlighted in the FDA’s first-ever recall of a medical device—a pacemaker—due to cyber risk.
Securing life-critical devices
Device security is a complex problem in every industry, and it is especially difficult in healthcare, in part because older medical devices run software that’s vulnerable to viruses and worms or rely on out-of-date operating systems that are impossible to patch or update.
Technology is an obvious solution to device security challenges, but surprisingly, not the critical first step.
Begin with the basics: your teams are your foundation
Ensuring a holistic, effective device security strategy should be a priority organization-wide. Your employees—from IT staff to clinicians to administrative teams—are your most important guardians. Make sure that organizational structure isn’t impeding success: do teams work together with a shared goal in mind? Breaking down silos can often improve security awareness. So too can developing a process for responding to a cybersecurity event. You’ve documented response plans for other emergencies, like natural disasters or mass casualties, and a cybersecurity response plan is essential too.
Ingrain security into your organization’s culture. Just as your employees serve as your front line of defense, they may also be your greatest potential risk. To be more efficient, clinicians and others may try to take advantage of security workarounds. When the potential for risk is clearly understood—and security tools are easy to use—everyone is more likely to play their part.
Understanding your capabilities and adding a technology layer
Strengthening your cybersecurity posture can begin with something as basic as conducting a security audit using the HIMSS Analytics Infrastructure Adoption Model (INFRAM). With this assessment, you can determine your current security capabilities and identify gaps in your strategy to create a roadmap.
Would you like to learn more?
Join us for a health IT webinar to learn how Mercy—one of healthcare’s “most wired” organizations—is prioritizing security and driving innovation. And read this analyst paper, Security priorities for IoT and connected healthcare.
Connected devices of all types are changing our lives in myriad ways, including improvements to patient health and the way we deliver healthcare. Yet, the specter of cyber threats is a real obstacle. Fortunately, there are services and tools available to meet the challenge.