The Lack Of Medical Device Security — Accidents Waiting To Happen

Whether it’s one of those cases where the truth is stranger than fiction is a matter of opinion, but one thing’s for sure, the network security gurus who relentlessly preach the inevitability of being hacked are consistently proven correct.

Cyber attacks are particularly common among healthcare providers, with a reported 62% experiencing an adverse event in just the past year. And when you dig in for the details, yet another cyber-axiom is quickly revealed: while outside attacks continue to be of primary concern, more than half of the reported incidents are the result of employee maliciousness and/or negligence. Although patient medical records, billing information and clinical research may still represent the hacker’s most popular targets, the paths to new forms of expensive, if not frightening, disruption are exploding.

Case in point: every single medical device that is connected to a network is a breach opportunity. Put another way, every single medical device that can be operated remotely presents unthinkable possibilities. Can you imagine the look on former Secretary of Defense Dick Cheney’s face when he was told the Wi-Fi broadcast feature on his pacemaker needed to be disabled? What about the IT professional who notifies his/her leadership that the system’s million-dollar-per-day MRI network must be shut down pending a security upgrade?

Of course, the point is, why should any of us be surprised? The industry’s digital transformation is in high gear, as reform has made it a matter of economic necessity. Technology continues to expand the care continuum. Supply chains are playing catch-up. While digital monitoring has long been a fact of life inside the walls of a hospital, the care networks that now rely on devices capable of remotely packaging and transmitting data are everywhere. We even wear them. While investments in analytic tools designed to make sense of it all are booming, and while securing the data that fuels them may be covered under existing security schemes, what about the devices themselves? And if they’re not secured (literally millions of devices are not), whose responsibility is it to make sure that they are?

According to surveys conducted by the Ponemon Institute, 67% of surveyed hospital network security specialists answered “no” or “unsure” when asked if medical device security was on their short list of concerns. More shockingly, about a third of respondents made it clear that they hadn’t even contemplated the issue in their budgeting processes.

So is our government stepping up? Surprisingly, HHS has been all over the problem dating back to 2014. But not surprisingly, legislation has gone nowhere. The device suppliers are not required to provide detailed bills of material that would help hospital supply chain professionals (and their IT counterparts) assess device-based network security risks. Of course, it’s one thing to not know the device’s operating system. It’s quite another if you didn’t feel the need to ask.

Fortunately, the medical device manufacturers have taken the hint (perhaps having assessed their potential liabilities) and, in many cases, are making their devices more network secure. But their measures are often designed to check the box, as the best they can do is provide a solution that exists in a device-centric vacuum, which is clearly not ideal. Regardless, they can’t do anything about the legacy medical devices that are already in use.

In an interview, David Sinnott, an industry veteran and founder of Proactive Networks & Security, Inc., mentioned the difficulty of just identifying the at-risk devices on a hospital’s network: “You can’t solve this problem without first classifying and then understanding device protocols, their expected performance metrics and related workflows. Known and unknown threat detection requires a contextual understanding of the operating environment —how things are supposed to work— otherwise, there can be no real solution, no human nor machine-based learning and no useful threat detection and management automation.”

Given how hot the current market is for software solutions that monitor other forms of risk, one might think, at a minimum, that millions of unsecured medical devices should warrant more attention than, for example, monitoring unflattering social media. While risk avoidance has always been a tough sell, this is a case where the chances of an adverse event are roughly the equivalent of correctly calling a coin toss.

Bottom line, working to secure networks containing private patient data and then not securing the devices that intersect with those same networks is simply not good practice. The accidents are waiting to happen.