The internet of things to hack into
For health systems,
all internet-connected devices pose security risks. Those devices include internet-connected tools patients use in nonclinical environments, including in their homes, for remote patient monitoring.
If data are not sent securely from these devices to hospitals’ own systems, they could come in incorrectly. Or, in theory, hackers could sneak in on the coattails of the data, gaining access to entire networks through individual devices.
“In general, clinicians in the medical community are slow to realize how vulnerable we are,” said Dr. David Slotwiner, chair of the cardiology division at New York Presbyterian Queens. “We’re vulnerable because our systems are so interconnected and are so complex.”
To keep those systems safe, both the sending and receiving devices must be secured, said Anura Fernando, principal engineer for medical software and systems at UL. “Starting to build a baseline of cybersecurity hygiene for these products builds confidence.”
It’s not just wearable devices that are at risk. Perhaps more alarmingly, implantable devices could be hacked too (though they are not known to ever have been). In early 2017, the Food and Drug Administration found security vulnerabilities in some St. Jude Medical implantable cardiac devices that could have opened the door to hackers.
Since then, the FDA has released its Medical Device Safety Action Plan, which has suggestions for greater security, including by tracking products’ safety throughout their life cycles. It also announced plans to update security guidance before the end of 2018. The agency’s current regulatory framework for devices dates from the mid-1970s.
Healthcare organizations, for their part, should have teams dedicated to cybersecurity, many in the industry said. That includes someone specifically in charge of information security rather than relying on the chief compliance officer or chief privacy officer.
Despite the risks, connected devices of many stripes have great benefits, said John Riggi, senior adviser for cybersecurity and risk at the American Hospital Association. “The benefit of these remote-monitoring devices to outcomes certainly outweighs the cyber-risk,” he said, “which can be managed if properly acknowledged and if the mitigating controls are put in place.”
Those controls include encryption of the data from the device and segmented networks—networks separate from those that email runs on, for instance—on the receiving end.
Patients also need to be diligent. “If a patient is using their home router as the internet connection back to the provider, and that home router is not secure, the patient actually introduces the vulnerability,” Riggi said.
Designing security into the devices themselves could help mitigate risks—a move that could be increasingly necessary, Riggi added. “The issue will only become more important as the move toward remote monitoring and value-based payment systems continues.”