In this Help Net Security interview, Brett Harris, Cybersecurity Officer for the Americas at Siemens Healthineers, discusses the long-term impacts of cyberattacks on healthcare institutions and what healthcare providers can do to protect patients’ personal data and medical devices.
Can you explain how the various hospital information systems (EHR, e-prescribing systems, practice management support systems, etc.) might be vulnerable to cyberattacks?
Anything connected to a network is potentially vulnerable to cyberattacks, but the risk varies from device to device. There are three major types of risks that need to be considered. First and foremost are devices directly interacting with a patient, such as infusion pumps or X-ray machines. These pose a direct patient safety risk if there is a compromise.
The next major category would be systems that contain large amounts of data, such as Electronic Health Record (EHR) systems and Picture Archiving and Communications Systems (PACS). These pose more of a risk to confidentiality than directly to patient safety, but because the large amount of data poses a risk to a large number of people, they are associated with potentially hefty fines.
Finally, everything else can be a gateway to further attacks on a hospital. A single entry point could be the start of a massive ransomware attack at an institution that hasn’t properly implemented network controls.
Could you elaborate on the long-term impacts of significant cyberattacks on healthcare institutions?
Cyberattacks on healthcare have been on the rise the past few years, and we don’t see any indication that they are going to slow down. Healthcare institutions need to start dedicating larger budgets to cybersecurity, at least in the short term to get proper medical device security programs in place. There is a huge backlog of systems at nearly every institution that needs to be managed for risk. In the long term we will likely see stricter requirements from the FDA and HHS, and every institution running a dedicated medical device security program, either internally or outsourced.
How can patients ensure their personal information is safe when interacting virtually with healthcare providers?
Right now, patients don’t have a lot of control over the matter. There isn’t good visibility into which healthcare institutions are doing a good job protecting their patients’ data, and in most regions, one institution dominates the facilities in that area. The best that individual patients can do right now is to always use their institutions’ secure portals to communicate information, and never use email.
What critical steps can healthcare organizations take to ensure that medical devices are adequately secured and risk-assessed before deployment?
Healthcare organizations should be checking that the products they buy have the security they want before purchase. Optimally, there is a product on the market that meets their clinical needs and has good security. It isn’t always possible to buy a very secure product for every clinical application, so that process should be geared towards identifying what compensating controls need to be put in place given the security controls within that medical device.
Every question should be actionable, geared to answer either “Should I buy this product?” or “What concrete action do I need to take if the manufacturer lacks security in this particular area?” Even just reviewing the product’s Manufacturer Disclosure Statement for Medical Device Security (MDS2) will answer most of these questions. This is a great way to stop the inflow of new insecure devices, but organizations also need to deal with the risk from all their existing devices.
How should healthcare organizations handle the decommissioning and disposal of medical devices to ensure no sensitive data is left behind?
This should be an easy one! Anything that has the potential to store patient information – even temporarily – needs to be securely erased. That means either using a tool that meets NIST standards for secure erasure or physical destruction of the containing media. If the organization is using a third party to decommission the device, they should require a report of secure erasure or attestation to that fact.
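The verification-and-attestation step of that decommissioning answer, as an added example that is not part of the interview and not code from Siemens Healthineers. NIST SP 800-88 sanitization has a verification phase after the Clear or Purge operation; this script samples blocks from the erased media, checks that nothing readable remains, and produces an authenticated attestation record of the kind a hospital should demand from a third-party decommissioner. Assumptions (all hypothetical, for illustration only): the media is a file-like object (an image file here, a block device such as /dev/sdX in practice), a successful Clear leaves every block as 0x00 bytes, the record is authenticated with HMAC-SHA256 under a demo key (a real program would use an asymmetric signature keyed to the decommissioner's identity), and the sample media, device identifiers and "patient" fragment are constructed.

```python
"""Post-sanitization verification and attestation (added example, not from the page)."""
import hashlib
import hmac
import io
import json
import random
from datetime import datetime, timezone

BLOCK_SIZE = 4096
DEMO_KEY = b"demo-attestation-key-do-not-use-in-production"  # constructed; hypothetical


def sample_blocks(media, media_size, count=None, seed=None):
    """Yield (offset, data) for sampled blocks. count=None scans every block.
    Block 0 and the final block are always included: partition tables and
    filesystem metadata live there and are a common leftover after a sloppy wipe."""
    nblocks = -(-media_size // BLOCK_SIZE)  # ceil, so a trailing partial block is read too
    if nblocks == 0:
        return
    if count is None or count >= nblocks:
        offsets = range(0, nblocks * BLOCK_SIZE, BLOCK_SIZE)
    else:
        rng = random.Random(seed)
        chosen = {0, (nblocks - 1) * BLOCK_SIZE}
        while len(chosen) < count:
            chosen.add(rng.randrange(nblocks) * BLOCK_SIZE)
        offsets = sorted(chosen)
    for off in offsets:
        media.seek(off)
        yield off, media.read(BLOCK_SIZE)


def verify_cleared(media, media_size, sample_count=None, seed=None):
    """Return (ok, dirty_offsets). ok is True only if every sampled block is all zero,
    i.e. consistent with an overwrite-style Clear. A cryptographic erase leaves
    ciphertext, not zeros, so this check does not apply to crypto-erase Purge."""
    dirty = [off for off, data in sample_blocks(media, media_size, sample_count, seed)
             if any(data)]
    return (not dirty, dirty)


def _canonical(record):
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def attest(device_id, media_serial, method, verification, key):
    """Build the attestation record and an HMAC tag over its canonical JSON form."""
    ok, dirty = verification
    record = {
        "device_id": device_id,
        "media_serial": media_serial,
        "sanitization_method": method,
        "verified_clear": ok,
        "dirty_block_offsets": dirty[:10],  # first few offsets, enough to investigate
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
    }
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record, tag


def check_attestation(record, tag, key):
    """The receiving hospital recomputes the tag; any edit to the record fails."""
    expected = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def build_demo_images():
    """Constructed 1 MiB images: one fully cleared, one with a fake record left
    in block 100 (the kind of residue a 'quick format' leaves behind)."""
    clean = bytes(256 * BLOCK_SIZE)
    leftover = b"PATIENT: DOE, JANE  MRN: 000000  STUDY: CT ABD/PELVIS"  # constructed
    dirty = bytearray(clean)
    dirty[100 * BLOCK_SIZE:100 * BLOCK_SIZE + len(leftover)] = leftover
    return clean, bytes(dirty)


if __name__ == "__main__":
    clean, dirty = build_demo_images()
    for name, img in (("clean", clean), ("dirty", dirty)):
        result = verify_cleared(io.BytesIO(img), len(img))
        record, tag = attest("ultrasound-cart-07", "SN-CONSTRUCTED-001",
                             "NIST SP 800-88 Clear (single-pass overwrite)", result, DEMO_KEY)
        print(name, "verified:", record["verified_clear"], "dirty:", record["dirty_block_offsets"])
        print("  attestation valid:", check_attestation(record, tag, DEMO_KEY))
```

On a real Linux host the same functions work on `open("/dev/sdX", "rb", buffering=0)` with the size taken from `os.lseek(fd, 0, os.SEEK_END)`; run the full scan (`sample_count=None`) for the final report and the random sample for spot checks. The all-zero test is only meaningful after an overwrite Clear; for a firmware Purge such as ATA SECURE ERASE or NVMe sanitize the media is expected to read back as zeros or ones, while a cryptographic erase leaves ciphertext and verification then rests on the device's own completion status, which the attestation should record instead.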