By K Richard Douglas
Recently, Banner Health, based in Phoenix, announced that it had been hacked. The cyber attack is thought to have affected 3.7 million “patients, health plan members and beneficiaries, food and beverage customers and physicians and health care providers,” according to the Phoenix Business Journal. The health system offered those impacted a free one-year membership in a monitoring service.
The attackers went after payment card data. Payments made for food and beverages were affected, but payment cards used to pay for medical services were not. Also, according to Banner’s website, patient information may have been compromised which included “patients’ names, birthdates, addresses, physicians’ names, dates of service, clinical information, possibly health insurance information, and Social Security numbers if one was provided.”
While this attack doesn’t appear to be related to medical devices in any way, when attackers can engage in identity theft and Medicare fraud, the temptation to go after health care data sources is great.
Hollywood Presbyterian Medical Center paid cyber attackers $17,000 when the hospital was hit with a ransomware attack. This hospital made the information public, which isn’t always the case when a company, organization or health system falls victim to this kind of attack. During 2013 alone, this kind of attack increased six-fold.
Major hotel chains like Marriott, Hyatt and Intercontinental have also had a data breach with hackers suspected of accessing payment card data from tens of thousands of transactions. The attack is thought to have originated with malware on payment systems earlier this year and during much of last year.
These incidents, and others, point to the vulnerabilities that exist when personal information is stored on servers and people with nefarious intent target that information. In other cases, just the connection between a business’s network and the Internet is enough to invite trouble. Unfortunately, it is a profitable business for the bad guys – referred to as malicious threat actors – who can sell personal information from medical records for top dollar. The EHR has revolutionized health care, but it has also opened a security vulnerability door that did not exist at one time.
Ironically, the requirements under Medicare and Medicaid for the adoption of electronic records, and the penalties for non-adoption, have caused health care providers to open that door to the malicious threat actors more so than in the past.
New Responsibilities for HTM
Responsibility for systems is usually determined by the point where the data enters the network. A server specifically intended for medical use is often the responsibility of clinical engineering, such as an infusion server or a patient monitoring database server. The HTM professionals, along with their IT counterparts, have a litany of regulations to consider today.
“Medical device cybersecurity has been a topic of debate since FDA released the guidance document for off-the-shelf software use in medical devices in 1999. A lot has been discussed regarding premarket and post-market management of cybersecurity in medical devices,” says Priyanka Upendra, BSBME, MSE, compliance manager in Clinical Engineering, Intermountain Support Services/Supply Chain at Intermountain Healthcare in Midvale, Utah.
“Healthcare Technology Management (HTM) professionals work tirelessly to make sure the diagnostic, monitoring, and therapeutic devices are available for safe and high-quality patient care. Keeping these devices safe from cyber attacks is a shared responsibility between the manufacturers, healthcare delivery organizations (HDOs), regulatory agencies, and law enforcement,” she adds.
The Problem and Response
The threat of cyber attacks on health care facilities has become such a concern that the Healthcare Information and Management Systems Society (HIMSS) Foundation’s Institute for e-Health Policy and the College of Healthcare Information Management Executives (CHIME) recently held a briefing on Capitol Hill titled “Hacking Healthcare: The Cybersecurity Threat Landscape.”
The briefing featured “a panel of leading hospital Chief Information Officers (CIOs), Chief Information Security Officers (CISOs) and healthcare data security experts,” according to HIMSS. In a recent article, Lorren Pettit, HIMSS North America vice president of HIS and Research, wrote: “over 85 percent of the respondents to our study claimed cybersecurity efforts within their organization were elevated as a business priority during the past year,” referring to the organization’s 2016 Cybersecurity Study.
“Not only is losing a bunch of patient records catastrophic enough, but then the Office for Civil Rights (OCR) could add insult to injury by assessing a five- or six-digit HIPAA breach fine to boot,” says Jeff Kabachinski, MS-T, BS-ETE, MCNE, senior director of Technical Development for ITD (Independent Technical Development) in North Carolina.
“Did you know that an electronic protected health information (ePHI) record can be sold for 50 times a valid credit card number on the black market?” he asks. “It’s lucrative to exploit healthcare IT.”
Kabachinski has written about the efforts of the National Institute of Standards and Technology (NIST) and the Cybersecurity Framework that NIST has developed. That framework, first established in 2014, was then refined with feedback from participants in industry, government and academia.
NIST will soon offer a tool that will allow organizations to assess their cybersecurity risk management process. For the health care sector, the Health Information Trust Alliance (HITRUST) has developed a model implementation of the NIST Cybersecurity Framework, which is discussed in a white paper (https://hitrustalliance.net/content/uploads/2015/09/ImplementingNISTCybersecurityWhitepaper.pdf).
According to HITRUST, the number of cyber attacks targeting “health care entities” has been on the rise. They cite a 2013 study that found that health care data breaches exceeded those in “credit, finance and banking.”
With the changing role of the biomed comes new concerns and areas of training that address privacy concerns and nefarious activities that can compromise patients. It’s not enough anymore to address electrical malfunctions or mechanical malfunctions that might harm patients; there is data that must be protected, deleted, secured or monitored. This new kind of harm doesn’t end when the patient walks out of the hospital door.
Maintaining Device Safety
Cybersecurity has been a buzz word in the health care community out of necessity. Patient information is ripe for the picking by scam artists in the next city or on the other side of the earth. While IT plays a major role in protecting servers and acting as gatekeepers on the connection to the outside world, the HTM department has an ever-growing role at the device level.
“The HTM and Information Security (IS) folks provide a safe infrastructure for medical devices while maintaining clinical workflows that don’t hinder effectiveness of the care we provide to our patients,” Upendra says.
“The development of standards, policies, procedures, processes, and awareness campaigns goes a long way towards a successful medical device cybersecurity program,” she adds. “As an HTM professional working in an HDO, I would recommend that all HTM teams work alongside information security, risk management, clinical staff, facilities, and supply chain departments at HDOs to build a robust and effective medical device cybersecurity program.”
It is the HTM professional who is the medical device expert. When it comes to networking a new device, it is HTM that is most familiar with it.
“We support Scripps’ cybersecurity efforts best by being subject matter experts and liaisons for medical devices in the clinical environment,” says Scot Copeland, BSITSec, MCP, Sec+, medical IT network risk manager for Scripps Health in San Diego, California.
Copeland says that there are several things that biomeds can do to keep devices safe and help aid in prevention of cyber attacks.
“Help coordinate vulnerability scanning of medical devices and verify all of the latest OS patches, security updates and malware definitions are up to date on the medical devices that support those capabilities,” he says.
On this point, the HIMSS survey found that many organizations’ procedures were woefully lacking. “Only 61.3 percent of acute care providers and 41.9 percent of non-acute providers admit to having a patch and vulnerability management program,” according to their findings.
Copeland also says that the HTM department should provide input to the IT department regarding the network/ePHI capabilities of medical devices, and should participate in IT Due Diligence and Technical Reviews of incoming medical equipment and systems so that networking vulnerabilities, privacy issues and other risks are known before the acquisition process begins.
“Provide the on-site security incident response to research the device in the clinical area,” Copeland says. “Maintain networking properties of all networked medical devices in the CMMS and apply all hospital information security policies for networked equipment to medical devices as much as can be supported by the manufacturer and regulatory agencies,” he adds.
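The patch, malware-definition and vulnerability-scan checks Copeland describes, and the CMMS record-keeping he recommends, can be turned into a routine posture report over the device inventory. The following is an added example written for this article, not code from Scripps Health or any CMMS product; the field names, review date, staleness thresholds and sample devices are all constructed for illustration. Unpatchable devices are not ignored but flagged as needing compensating controls, which is the disposition Upendra describes later for devices that cannot meet the organizational standard.

```python
"""Patch-and-vulnerability posture report over a constructed CMMS export.

Added example: the record layout, thresholds and sample devices below are
assumptions for illustration, not a real CMMS schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Device:
    asset_id: str
    model: str
    networked: bool               # connected to the hospital network
    patchable: bool               # manufacturer supports OS/security patching
    installed_patch: str          # patch baseline currently on the device
    approved_patch: str           # latest manufacturer-validated baseline
    av_definitions: Optional[date]  # malware definition date; None if no AV client
    last_scan: Optional[date]     # last vulnerability scan; None if never scanned


REVIEW_DATE = date(2016, 9, 1)    # constructed review date for the sample run


def posture_findings(dev: Device, today: date = REVIEW_DATE,
                     max_def_age_days: int = 7,
                     max_scan_age_days: int = 90) -> List[str]:
    """Return the list of posture problems for one device (empty means compliant)."""
    findings: List[str] = []
    if not dev.networked:
        return findings           # stand-alone device: outside the network-scan scope
    if dev.last_scan is None:
        findings.append("never scanned")
    elif (today - dev.last_scan).days > max_scan_age_days:
        findings.append("scan overdue")
    if dev.patchable:
        if dev.installed_patch != dev.approved_patch:
            findings.append(f"patch behind ({dev.installed_patch} < {dev.approved_patch})")
    else:
        # Cannot be patched: the risk must be reduced some other way and reviewed regularly.
        findings.append("unpatchable: compensating controls required")
    if dev.av_definitions is not None and (today - dev.av_definitions).days > max_def_age_days:
        findings.append("malware definitions stale")
    return findings


def posture_report(inventory: List[Device], today: date = REVIEW_DATE) -> Dict[str, List[str]]:
    """Map asset id -> findings for every device that has at least one finding."""
    report = {}
    for dev in inventory:
        findings = posture_findings(dev, today)
        if findings:
            report[dev.asset_id] = findings
    return report


def compliance_rate(inventory: List[Device], today: date = REVIEW_DATE) -> float:
    """Percentage of networked devices with no findings, rounded to one decimal."""
    networked = [d for d in inventory if d.networked]
    if not networked:
        return 100.0
    ok = [d for d in networked if not posture_findings(d, today)]
    return round(100 * len(ok) / len(networked), 1)


# Constructed sample inventory (not real devices or hospital data).
SAMPLE_INVENTORY = [
    Device("BME-0001", "infusion server", True, True, "2016-07", "2016-07",
           date(2016, 8, 30), date(2016, 8, 15)),
    Device("BME-0002", "monitoring gateway", True, True, "2016-03", "2016-07",
           date(2016, 6, 1), None),
    Device("BME-0003", "ultrasound, legacy OS", True, False, "n/a", "n/a",
           None, date(2016, 4, 1)),
    Device("BME-0004", "stand-alone ECG cart", False, False, "n/a", "n/a",
           None, None),
]

if __name__ == "__main__":
    for asset, findings in posture_report(SAMPLE_INVENTORY).items():
        print(asset, "->", "; ".join(findings))
    print(f"networked devices compliant: {compliance_rate(SAMPLE_INVENTORY)}%")
```

The report deliberately treats "never scanned" and "unpatchable" as findings rather than silently skipping those devices, since a device that cannot be scanned or patched is exactly the one that needs a documented compensating control.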
“New incoming medical devices need to include cybersecurity documentation in addition to the incoming quality checks that our technicians and engineers perform,” Upendra says.
“At the very least, this cybersecurity documentation should include the operational and network configurations, Manufacturer Disclosure Statement for Medical Device Security (MDS2), hazard mitigation considerations, recommended compensating controls, and manufacturer guidance on vulnerability disclosure and patch management,” she adds.
She points out that policies that govern acceptance testing of new incoming medical devices, and disposal of old devices, should be included in HTM workflows. It is also necessary to communicate this information to the clinical staff – physicians, surgeons, and nurses – so they are aware of the risks that arise from connected medical devices.
Upendra says that HTM teams need to establish a service model with IS teams in which new medical devices are inspected for cyber-hygiene, existing medical devices have PHI and facility information wiped before they are shipped for service operations, and old medical devices have PHI and facility information wiped and drives re-imaged before disposal.
“Risk assessments should be performed on any and all medical devices that are capable of connecting to the network,” Upendra says. “Stand-alone medical devices, that capture and/or store PHI, should be inspected for local tampering. The information from these risk assessments needs to be communicated to the leadership teams on a quarterly basis so they are aware of the ‘health’ of medical devices in their facilities.”
To keep track of acceptable medical devices, Upendra says that developing a catalog that can be used in the procurement process is important.
“Medical devices that do not meet the organizational standards need to have appropriate compensating controls that are reviewed on a regular basis,” she says.
“I would also recommend that HTM departments develop a standard catalog of acceptable medical devices. This catalog, validated and signed off by the clinical and IS staff, will serve as a reference guide to the purchasing department(s) and the leadership when acquiring medical technologies, new facilities and outreach clinics,” she adds.
Disposing of Old Equipment
“By maintaining the ePHI and network risk level data in the CMMS and screening all medical devices before disposal. We have a policy and process that assesses the ability to contain ePHI and/or connect to the network and such devices have their ePHI media removed and destroyed prior to disposal,” Copeland says. “There is an audit trail that can identify networked/ePHI medical devices and track all the way to proper disposal. The effectiveness of that audit trail is verified annually.”
The method for making sure that a device leaves the facility without any sensitive facility information or patient information may seem counterintuitive in some instances.
“By removing and destroying all ePHI media before disposal,” Copeland says. But, he concedes, “yes, this causes a problem sometimes with trade-ins and as you can imagine precludes donation of a working device.”
Copeland says to use a service that can be relied upon to properly dispose of equipment and devices.
“We use a certified equipment recycler that properly dismantles and recycles all devices in an environmentally friendly and cost-effective manner,” he says. “Any equipment that goes back to a manufacturer or distributor for trade-in has either had its ePHI media removed and destroyed or there is a legal Business Associate Agreement on file to protect our liability.”
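Upendra’s service model (wipe PHI before service, wipe and re-image before disposal) and Copeland’s disposal policy (screen every device, destroy ePHI media or hold a Business Associate Agreement for trade-ins, keep an audit trail and verify it annually) amount to a gate that every device passes through before it leaves the facility. The following is an added example written for this article, not code from Scripps Health, Intermountain or any CMMS vendor; the record fields, disposition names, BAA identifier and sample devices are constructed assumptions.

```python
"""Pre-shipment screening gate for medical devices, with an audit trail.

Added example: the record layout, disposition names and sample devices are
assumptions for illustration, not a real CMMS schema or hospital data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

DISPOSITIONS = ("service", "trade_in", "recycle", "donate")


@dataclass
class Device:
    asset_id: str
    stores_ephi: bool                  # can hold ePHI on internal media
    networked: bool                    # holds network config/credentials (facility info)
    phi_wiped: bool = False            # PHI and facility data wiped, drive re-imaged
    media_destroyed: bool = False      # ePHI media physically removed and destroyed
    network_config_cleared: bool = False
    baa_id: str = ""                   # BAA with the receiving manufacturer/distributor, if any


AUDIT_TRAIL: List[dict] = []           # one entry per screening decision


def screen(dev: Device, disposition: str) -> Tuple[bool, List[str]]:
    """Decide whether DEV may leave for DISPOSITION and record the decision."""
    if disposition not in DISPOSITIONS:
        raise ValueError(f"unknown disposition {disposition!r}")
    blockers: List[str] = []
    if dev.stores_ephi:
        if disposition == "service" and not dev.phi_wiped:
            blockers.append("PHI and facility data not wiped before service")
        if disposition == "trade_in" and not (dev.media_destroyed or dev.baa_id):
            blockers.append("trade-in needs ePHI media destroyed or a BAA on file")
        if disposition in ("recycle", "donate") and not dev.media_destroyed:
            blockers.append("ePHI media must be removed and destroyed before disposal")
    if dev.networked and not dev.network_config_cleared:
        blockers.append("network configuration and credentials not cleared")
    approved = not blockers
    AUDIT_TRAIL.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "asset_id": dev.asset_id,
        "disposition": disposition,
        "approved": approved,
        "blockers": list(blockers),
        # Evidence that justified the decision, kept for the annual verification.
        "controls": {"phi_wiped": dev.phi_wiped, "media_destroyed": dev.media_destroyed,
                     "network_config_cleared": dev.network_config_cleared, "baa_id": dev.baa_id},
    })
    return approved, blockers


def trail_gaps(shipped_asset_ids: List[str]) -> List[str]:
    """Annual check: asset ids that left the facility without an approved screening entry."""
    approved = {e["asset_id"] for e in AUDIT_TRAIL if e["approved"]}
    return [a for a in shipped_asset_ids if a not in approved]


def run_demo() -> Dict[str, object]:
    """Screen a constructed set of devices and return the decisions for inspection."""
    AUDIT_TRAIL.clear()
    pump = Device("BME-1001", stores_ephi=True, networked=True)
    first = screen(pump, "service")                      # blocked: nothing cleared yet
    pump.phi_wiped = True
    pump.network_config_cleared = True
    second = screen(pump, "service")                     # approved after wipe + clear
    workstation = Device("BME-2002", stores_ephi=True, networked=False,
                         baa_id="BAA-EXAMPLE-01")        # constructed BAA identifier
    trade = screen(workstation, "trade_in")              # approved on the strength of the BAA
    cart = Device("BME-3003", stores_ephi=True, networked=False)
    donate = screen(cart, "donate")                      # blocked: media still present
    scale = Device("BME-4004", stores_ephi=False, networked=False)
    donate_ok = screen(scale, "donate")                  # nothing to protect: approved
    gaps = trail_gaps(["BME-1001", "BME-2002", "BME-9999"])  # BME-9999 was never screened
    return {"first": first, "second": second, "trade": trade,
            "donate": donate, "donate_ok": donate_ok, "gaps": gaps}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "->", result)
```

The gate never deletes or alters the device record; it only decides and records, so the audit trail can later show which control (wipe, destroyed media or BAA) justified each release, which is the evidence the annual verification needs.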
“Prior to these open-source tools, health care organizations were on their own when it came to ensuring cybersecurity compliance,” says Kabachinski of the tools provided by the National Institute of Standards and Technology and HITRUST.
“It was up to individual facilities to stay on top of all the current regulations and keep their frameworks up to snuff,” he says of the environment before these tools became available. He says that they have now “created a viable, robust CSF template that maps to all the current regulations and helps ensure cybersecurity protection levels remain high. Both organizations allow you to customize a framework that best fits your needs and budget. This grassroots, community-driven approach to cybersecurity is long overdue,” he adds.
In this regard, the HTM department must join IT in creating a unified and informed environment that keeps the bad actors out and patient information in. In a connected world, the challenges increase right along with the convenience.
For more information: the HIMSS Cybersecurity Survey can be downloaded at http://www.himss.org/hitsecurity
HITRUST: https://hitrustalliance.net