Cybercrime in Health Care - Part 2


Hospitals: The New Frontier for Medical Device Cybercrime

As I penned my most recent blog post last week, I did not expect a new healthcare cybercrime story to surface so quickly! Hot on the heels of the recent event at Hollywood Presbyterian, where hackers using ransomware held the hospital's systems and data hostage, a new report reveals "deadly cybersecurity weaknesses" at other hospitals. Deadly is not hyperbole here: the report describes the ability to hack directly into the medical devices built to monitor patient health and turn them into tools of harm.

So when we consider healthcare cybersecurity, the scope now includes not only access to Electronic Medical Records (EMR) and sensitive protected health information (PHI), but also the patient's physical safety. (Think patient monitoring systems and automated IV drug-delivery systems, as described in the recent Baltimore Sun article.)

The independent security consultants who carried out this "secret shopper" style intrusion profess shock at how easily they got in, but let's remember two things: (1) the FDA recently raised the warning flag, issuing new draft guidance on medical device cybersecurity, and (2) most medical device manufacturers already follow the regulations that govern the US market. Compliance by the manufacturer does not, by itself, secure a device once it is networked inside a hospital; that depends on how the hospital deploys, configures and maintains it.

As we have seen in other industries, healthcare hackers come in many guises, from lone-wolf individuals and activist groups to organized crime and nation-states. An organization's own employees are a key target, and so are the third-party vendors that provide services to the hospital. Hackers often see vendors as an easy "back door" into an organization.

The potential for harm exists, yes. But so does the potential for thwarting it. Given the tools and training to recognize everything from phishing scams to poor privacy practices, people remain the first line of defense for privacy, security and good manufacturing practice. Let's keep our sights set on prevention: policy development, training, ongoing risk analysis, third-party risk mitigation, quality management systems and compliance monitoring.

Contact us to discuss how Ostendio can help you develop, manage and track your Risk Mitigation, Information Security and Compliance.