Pre-dawn in the critical care unit at a metropolitan hospital. Shift change is still an hour away, and the overnight staff — at a bare-bones level these days — is doing paperwork after a quiet evening. Suddenly, a shrill alarm pierces the silence.
A moment later, another. Then another. And another.
In a span of minutes, there are nine “code blue” calls in the unit. Some patients aren’t breathing. Others are in cardiac arrest.
By daylight, the somber tally: four dead, and five others inexplicably in worse shape than when they arrived.
By noon, a terrifying explanation: Hackers remotely accessed the hospital’s information network and altered the software that the unit’s infusion pumps rely upon to properly administer IV drugs.
The intruders raised the dosing limits on powerful painkillers, and they adjusted the pumps’ displays to make them appear nothing was wrong. Then, for reasons unknown, they pushed the entire contents of the drug pumps into the arms of patients who were supposed to receive slow drips.
This is one scenario that unites physician leaders, health care administrators and technology experts. It’s one they constantly prepare for, and one they hope never happens.
And yet they know it’s possible, in theory.
It's no secret that today's connected information technology systems and medical devices are changing health care in radical ways. On one hand, they are driving significant improvements in the quality of care while bringing enormous productivity gains and cost savings. On the other hand, managing the growing tangle of systems and devices increases security risks, sometimes exponentially. Data, devices and systems are increasingly in the crosshairs for hackers, attackers and cyberthieves. “It's an extremely unsettling environment,” says Gene Thomas, vice president and chief information officer at Memorial Hospital and Physicians Clinics in Gulfport, Mississippi.
A concept describing the growing connection of everyday devices to the internet and/or to each other — everything from cellphones to washing machines. In health care, that can include drug infusion pumps, vital-sign monitors, bed occupancy sensors and more. Frequently abbreviated as “IoT.”
Like many executives charged with protecting systems and data, Thomas is increasingly anxious about the state of cybersecurity. “The risk is pervasive and it is growing,” he says. What's more, “Health care is fundamentally different than other sectors. It's not just about stealing an identity or money. The potential exists to hurt innocent people, or worse, by attacking systems and tampering with devices.”
Memorial, a 412-bed facility with more than 90 clinics, is increasingly vigilant about how it designs systems and networks, which vendors it selects, how it procures medical devices, and many other factors that revolve around cybersecurity.
Thomas is not alone. As the internet matures and the “internet of things” takes shape, there's a growing recognition health care providers must take cybersecurity to an entirely new level without crippling the ability of medical practitioners to do their jobs.
But many systems and connected medical devices don't measure up to essential security standards. In recent years, researchers already have discovered vulnerabilities in drug infusion pumps, ventilators, X-ray machines and MRI systems, to name a few.
“Health care providers are trying to play catch-up,” says Paul Hill, a senior consultant at Massachusetts-based cybersecurity firm SystemExperts Corp. “But many are falling further behind.”
According to cybersecurity firm ZingBox, 90 percent of hospitals were victims of cyberattacks in 2014 and 2015, leading to $6 billion in annual costs. Unprotected medical devices are the top vulnerability.
Connected medical devices allow health care organizations to gather data about patients, monitor their conditions, and track the location of medical devices as well as how they’re used in hospitals. According to a July 2017 study conducted by cybersecurity firm ZingBox, connected devices now reside on 90 percent of health care networks.
Gene Thomas, chief information officer at Memorial Hospital at Gulfport, says gaining the support of the C-suite and board helps ensure funding for data security and sets a tone for the organization. | Memorial Hospital at Gulfport
However, 70 percent of health care providers mistakenly believe that traditional security methods are sufficient for managing the task. “The reality is that there are enormous risks and too many organizations are stuck in a patch-and-pray mentality,” says Sean Smith, director of the Institute for Security Technology and Society at Dartmouth College.
A 2015 paper Smith co-authored, Workarounds to Computer Access in Healthcare Organizations: You Want My Password or a Dead Patient?, found gaping holes in authentication methods, deauthentication procedures, permission management and more.
“In the ‘IoT’ world, it's not inconceivable that someone could gain access to systems or devices and remotely change data or parameters, or drain battery life, to wreak havoc on patients,” he says. No less frightening: Cybercriminals who control a connected system could hold data — or actual patients — for ransom.
The FBI says a typical ransom ranges between $200 and $10,000. However, over the last few years, several hospitals have been attacked by ransomware — malicious software designed to block access to a computer system until a sum of money is paid. That includes a Southern California facility that forked over about $17,000 to unlock its systems and files.
Byron C. Scott, MD, deputy chief health officer for Simpler Consulting, part of IBM Watson Health, asserts the top organizational goal has to be protecting patient information.
Other IoT risks are downright chilling. In 2015, researchers at the University of Washington hacked into public communication systems that control teleoperated robots. They could make a robot perform in a jerky and difficult-to-control way — and even shut it down by overloading it with input. In 2013, a cybersecurity expert remotely hacked into an infusion pump and proved he could remotely administer a lethal dose of drugs through the device. Others have breached pacemakers, blood refrigeration units, CT scanners and X-ray machines.
Meanwhile, the U.S. Food and Drug Administration has issued a warning and guidance document for pre-market connected medical devices. And in 2015, the FBI also issued a warning for medical devices and wearables.
“Device developers are rushing into the market with the internet of things,” warns SystemExperts’ Hill. “There is a lot more emphasis on producing a product than making sure it's secure. In many cases, they are simply embedding a version of Linux [a widely used, community-developed computer operating system] or another operating system into the device and then building features on top of it. There is little or no review of the security architecture during the design and development phases. In addition, many companies aren't performing penetration tests and conducting internet exposure profile tests before releasing the product.”
A 2016 report from market research company Forrester, Healthcare’s IoT Dilemma: Connected Medical Devices, notes that the health care sector suffered more data breaches in 2015 than any other industry. Overall, more than 100 million people were affected in the United States alone. The problem? Health care companies spend only about 15 percent of their total IT budgets on security, trailing every other industry.
The report says connected medical devices are subject to four key attack scenarios:
Cybersecurity consultant Paul Hill says some manufacturers of new medical devices are rushing into the market, putting more emphasis on production than security. | Photo from Paul Hill / SystemExperts Corp.
Denial of service: Interrupting authorized users’ access to a computer network, usually followed by a demand for a ransom payment to cease.
Patient data theft: Using malware or exploiting a system weakness to gain access to an electronic health record and steal personal information.
Therapy manipulation: Illicitly adjusting a patient’s treatment via unauthorized access to a connected medical device.
Asset destruction: Intentionally destroying or damaging a medical device.
Analyst Chris Sherman points out that physicians and other health care professionals tend to “prioritize timely care over security.” In fact, 46 percent circumvent their organization’s security policies in pursuit of greater efficiency, while 29 percent say security policies are too strict or unreasonable.
“Most medical professionals and executives aren't even aware that weaknesses and vulnerabilities exist,” says James Fine, MD, chief information officer at the University of Washington Medical Center. “They don't think of the equipment they use as network devices, and they don't recognize that they could lead to a breach.”
UW Medical Center learned this lesson firsthand several years ago. When a security executive at the medical center visited the facility as a patient, he raised questions about an IV pump. Chief technology officer David Chou, MD, began probing the system and quickly discovered a gaping vulnerability. “We insisted that the vendor repair it, but obviously, how we discovered it was somewhat of a fluke.”
An extra layer of security, requiring not only a username and a password but also something (information or a physical item) else that only the individual user knows or has on hand.
Joseph Kim, MD, EHR expert and president of Q Synthesis, a health care education and quality improvement company, says medium-sized and small hospitals are struggling the most with data security.
“Start with the concept that a multilayered security approach is essential and that it must span many different touchpoints,” explains Steve McGee, senior project consultant at SystemExperts. “It's also important to think very differently about cybersecurity than in the past. A more flexible and nuanced approach is necessary.” Traditional security practices remain an important part of the picture. These include such things as authentication (including two-factor authentication), access controls, encryption, malware detection and much more. But those alone aren't enough. Interconnected devices mean more opportunities for attacks and introduce the specter of new types of assaults that can compromise an enterprise.
Health care facilities must identify all systems and devices they use as well as purchase requirements, says Dan Bowden, vice president and chief information security officer at Sentara Healthcare, a Virginia-based not-for-profit system with 12 hospitals, nearly 28,000 employees, more than 300 sites of care, four medical groups, and a health plan that serves 450,000 members.
“You must have an accurate inventory of devices, including the manufacturer along with the make and model. You must understand how these devices are configured, what operating systems they run on and how patches and firmware upgrades take place,” he notes. What's more, once a facility has an inventory in hand, “it's critical to map the potential threats against the assets. You can then create robust controls for the devices.”
Procurement processes also must reflect organizational security, explains Scott Richert, vice president of technology services at Mercy, which operates 32 acute-care hospitals, 11 specialty hospitals and more than 700 physician practices and outpatient facilities in Missouri, Kansas, Oklahoma and Arkansas. It also has documented its systems, networks and devices. At Mercy, this led to an extensive vendor survey that includes upwards of 100 questions. These include issues such as: What's your patching cadence? What's your authentication method? What's your encryption method?
Sean Smith, director of the Institute for Security Technology and Society at Dartmouth College, has found that too many health care organizations are stuck in a “patch-and-pray mentality,” | Dartmouth College
“We do as much as possible to validate the responses and make sure they are correct,” he says. Richert also focuses on both internal systems and how devices tap network resources. “It's important to watch ‘east-west’ traffic flows, understand how devices talk to one another and either isolate or drive out devices and platforms that aren't being supported or patched,” he explains. Yet the task of managing devices and data doesn't stop there. “You have to know what data is going back to the vendor or to third parties.”
Michael Bakerman, MD, CMO at St. Elizabeth’s Medical Center in Massachusetts and a former chief medical information officer at Massachusetts Memorial Health Care, discusses the vulnerability of health systems.
When he encounters a device or platform that is critical for the organization but lacks essential built-in security, “we look for ways to isolate the technology or we use tools to spot anomalies,” he adds. Among other things, Bowden says that he watches for signs of spoofing (falsifying credentials or other data) or attempts to place fraudulent authorizations or certificates.
Analytics and artificial intelligence tools are beginning to make a mark, Hill says. Although many organizations already track login locations and machine IDs, a new generation of tools can provide deep insights into unusual device and data behavior.
AI tools can be used to analyze login monitoring but also to watch data as it flows across networks. “They can identify suspicious patterns and provide an alert or shut down a network port,” he notes. However, this approach isn't a substitute for human supervision. “You really have to understand what is and what isn't valid traffic. Otherwise, you can wind up putting lives at risk by crippling devices and choking off data. You don't want a system shutting down or unavailable at a critical moment,” he warns.
Hill also recommends taking a close look at networks, including Wi-Fi. Although most facilities already operate separate networks for internal use and guests, a more granular approach might be better. “It's important to segregate data and have essential access controls in place,” Hill says. Unfortunately, he notes, many current IoT devices lack support for key network-access control protocols. Consequently, “You may need to add technology and processes to assist with the task.”
A multilayered security program also extends beyond technology and processes. Education and training are also important pieces of the puzzle. Helping medical practitioners and staff spot suspicious links in emails also is paramount.
Scott Richert, vice president of technology services for the Mercy health system, says his organization sends an extensive security survey to vendors, then validates responses to ensure they are correct. | Mercy
Working with the C-suite and board of directors — and ultimately gaining their support — also is essential, says Memorial Hospital’s Thomas. This helps ensure adequate funding, but it also sets a tone for the entire organization. However, “You must frame things in a way that makes sense for them. You must answer their questions and make everything relevant.” Adds Bowden: “It's important to keep the message simple and direct, largely revolving around assets, threats and recommendations.”
In the end, Hill says, health care security executives must think about risks and protections in a more holistic and broad way. As consumer wearables, remote monitoring and new IoT sensors and devices enter the picture, there will be a greater need to monitor activity — and also establish a governance and control framework that addresses devices, perhaps in a way similar to today's mobile device management solutions.
“The internet of things and connected medical devices offer many advantages. They will create productivity gains and improve the quality of care,” Hill says. “But they also introduce many risks. They must be actively and carefully managed.”
Samuel Greengard is a business and technology journalist based in Oregon. He is the author of The Internet of Things (MIT Press, 2015), which explores the benefits and risks of the connected world.
AUDIO INTERVIEWS: Rick Mayer and Lesley Valentin
More Articles From The Physician Leadership News
Women, ethnic- and racial-minority, and LGBTQ people commonly experience microaggressions in the workplace. These behaviors often surface in the form of jokes, exclusion of some voices in meetings,
This article provides four steps that can help physicians translate “doctor speak” into the type of “business speak” that is more likely to get things done in a complex health system. It offers
Despite preparing a sound business case, including identifying and integrating the potential quality and cost implications, decision-makers often remain reluctant to move forward, given the potential