Cybersecurity in Medicine – An overview
Healthful Vitality | 11/19/2019 | By Dr. Faiq Shaikh, MD
Technology is becoming an all-pervasive part of medicine. And while there are tremendous benefits to the applications of technology in healthcare, there are several unique challenges as well. For example, there are significant issues around medical data security, medical device integrity, and reliability of medical equipment and informatics workflows. It is critical to identify them, not only as a matter of academic interest but also for practical diligence to ensure the undisrupted and safe use of medical technology for optimal healthcare delivery. As we usher in the era of big data in medicine, we must address these critical points of vulnerability and explore new solutions.
Cybersecurity in medicine: Service downtime and security breach
When it comes to medical devices, service downtime and security breaches are two important concerns. For devices designed for clinical use, such as cardiac pacemakers, bionic implants and external sensors, reports of data breaches are common and alarming. It is important to evaluate the current landscape of cybersecurity threats and the challenges in addressing them, and to provide meaningful and robust solutions.
Cybersecurity in medicine: Data breach attacks in healthcare
Currently, data breach attacks in healthcare are at an all-time high. According to a recent study, 90 percent of healthcare providers reported having suffered a cyber-attack, and approximately half of those incidents were criminal in nature. From 2016 to 2017, there was a 9 percent increase in such attacks. Some of the factors responsible for this rise in attacks include inadequate staff and funding for IT security, the high value of healthcare and insufficient awareness amongst medical device users.
Increase in interconnectivity among medical devices
The drastic increase in interconnectivity among medical devices has positive implications, but it can also lead to unauthorized access, making the devices highly vulnerable. These devices have multiple sensors and monitors that serve as potential entry points into the hospital’s larger network. This type of attack can lead to a breach of data, diagnostic errors, patient privacy issues or, even worse, a ransomware attack.
Cybersecurity in medicine: Embrace new technology in healthcare
It is vital to ensure that as we embrace new technology in healthcare, we are in no way compromising on patient safety and privacy. Cybersecurity threats can be external (e.g., wireless vulnerability) or internal (e.g., software integrity). And all electronic devices in medical use are potentially susceptible to electromagnetic wave interference as well. Wireless attacks can be passive (eavesdropping or stealing data) or active (taking control over the device).
Cybersecurity in medicine: The issue of systems vulnerability
When discussing the current cybersecurity issues, it is essential to address the issue of systems vulnerability, which refers to a weakness in a computer system that a threat actor can exploit to perform unauthorized actions within that system. These threats range from minor to major, and they have to be stratified in order to have a graded action plan based on the severity of the risk. Therefore, we have to identify all possible critical threats, which involves knowing all potential threat actors, studying all possible methods they can use to attack, and understanding what possible motivations they could have.
Medical devices need to be equipped with a security system to prevent unauthorized access to devices and minimize the potential adverse effects of such intrusions. In addition, they should be able to prevent or withstand data corruption, and safety layers need to be in place to minimize the impact of an attack.
Protected health information
In a healthcare facility, the clinical engineering department is responsible for devices that are connected to the network and that generate or store protected health information. There needs to be a preventive maintenance cycle to ensure device security. For devices that are allowed for clinical use, suppliers should be required to submit their Manufacturer Disclosure Systems for Medical Device Security (MDS2) statement, which should then guide evaluations of medical devices before any purchase order is issued. Furthermore, educating users and patients on the risks of medical devices is essential, which can also help avoid any unintentional attacks and threats to the organization. What HIPAA has done for safeguarding protected health information (PHI), new policies can do for cybersecurity. Recently, the FDA has released guidelines on post-market management of medical devices. These guidelines call on manufacturers to update these devices with the correct security protocol.
With time, cybersecurity threats have become more sophisticated. Previously, a ransomware attack focused on getting access to confidential data through medical devices. More recently, the attacks are coming from the endpoints that the providers cannot control. This situation is critical because it is no longer the case that the provider pays the ransom to get back the stolen information. Instead, they must pay to avoid a situation threatening the patient’s life.
Improve preparedness to prevent cybersecurity threats
As cybersecurity threats become more complex, there is an ever-greater need to improve our preparedness against them. Artificial intelligence can play a role in protecting patient data by enhancing our ability to detect such attacks and breaches. AI models can be trained with the help of ethical hackers, who can identify loopholes, test the system defenses and bring the vulnerabilities to attention so that they can be patched accordingly.
With the ubiquitous use of technology in healthcare, we are bound to encounter more cybersecurity challenges. And whether it’s with the help of “ethical hackers,” AI, or both, the increasing threat to cybersecurity has to be dealt with effectively. A concerted effort by manufacturers, clinical IT departments, users, and patients can ensure the safety and privacy of patient data so that they can avail themselves of the true benefits of technology in medicine.