Medical devices need security too

Last updated: 21 March 2014

This quote stood out for me in an article I read on the Bloomberg tech blog recently:

“Medical devices have not been a focus of the computer-security industry.”

In the article, Jordan Robertson references a new study by the Ponemon Institute that reveals nearly three-quarters of 80 healthcare organizations surveyed in the US said they don’t secure their medical devices, even though they contain sensitive patient data. In the US, very few people take healthcare for granted. So why are hospitals taking medical devices for granted?

In healthcare, losing the records of your past can quite literally result in the loss of your future. It is one thing to be subject to a financial identity theft where it takes time to remove the illegal activity. It is another to have someone compromise your health record where it might be impossible to remove a fraudulent bill claiming you have some form of terrible sickness. Personal health information is often the hardest data to restore and many people who have experienced medical identity theft spend the rest of their lives trying to correct their health records.

As more medical records move online, the need for secure technology in hospitals is growing rapidly. Health Information Exchanges (HIEs) form a large part of a doctor’s network, and while no one can deny these digital systems are speeding up access to vitally important records and saving clinical organizations huge amounts of money, if not properly protected, they are as vulnerable as the patients they help.

To outline the scope of the problem, the US’s largest HIE serves more than 19,000 doctors and 80 hospitals, with data on more than seven million patients, connecting hospitals, rehabilitation centers, long-term care facilities and research laboratories, to name a few. The number of medical data breaches over the past three years is staggering. If, as the Ponemon survey says, 69 percent of hospitals are neglecting multi-factor authentication to secure their network of connected devices, from computers to mammography machines, they’re left open to hackers from all over the world.

94 percent of respondents to the survey said they had experienced at least one data breach in the past two years, many of which cost the organizations over $1 million. For individuals, medical data breaches can have far-reaching implications for insurability and insurance rates: the ability to get life insurance, the ability to get insurance to pay for a procedure, and many other activities where health is a criterion.

It’s true that as many machines connect to the internet, they become more intelligent and yet, without protection, more vulnerable. Consider the breach of a machine that delivers a specific dosage of drugs to someone at a certain time of day and you’ll realize the importance of digital security in healthcare. It’s painful to think that in an emergency situation, if a fraudulent action comes up on your own health record, it could cause a medical professional to misdiagnose what is happening based on incorrect information.

This means that protecting access to medical records should be viewed as a top priority in healthcare. While it does not seem as critical as a doctor treating a patient in an emergency situation, the long-lasting impact of this type of personal information breach should have IT professionals responding to this issue with a high sense of urgency.