According to recent research, 81 percent of U.S. healthcare organizations will increase information security spending in 2017.
This is reflective of an industry undergoing rapid technological and social change. The digitization of health information, while initially driven in the U.S. by the HITECH Act, is now being compelled by new forces, such as patient demand for access to their records via web portals and smartphone apps, as well as the increasing adoption of connected medical devices. While this digitization creates efficiency, it comes at a price: individual healthcare data is exposed to more people, in more places and on more devices.
When it comes to data as sensitive as private health information, the potential for an attack should always be taken seriously. Healthcare data has become one of the most desirable commodities for sale on black market sites – and for good reason. An extensive medical record contains enough information not just to apply for credit cards or loans but also to compromise patients’ financial accounts and generate huge sums from fraudulent medical charges. And, unlike some revocable forms of PII, such as a credit card number, many elements of an electronic patient record are permanent. As such, healthcare data is at a premium, which does not bode well at a time when data breaches are at an all-time high and organizations are still grasping how to handle these new and improved threats.
With patients’ PII being the prize, hackers are increasingly honing their skills to get their hands on this valuable data. And unfortunately, they’re getting good at it – putting patient data, and even patients themselves, at risk. Lest we forget, the perpetrators of the 2015 hack on health insurer Anthem – in which nearly 80 million patient records were exposed on the dark web – still have not been positively identified.
For healthcare data to remain safe from cyber exploitation, cybersecurity strategies need to move beyond laptops and desktops to reflect a world of internet-connected heart-rate monitors, implantable defibrillators and insulin pumps. Worryingly, today’s devices can be laden with security problems such as outdated firmware, unaddressed bugs and vulnerabilities. What’s more, medical device vendors may employ open source software in order to accelerate products to market without looking at the security implications.
One solution to keeping hackers at bay, though, is to embed ‘digital birth certificates’ into modern medical devices. Based on strong cryptographic protocols, digital birth certificates create a unique ID for each and every device, which can prevent the introduction of unauthorized code or unauthorized access.
Once embedded in medical devices, certificates can also be particularly useful in defending against remote attacks that may introduce malicious code or alter the purpose of a device, as the attempted update would fail the authenticity test. And with a reliable public key infrastructure in place, firmware updates can be signed by an authorized source and validated by the end device before installation is permitted.
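The check a device would run before installing an update, sketched as an added example (not code from this article or from any vendor). It assumes a two-level chain in which a manufacturer root vouches for a firmware-signing key, and it uses textbook RSA with PKCS#1 v1.5 padding in standard-library Python as a stand-in for X.509 certificates and a vetted crypto library or HSM; every name in it is hypothetical.

```python
import hashlib, secrets

# DER DigestInfo header for SHA-256, as used by PKCS#1 v1.5 signatures
PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def is_prime(n):  # Miller-Rabin, for odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(24):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x not in (1, n - 1) and all(pow(x, 2 ** i, n) != n - 1 for i in range(1, r)):
            return False
    return True

def keygen(bits=1024, e=65537):  # constructed demo RSA key: ((n, e), (n, d))
    def prime():
        while True:
            p = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if p % e != 1 and is_prime(p):
                return p
    p, q = prime(), prime()
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def encode(msg, n):  # EMSA-PKCS1-v1_5 padding of SHA-256(msg), as an integer
    t = PREFIX + hashlib.sha256(msg).digest()
    pad = b"\xff" * ((n.bit_length() + 7) // 8 - len(t) - 3)
    return int.from_bytes(b"\x00\x01" + pad + b"\x00" + t, "big")

def sign(msg, priv):
    return pow(encode(msg, priv[0]), priv[1], priv[0])

def verify(msg, sig, pub):
    return 0 <= sig < pub[0] and pow(sig, pub[1], pub[0]) == encode(msg, pub[0])

def issue_cert(pub, issuer_priv):  # stand-in for an X.509 "birth certificate"
    return {"pub": pub, "sig": sign(repr(pub).encode(), issuer_priv)}

def device_accepts(firmware, fw_sig, cert, root_pub):
    # Signer key must chain to the provisioned root, then the image must verify.
    return (verify(repr(cert["pub"]).encode(), cert["sig"], root_pub)
            and verify(firmware, fw_sig, cert["pub"]))

def demo():  # constructed cases: genuine update, altered image, unauthorized signer
    (root_pub, root_priv), (s_pub, s_priv), (x_pub, x_priv) = keygen(), keygen(), keygen()
    fw, cert = b"constructed firmware image v2", issue_cert(s_pub, root_priv)
    rogue = issue_cert(x_pub, x_priv)  # self-issued, not signed by the root
    return (device_accepts(fw, sign(fw, s_priv), cert, root_pub),
            device_accepts(fw + b"!", sign(fw, s_priv), cert, root_pub),
            device_accepts(fw, sign(fw, x_priv), rogue, root_pub))
```

Only the root public key has to be fixed in the device at manufacture; the signing key can be rotated by issuing a new certificate under the same root.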
As the number of medical devices continues to rise, and as more of our patient records become digitized, getting security right is critical. Reports of devices such as the St. Jude Medical cardiac implants being vulnerable to potentially life-threatening cyberattacks should act as clear warnings of what could happen if robust cybersecurity measures are neglected. Security needs to be enforced and improved at the manufacturer level, including introducing digital birth certificates into devices right from the start. Only then can we mitigate the potential damage medical attacks can cause in the future.
About Jim DeLorenzo
Jim DeLorenzo has a broad background in communicating information technology solutions to enterprise customers, focusing on healthcare solutions at Thales e-Security. He has focused on cybersecurity for the past 4 years, previously working for organizations that provide vulnerability analysis and endpoint security products. He received his bachelor’s degree in finance from the University of Rhode Island and his master’s degree in marketing from the University of Colorado at Denver.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.