What Wannacry Taught Us About The Importance Of Healthcare IT Security -- Campus Security Today

What Wannacry Taught Us About The Importance Of Healthcare IT Security

With the rise in threats and the increased exposure healthcare facilities face, cybersecurity investments need to be mandated and enforced

By Karin Ratchinsky
November 01, 2017

WHEN HEALTHCARE LEADERS THINK ABOUT A SECURITY BREACH, HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT COMPLIANCE VIOLATIONS TYPICALLY COME TO MIND. HOWEVER, THANKS TO THE RAMPANT DIGITIZATION OF CARE-CRITICAL TOOLS AND APPLICATIONS, A CYBERATTACK ON A HEALTHCARE ORGANIZATION’S COMMUNICATIONS INFRASTRUCTURE OR COMPUTER SYSTEMS CAN NOW JEOPARDIZE MUCH MORE THAN PATIENT DATA.

The recent WannaCry ransomware attacks compromised an estimated 200,000 systems across 150 countries, including the United Kingdom’s National Health Service system. This breach came uncomfortably close to a life-or-death situation when 16 hospitals were unable to access patient data and diverted ambulances to other facilities. The scariest thing about the WannaCry attack, from a healthcare policy perspective, is that the NHS was not specifically targeted. Dozens of hospitals across England were brought down simply because their IT systems were vulnerable to malware, which placed the lives of their patients on the line.

More than 6 billion devices (including wearable sensors and personal health monitors) were connected to the Internet of Things by the end of 2016. IT research company Gartner, Inc. expects that number will surpass 20 billion by the year 2020. While protecting confidential patient information remains important, the focus of healthcare IT security policy is going to have to shift more toward protecting and ensuring the performance of digitized mission- or care-critical applications.

A GROWING CONNECTION BETWEEN HEALTHCARE DEVICES

The potential of internet-connected medical devices combined with the power of artificial intelligence in healthcare is exciting. Some devices already allow pharmacists to research patients’ allergies or other medications before dispensing pharmaceuticals. Others allow nurses to better monitor patients in ICU environments and speed response time when digital monitors indicate vital signs are deteriorating. This is the tip of the iceberg that digitization and artificial intelligence bring to medical innovation.

Although the IoT and AI are still relatively new in healthcare, their capabilities have already helped systems scale and provide better care. Other exciting developments include mobilizing care to patients’ homes and alerting patients of impending seizures, low blood sugar levels, heart arrhythmias, and more.

Care delivery organizations are becoming more dependent on digital information, tools, and applications. Because of this dependence, it has become exponentially more important for IT security to protect the performance and continuity of these tools.

CAN HEALTHCARE POLICY PROTECT US?

Last year, 114,000 diabetic patients were notified that their insulin pumps were vulnerable to being hacked. Attackers could breach the devices, disabling them or altering the dosage, which forced the product’s manufacturer, Johnson & Johnson, to issue a notification, along with ways for patients to mitigate the risks.

Kevin Fu, director of the University of Michigan’s Archimedes Center for Medical Device Security, pointed out that the manufacturers “did not anticipate the cybersecurity risks” when they first designed the product. Even if they had, the product was designed nearly 10 years ago, and hackers’ capabilities have advanced significantly since then.

The truth is that any internet-connected electronic device could eventually be broken into, and there is no 100 percent guaranteed way to secure it. However, policies can be implemented at organizational, state, and federal levels to help ensure that healthcare organizations are able to proactively take necessary security measures.

Government lawmakers can facilitate this change by devising appropriate standardized protocols that will greatly reduce the risks of patients’ care falling victim to another ransomware attack. Here are three areas where policymakers should focus their efforts in this regard.

UPDATE AND IMPROVE SECURITY POLICIES.

It is evident that healthcare security policy needs to encompass rules and best practices that go above and beyond protecting the privacy of confidential patient data. Protection of protected health information, per HIPAA mandates, remains important, but instating rules and policies that ensure organizations invest in tools and best practices that maintain the continuity of care-critical tools and applications is long overdue.

The impact WannaCry had on 16 U.K. hospitals is a wake-up call and highlights the ubiquity of cyber threats and their impact on delivering care. These threats are real and constantly evolving. Lives depend on organizations taking a deeper look at how they can ensure care continuity with comprehensive security policies and procedures.

We can look to the financial services industry as an example of a field that has strict data privacy requirements in place, especially the requirement of a response plan. The Federal Deposit Insurance Corporation, for example, requires secure logins with government-issued IDs to access its computers, as well as a third-party end-to-end assessment of security and privacy protocols.

Cyber threats are constantly evolving and becoming more sophisticated, so having an institutionalized response plan is critical in the event that a breach that they are not proactively prepared for takes systems down.

SCRUTINIZE DEVICE SECURITY AT THE FDA LEVEL.

To deter cyberterrorism, the U.S. Food and Drug Administration needs to hire highly skilled security personnel and instate strict rules and regulations on devices to ensure that security protocols are in place. Just as the FDA requires drug trials before approving prescription and over-the-counter medications for use, it should also take measures to confirm that devices released to the market are secure and that manufacturers have invested in certain best practices and upgrades. This type of policy is needed to prevent breaches such as the Johnson & Johnson insulin monitor hack from occurring in the future and ensure the continued safety of patients relying on care-critical devices and connected applications.

Fortunately, legislators at the federal level have taken note and are now taking action. In July, a bipartisan group of senators announced plans to introduce a bill that would help shore up defenses against vulnerabilities posed by IoT devices. This legislation would require vendors to ensure that all connected equipment they provide to the government conforms to new security standards with patchable products.

The bill includes new policies that aim to address the market’s failure to incentivize manufacturers to focus on stronger security features in new product designs. It will provide ongoing recommendations to improve the security of federal networks.

INCENTIVIZE COMPLIANCE.

Compliance requirements and financial incentives are necessary for healthcare systems to adopt and implement adequate security parameters. Otherwise, budget-constrained healthcare providers will often choose to invest in a revenue-generating, care-providing system, like an MRI machine, rather than a seemingly preparatory IT security initiative.

Incentives can combat this behavior by appealing to the natural human (and business) urge to prioritize investments offering tangible returns. Facilities that have never experienced the effects of a breach will find it even more difficult to invest in security without proper incentives.

Currently, there is too much focus on the compliance side of the house. Healthcare organizations need to consider care continuity for digital tools as well as the need for IT security systems to disclose certain breach types—not just whether data has been compromised, but whether systems have been.

With the rise in threats and the increased exposure healthcare facilities face, these types of investments need to be mandated and enforced. If they’re not, healthcare organizations and hospital systems that are reluctant to allocate budget toward bolstering and upgrading their defenses will find themselves in the same predicament in which the WannaCry attack placed the NHS earlier this year.

This article originally appeared in the November 2017 issue of Campus Security Today.

How Micro-Segmentation Helps Secure Digital Threats Facing Educational Sector
11/13/2024
Building a SOC to Enhance Campus Security Operations
11/07/2024
ASIS K-12 School Security Standard Should Arrive in 2025
11/06/2024
University of New Haven Deploys ZeroEyes’ Proactive Security Technology
10/30/2024

Featured

Black Hills State University Takes an Open, Scalable Approach to Video Security

Black Hills State University recognized the need for a centralized video system to improve campus security and streamline operations. The university sought a solution that could unify its main campus with a satellite location, enable cross-department access, and scale with future growth. By implementing open platform video technology, BHSU laid the foundation for a comprehensive, flexible, and scalable security infrastructure. Read Now
- Video Surveillance
Pennsylvania School Uses Locked, Rolling Security Grille to Control Spectators, Secure Building

St. Jude School in Mountain Top, Pennsylvania, is a private Catholic elementary school that serves students from Pre-K through grade 8. Recognized as a Blue Ribbon School by the U.S. Department of Education, St. Jude offers diverse educational programs designed to foster a nurturing and challenging learning environment, and extracurricular activities like sports are an integral part of promoting teamwork, discipline, and physical fitness. Read Now
- Facility Security
Fire-Rated Glazing Assemblies Modernize Academic and Social Hub

In spring 2023, the University of Pittsburgh opened the doors to a seven-story west wing addition to Alan Magee Scaife Hall. The medical school building features several updated lecture halls, labs and classrooms. It also includes team-based learning and small group rooms as well as an entire floor dedicated to medical students. This floor is meant for students to congregate, study and build community. Read Now
- Fire Life Safety
Access Control Trends Continue to Strengthen School Safety Security

Class period bells have been ringing across campuses for a few months now, but that doesn’t mean the subject of safety was fully settled before the start of the new school year. As one wise person once said, “It’s a journey, not a destination”. That’s why it remains a leading issue among administrators, faculty, students, and communities. Schools are striving to be at the top of their class when it comes to the ability to control access instantly and securely, monitor suspicious behavior accurately and consistently, and respond to threats immediately and effectively. Ultimately, they aim to provide a reassuring, comfortable, and conducive environment for a rich learning experience. These goals apply whether at a community college in Southern California, a major university in Pennsylvania, or a rural K-12 district in Michigan. Read Now
- Access Control

Webinars

BriefCam

Maximizing Your Investment: The ROI of Video Analytics
Hanwha Vision (formerly Hanwha Techwin), Eagle Eye Networks Inc, Salient Systems, Safety Technology International Inc., AtlasIED, Omnilert, Paxton Access Inc., Napco Access Pro, Hirsch, CENTEGIX

Lessons Learned from an Active Shooter Crisis
Push-to-Talk over Cellular – The NEXT Revolution

Whitepapers

HID Global

Securing K-12 Schools From the Inside Out
HID Global

The Truth Behind 9 Mobile Access Myths
NaloxKit

The Critical Need for Naloxone on School Campuses