Editor's Note: The following is a press release for a new book from Paul Cerrato, one of the iMedicalApps writers. We’re big fans of his work and wanted our readers to know about his new book.
Over 1,000 healthcare organizations have been plagued by data breaches in recent years, causing massive exposure of protected health data at Anthem, Premera Blue Cross and many other major organizations. These incidents make it abundantly clear that healthcare has become a lucrative target for attackers. Ignoring this threat by putting cybersecurity near the bottom of the priority list is costing hospitals, medical practices, and insurers millions of dollars in fines, lawsuits, and bad press.
Protecting Patient Information: A Decision Maker’s Guide to Risk, Prevention, and Damage Control, by Paul Cerrato, provides the concrete steps needed for tightening the information security of any healthcare IT system and reducing the risk of exposing patient health information (PHI) to the public. This book offers a systematic, 3-pronged approach for addressing the IT security deficits present in healthcare organizations of all sizes. Healthcare decision makers are shown how to do an in-depth analysis of their organization’s information risk level. After this assessment is complete, the book offers specific measures for lowering the risk of a data breach, taking into account federal and state regulations governing the use of patient data. Finally, Protecting Patient Information outlines the steps to take if an organization experiences a data breach, even if it takes all the right precautions.
An excerpt on medical device security from the book, which is published by Elsevier/Syngress, follows:
Medical device security remains one of the most challenging and contentious areas to manage. Device manufacturers insist that hospitals and medical practices keep their hands off the inner workings of their products while providers complain that the technology inside the devices is too often out of date and thus vulnerable to attack, or impossible to update with the latest anti-malware patches.
Although provider organizations have legitimate concerns about the lack of security of medical devices, playing the blame game is counterproductive. The top priority of device manufacturers is patient safety/device functionality, not the ability of their devices to be securely linked to a hospital’s computer network. They take this responsibility seriously because they realize that corrupted software or hardware in an IV pump, heart defibrillator, or blood gas analyzer can kill patients.
Sean P. Murphy, a respected healthcare security specialist, sums up the dilemma this way: “Unlike other computing device manufacturers, medical device manufacturers retain a great deal of responsibility for their devices even after they are sold … the reason for this has to do with safety rather than cyber security, and this responsibility can actually introduce security risks. Because medical devices are FDA-regulated and patient safety is a concern, medical device manufacturers must test and approve all third party software before a healthcare organization can update a medical device. This process can, at best, delay the software vulnerability patch management process; at worst, it can cause medical devices to remain unpatched and vulnerable to exploit on the hospital LAN [local area network].”
HOW REAL IS THE THREAT?
Some business executives and physicians may be skeptical about the risks posed by medical devices. Is this paranoia? Consider the evidence to date: In 2011, Jay Radcliffe, a computer security researcher, demonstrated that he could hack into a Medtronic insulin pump and gain remote control of the device. Since then, Barnaby Jack, another security specialist, has shown he can cause some medication pumps to deliver fatal insulin doses from up to 300 feet away.
In 2010, a Veterans Affairs catheterization lab in New Jersey had to close down temporarily because its computerized devices were infected with malware. Similarly, William Maisel, deputy director of science and chief scientist for the FDA Center for Devices and Radiological Health, has stated that the FDA is “aware of hundreds of medical devices that have been infected by malware… It is not difficult to imagine how these types of events could lead to patient harm.”
More recently, in July 2015, both the US Department of Homeland Security and FDA warned hospitals not to use a Hospira Symbiq infusion pump because of a security vulnerability that allows hackers to gain remote control of the system. And John Halamka, MD, CIO at Beth Israel Deaconess Medical Center (BIDMC) in Boston, has described a breach involving a medical device that had to be reported to federal authorities. As he explained, the breach occurred “when a medical device manufacturer removed our hospital provided security protections in order to update a device from the Internet. It took about 30 seconds for the unprotected device to become infected and transmit data over the Internet. The Office of Civil Rights adjudicated that it was the manufacturer, not BIDMC, which was responsible for the breach. We were advised to follow any visiting manufacturer reps around the hospital to ensure that they do not remove hospital provided security protections in the future.”