Recent studies have shown that healthcare organizations are the target of a new cyberattack every two weeks. Although it would be difficult to find any healthcare providers who haven’t heard of WannaCry, most are unfamiliar with Lucky, Philadelphia and Defray.
Those are just a few of the cyberattacks that emerged following WannaCry, and they are very different from the attacks of old. They represent a shift in hacker behavior.
Soon after WannaCry, which started this new cyberattack trend, the U.S. Department of Health and Human Services (HHS) stated that it was aware of two large, multistate hospital systems in the U.S. that continued to face significant operational challenges. Technologists discovered the virus persisted even on a machine that had been patched—and while the virus could not spread to a patched machine, the attempt to scan could disrupt the Windows operating systems when it executed.
The latest wave of attacks also revealed that even if a healthcare system's own network is intact, affected vendors and the disruption to the services they provide, such as transcription services, can have a negative impact on the system.
While healthcare organizations have been somewhat slow to adopt and adapt new technology, manufacturers of the important equipment we use in our daily provision of care have quickened the pace of innovation with the intention of improving patient care. But the recent barrage of attacks raised concerns and brought awareness. It has made us think about our vulnerabilities, and IoT security is one such vulnerability that deserves increased focus.
Physicians and healthcare leaders are focused on high-quality, safe and effective patient care. We often focus on care delivery and underestimate the effects of a disruption. Our physician colleagues from the NHS have called on physicians to recognize the physical harm that can befall patients when our IT system is victimized by a cyberattack. Just as we would ensure medications are not expired or tampered with, we are obligated to have a sufficient understanding of the technology we use and ensure our software is not expired or tampered with. That is an especially important role for chief medical officers and chief medical information officers.
Since hospitals rely on many connected IoT devices to provide critical care, providers must recognize that these devices were designed for patient care, not security. Left unprotected, these devices are prime targets for hackers to access the network, causing disruptions to treatment that can inflict significant harm and possibly even death to patients, as well as provide access to private patient records. And we can’t always rely on vendors to provide sufficient security.
For healthcare organizations and practitioners, IT security is not always top of mind. I was surprised to read a recent survey that found that more than 90% of healthcare IT networks have IoT devices connected to them and over 70% of IT departments believe that the traditional security solutions used to secure laptops and servers are sufficient to secure IoT-connected medical devices. In addition, the survey found that over 76% of IT decision-makers within healthcare organizations are confident or very confident that all devices connected to their network are protected.
The survey shed light on the simple fact that many organizations do not fully understand the unique security requirements of IoT and connected devices. IT organizations are applying the same security concepts they employed in the past in the hope that they can provide “good enough” security for new IoT devices.
Additionally, our end-user patients represent a new challenge. Their perception of network security has always revolved around IT devices such as PCs, laptops and servers. Trying to extend the same security concept to IP cameras, HVAC systems, and electronic door locks represents a significant leap for many.
Educating doctors, nurses and even our patients starts with a clear understanding of what IoT devices are and where they are located. These devices can be hacked, resulting in the retrieval of very private and personal health and financial information. The devices can also be used to spread malware—and cybercriminals are only getting smarter.
Maia Hightower, M.D., is the chief medical information officer and a clinical associate professor at the University of Iowa Health Care. She received her M.D. at the University of Rochester School of Medicine, her M.P.H. at the University of Rochester School of Medicine, and her M.B.A. from The Wharton School at the University of Pennsylvania. Dr. Hightower is licensed by the Iowa Board of Medicine, the Iowa Board of Pharmacy, the American Board of Internal Medicine and the American Board of Pediatrics.