How healthcare security strategies might not prevent patient harm

The healthcare industry focuses its security strategy almost exclusively on protecting patient health records, yet rarely addresses potential patient harms from a cyberthreat perspective, Independent Security Evaluators’ executive partner Ted Harrington says in an interview with CSO.

Attackers targeting patient records are likely to go after different systems in different ways that those intending to do patient harm, he says, so for organizations to focus their resources only on protection of records increase the likelihood that patient harm will occur.

Vulnerabilities in medical devices such as pacemakers and even vital sign monitors could prove deadly in the hands of determined hackers, and protections aimed at patient data wouldn’t really help, Harrington says.

For instance, with vital sign monitors, a hacker could activate false alarms or bypass authentic alarms, he adds.

While the company has not yet found an example where an attacker actually harmed or killed a patient, “we’re advocating that the industry start dealing with these problems because it’s not just possible, it’s probable that this will happen,” he says.

For instance, it’s common in the industry for manufacturers to tell clients not to change the default passwords in order to help techs who won’t know the passwords to all the different systems they service. “But if all these systems are using default credentials, they’re effectively public information,” Harrington notes.

Other common problems within healthcare include lack of budget for security, insufficient staffing, lack of network awareness, non-existent security assessment procedures, and systems that have never undergone security assessment.

To learn more:
- watch the interview