June 22, 2018
The application of the Internet of Things (IoT) in the healthcare industry is witnessing exponential growth globally, with electronic health records (EHR) playing a big role.
It is bringing along a new era of patient care and shaping the healthcare infrastructure in a way that has never existed before. Interoperability between health systems has proven its mettle in the medical field and is seeing increasing adoption by providers.
This is borne out by a MarketsandMarkets projection that the market for connected devices is expected to grow from $939.4 million in 2018 to $2670.3 million in 2023, reflecting a growth of around 23%.
Interoperability allows remote devices to communicate and exchange health data with one another and send it across the systems in a perceptible and usable format. This ability of connected devices has facilitated numerous benefits including:
However, despite being able to strengthen the foundation of healthcare, this boon of medical technology has its own vulnerabilities. Connected devices leave a lot of room for security threats to creep in. Among all health IoT concerns, security gaps in EHR interoperability have been one of the top items on the list.
These attacks or breaches predominantly focus on three targets:
◙ Web servers: Web interfaces possess several serious vulnerabilities. Many tools are available on the web that attackers can use to detect security gaps in web servers.
◙ Database servers: Device and system databases are vulnerable to serious attacks. Attackers can delete all information from the database and replace it with false data. Besides this, insiders (people working inside the organization) can also steal files from the database and compromise data integrity.
◙ Applications: Systems which are not sufficiently tested in a live environment or which run with obsolete security measures are prone to malware attacks. Similarly, wireless technologies are quite susceptible to tampering. An outsider or even an insider can access the wireless network unlawfully without much difficulty.
Below are a few major factors that may invite cyber-criminals to attack the network of a healthcare organization.
Among all the security threats, ransomware remains the biggest threat to interoperability in healthcare. In an interconnected network where key health information is passed seamlessly between multiple connected devices, a malware attack can even result in a life-or-death situation. A prime example of a ransomware or malware attack is WannaCry in 2017.
Many experts admit that it was the biggest security threat in the history of healthcare technology. It compromised a huge amount of critical patient data, including procedures and appointments, in 48 hospitals in the United Kingdom and left a number of medical records inaccessible.
Mobility has acquired an important role in the workplace today, and the healthcare industry has enthusiastically joined the bandwagon too. The bring-your-own-device (BYOD) concept in medical companies is on the rise. Unfortunately, many of them do not even have an idea of the risk this can pose.
To store and access data, mobile devices depend on the cloud, which is prone to data breaches. As the number of smartphones used by general users, patients, and physicians increases, it invites cyber-attackers.
To address this, organizations can leverage network access control (NAC) solutions to secure patient health information. Moreover, these solutions can also protect interconnected devices and equipment from cyber threats.
The primary factor responsible for security vulnerability is the difference in security standards of the device vendors or manufacturers. The devices and instruments in a hospital are usually purchased from multiple manufacturers who follow their own network security measures. This is why it becomes challenging to avoid the threat by using a uniform infrastructure for all the devices.
To address this, the entire supply chain must be reviewed at each stage. It is important that both hospitals and vendors follow healthcare regulatory frameworks such as HIPAA to maintain uniform and effective security measures. These checks can ensure that interoperability between health systems is not prone to attacks.
Another reason why interoperability security is a big concern for healthcare IT leaders is that connected devices are different from traditional machines. The hardware that these devices are designed around does not have the same functionalities. Unlike computers, interoperable devices are unable to run antivirus scans and lack firewalls and malware detection. Moreover, these devices are moved and connected throughout the facility using a number of networks. This means a threat to even a single device can spread across the networks and corrupt the whole system.
They might appear to be minor concerns, but insider actions pose a serious threat to EHR interoperability. A significant number of reported data breaches are committed by employees motivated by quick money or tax fraud.
One viable and effective solution to this would be auditing the devices that the employees use. This will also be helpful in ascertaining who should access what data.
This is a form of insider breach, but there is one big difference between the two: intention. In an unintentional data breach, security is not compromised by the employees on purpose. But such breaches weaken the safeguards against an attack.
While the possibility of human mistakes cannot be denied, it is always possible to mitigate the effect of these mistakes. Organizations need to spread awareness among employees and educate them on security best practices.
The WannaCry attack brought one more fact to light. The investigation revealed that most of the attacked systems were using older versions of Windows, and this made the operating system vulnerable to the attack.
Therefore, it is advisable for healthcare organizations to run penetration testing in a live environment to find and fix the gaps in their IT security infrastructure.
The first and foremost consideration, in this case, should be spreading awareness about the gravity of cyber-attacks and the vulnerability of the healthcare organizations to these attacks.
Along with focusing on optimizing patient care and being world-class health providers, the organizations must also give due priority to cybersecurity infrastructure and protection of sensitive data. They should have a dedicated team or service provider to constantly monitor security loopholes and risks and ensure that measures to address these issues are in place.
They must also authenticate the data before storing it and implement access control on that data. The level of access should only be need-based so that client privacy is not compromised.
It is true that healthcare interoperability solutions have some potential gaps for security threats. Addressing this concern is not optional for healthcare providers and medical device manufacturers, as failing to protect patient health information can result in privacy breaches, identity theft, and HIPAA violations.
However, proper planning, constant monitoring, and addressing anomalies on the go will surely pave the way to building a strong cyber-security infrastructure and contribute to establishing a more efficient healthcare delivery model.