Machines are wholly indispensable in today’s technology-powered medical landscape. Patients and providers alike trust in the value and security of medical devices. Our trust seems almost necessary; after all, medical technology supports hospital staffers during every minute of every day. The machines they access store vital patient data, facilitate channels of communication, and provide real-time insights into medical conditions. We all but take them for granted, rarely considering that the information they hold and transmit might be stolen or worrying that the systems we rely on will be held for ransom. We trust that the technology we hear running in the background will continue to work as it always has: without any disruptions or costly breaches.
But is that faith misplaced? Recent research suggests that some providers worry that it might be.
In late 2017, a study conducted by KLAS Research and the College of Healthcare Information Management Executives (CHIME) revealed that well over half of surveyed provider organization did not have “a strong degree of confidence in their medical device security.” When asked about the source of their concerns, respondents explained that many of the devices they use daily are outdated, unpatched, and wholly unsecured against hackers.
This is no small risk. As I’ve discussed in previous posts, breaches can be costly and dangerous for institutions and patients alike. When an organization is breached or held for digital ransom, it loses the ability to operate effectively. When a corrupted system goes into lockdown, providers are unable to access the information they need to treat patients safely. They can only hope that the attack ends quickly and that the hackers don’t breach patient files. The financial burden of a breach is considerable; a recent report from IBM put the global average cost of a data breach at a whopping $3.86 million. A single stolen record containing sensitive patient information can cost a provider organization as much as $148.
Cybercriminals are clearly to blame for these hacks — and yet, many provider organizations find themselves under fire for not adequately securing or updating their devices. Critics suggest that if the victims had dedicated more time and resources towards cybersecurity measures in the first place, the hack might not have happened.
I believe that taking preemptive cybersecurity measures is a necessity for every provider organization — however, I think that in this case, it might be unfair to lay so much blame on providers alone. After all, the medical community has come a long way; in 2017, 42% of healthcare organizations had a vice president or C-level official overseeing cybersecurity measures, and 62% regularly discussed security topics at board meetings. These numbers do lag somewhat for smaller hospitals and individuals practices; however, the trend towards greater security is clear.
Provider organizations want to be secure. However, they often lack the means to fortify or even update their devices. According to the above-mentioned KLAS/CHIME study, roughly 33% of the machines in a given hospital are not patchable. To put this in perspective — in a hospital with 10,000 connected devices, over 300 would offer hackers insecure points of entry. Note that this estimate is conservative; if the organization has not maintained its security measures on all of its patchable devices, the risk could be even higher.
There are many reasons why a device may not be patchable. It could be too outdated to support a software update, be too old to fall under warranty, or fall under restrictions that prevent users from installing a patch without aid from the manufacturer. In any case, providers struggle to compensate for not only subpar security controls and weak encryption, but also manufacturer contracts that do not adequately account for modern cyber security demands. The resulting insecurity puts provider organizations in an unenviable position. They can’t afford to replace their devices every few years to keep up with patches and warranties — but if they allow an older machine to remain unpatched, they leave themselves vulnerable to malicious third-parties.
All this said, the responsibility for the security shortfall does weigh on provider organizations as well. Many do not have an up-to-date inventory of the assets connected to their network or an accounting of which devices have been or should be patched. There could be good reasons for the confusion — a lack of personnel or budget constraints, for example — but without a clear understanding of their digital network, hospitals cannot protect every point of entry into their system.
The path to mitigating cybersecurity risk and restoring provider confidence in medical technology will be a long one. In the years to come, manufacturers, regulators, and provider organizations will need to work together to develop standard contracts that allow for more continuous patching and security updates. In the short term, provider organizations need to do all they can to establish a clear picture of their security weaknesses by allocating resources to inventory devices and creating a consistent patching schedule. If possible, they should also invest in third-party network access control (NAC) software and tools that both detect digital intrusions and scan for vulnerabilities.
It may seem like a lot to invest upfront — but isn’t allocating a reasonable chunk of resources now preferable to doling out millions after a preventable attack?
I believe so.