by
Lauren Dubinsky, Senior Reporter | February 14, 2017
From the January 2017 issue of HealthCare Business News magazine
The health care industry has recently suffered the greatest number of data breaches compared to 16 other industries, according to a 2015 report conducted by the digital security company Gemalto. Is this industry the most attractive target for hackers, or is it the most vulnerable? “There are more and more reports of hospitals being the target of malicious intent,” says Rob Maliff, director of the applied solutions group at ECRI. “The numbers are rising in terms of how many health systems have been penetrated, but other industries have a quicker way to assess where they have been a subject of an attack.”
Hackers are aware that health care information is much more valuable than credit card information from a bank. If they get into a hospital’s electronic health record (EHR), they have access to the patient’s name, address, Social Security number and credit card number. The black market value of EHR information is about $50 per record and credit card information is only about a dollar, according to Maliff.
How did this happen?
The industry is embracing interoperability and the benefits it can bring to hospitals, but it comes at a cost. When medical devices are connected to a hospital’s network, information is shared and hacking becomes a concern. Manufacturers often remotely monitor a hospital’s imaging equipment, but they need protection on their end to prevent hackers from getting access to the hospital’s MR system. The field service engineers have administrative access to the equipment, and when they leave the company the hospital has to decide if a new password is needed.
“It’s not only cybersecurity in the form of attacks and scanning ports and IT infrastructure, but it also has a lot to do with individuals that perform phishing attacks and the ecosystem of people, processes and technologies that are responsible for preventing cybersecurity issues or causing the issues,” says Rik Primo, chair of the Medical Imaging and Technology Alliance (MITA) Cybersecurity Taskforce. A cybersecurity white paper published by MITA and the National Electrical Manufacturers Association (NEMA) in 2016 stated that cybersecurity for medical imaging is a shared responsibility between health care providers and manufacturers. The organizations believe the best line of defense is for manufacturers and health care providers to adopt best practices and standards.
The manufacturers’ role
To meet FDA standards and provide patients with quality health care, manufacturers need to build security into their devices, according to the MITA/NEMA white paper. They can do that with standardized coding practices and training for software developers. Manufacturers should test their devices by designing threat models that feature different use cases. A device is considered to be secure if it defends against unauthorized operation in the context of its intended environment and use.
