It’s no longer news that most of us are uber-connected. We use phone apps for weather, meditation, mapping, games, travel, texting, and more. Online management of home devices, including thermostats, coffee makers, and alarm systems, makes it possible for us to remotely control many aspects of our lives. These technologies offer previously unthinkable convenience – and a great deal of risk to their owners’ physical and information security.
Healthcare, too, is becoming more connected for all the same reasons you may use networked devices at home – speed, convenience, control, and situation transparency. For instance, in-room cameras are very helpful for preventing patient falls. They can also be used by nurses to determine if a patient’s telemetry alarm is due to a loose lead or a real cardiac event. All this convenience, however, comes with the same risks as an online thermostat at home – these devices are vulnerable to attack (Health Data Management, May/June 2017).
Many of the devices in use today were deployed before security standards for them had been developed. Even relatively new devices released while the FDA was working on the rules may not be up to snuff. For example, this spring an IT Director for a brand new hospital told me about receiving devices for the hospital, which he was responsible for installing and maintaining, and learning they did not adhere to some very basic security principles!
So what can members of the care team do?
You – nurses, respiratory therapists, surgical technicians, medical technologists, radiology techs – can be the “Human Firewall.” The healthy skepticism that care team members are trained to bring to all aspects of their work can play an important role in cybersecurity as well.
Staff often assume that the “IT gurus” have carefully reviewed all devices or computer applications and deemed them “safe” – WRONG! Smart devices and applications are proliferating rapidly with the advent of the Internet of Things, and no IT department can vet every one of them before it reaches the floor. This combination provides great opportunity to cyber criminals! The obvious conclusion is that it’s now everyone’s job to look out for the patient’s information safety.
So ask the hard questions – and protect your patients and yourself in the process.
1. Does this device transmit data?
If the answer is yes, ask more hard questions:
- Is the transmitted data encrypted during transmission?
- Does the device store data as well? If so, is the data encrypted when stored? Is the data backed up regularly?
- Where is the manufacturer’s proof that the device is cybersecure?
- Does the manufacturer’s cybersecurity claim state the standards against which they tested the device? (Hint: You don’t have to know the standard – you only need to ask your IT and BioMed departments to validate them.)
2. Can this device or app access my contacts or my location?
If so, ask how to turn those “features” off – or for documentation explaining all the steps taken to ensure your phone, computer, or patient care devices won’t be hacked.
3. Can the password be changed?
For this question, the wrong answer is “No.” Devices with hard-coded passwords – those with a single, manufacturer-issued password used by everyone on the team – can be “weaponized” by a cyber criminal to penetrate the organization’s network and send malware to other computers. If the answer is “No,” contact management – “This device is unsafe to use.”
4. Would you feel safe if this device were being used on you or a family member, and the organization was hit with a virus or ransomware attack?
Healthcare is risky business – there are physical risks and electronic risks – and there’s no way to make it completely safe. But working together, we can certainly make it safer.
If you’re not sure your organization has taken all the proper steps to ensure patient information security, contact us to arrange for a comprehensive HIPAA security risk analysis to identify any gaps in your network security or operating procedures.
info@thirdrock.com | 512.310.0020
Protect Your Patients. Protect Your Practice. Protect Yourself.™