According to a post on HIPAA Journal, 60% of healthcare organizations have already introduced networked medical devices into their technical infrastructure. Networked medical devices are the healthcare version of the “internet of things” (IoT) – smart devices that communicate with applications, such as the EHR, and with one another without human intervention. The problem – many medical devices aren’t cyber-secure! 89% of the organizations reporting the use of networked medical devices also reported having experienced a security breach as a result.
The FDA is focusing more attention on the cyber security of medical devices, but no single security standard yet exists. Even medical devices with security features incorporated in their design have a wide variance of capabilities, leaving gaps that can be compromised. There is a growing appreciation, however, that installed medical devices exist in a complex ecosystem of people, processes, and technologies. Therefore, the security issues related to these devices cannot be addressed by the device manufacturers alone – healthcare facilities need to identify and evaluate all the “things” connected to their networks.
In his presentation at HIMSS17, Brian Finch, JD, Partner and Co-Chair of the Cybersecurity and Global Security Practice Groups at Pillsbury Winthrop Shaw Pittman, noted that “there is a gross lack of awareness of the number and diversity of ‘things’ connected to a covered entity’s network.” And he went on to say that “the OCR is really whacking those that have not done a risk assessment and those risk assessments that don’t address ‘internet of things issues’.”
A widely-publicized study by Hewlett Packard subsidiary Aruba Networks reported that in just two years, 87% of healthcare organizations will have adopted Internet of Things technology. Will your organization be one of them? Do you know where your Things are? Did you assess the security of your Things in your Risk Assessment?
Bottom line: Smart, networked medical devices are a rapidly growing component of healthcare information systems, but they are often the weak link in an organization’s security infrastructure. The first step in addressing the security challenges is identifying the vulnerabilities and associated risk through a comprehensive risk assessment.
If you’d like more information on HIPAA compliance, risk assessments, or reducing the liabilities for your practice, contact us at: compliance@thirdrock.com