<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	
	xmlns:georss="http://www.georss.org/georss"
	xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
	>

<channel>
	<title>Focus on Technology Archives - Third Rock</title>
	<atom:link href="https://thirdrock.com/blog/category/focus-on-technology/feed/" rel="self" type="application/rss+xml" />
	<link>https://thirdrock.com/blog/category/focus-on-technology/</link>
	<description>Building a Cyber Confident World</description>
	<lastBuildDate>Tue, 02 Jul 2019 12:08:55 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.5.8</generator>

<image>
	<url>https://i0.wp.com/thirdrock.com/wp-content/uploads/cropped-favicon-check.png?fit=32%2C32&#038;ssl=1</url>
	<title>Focus on Technology Archives - Third Rock</title>
	<link>https://thirdrock.com/blog/category/focus-on-technology/</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">65153150</site>	<item>
		<title>Internet of Medical Things:  Real Security Threat or Hype?</title>
		<link>https://thirdrock.com/blog/2018/01/19/internet-of-medical-things-real-security-threat-or-hype/</link>
		
		<dc:creator><![CDATA[Julie Rennecker, PhD, BSN]]></dc:creator>
		<pubDate>Fri, 19 Jan 2018 15:15:11 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Focus on Technology]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[connected devices]]></category>
		<category><![CDATA[FDA]]></category>
		<category><![CDATA[IoT]]></category>
		<category><![CDATA[Manufacturer Disclosure Statement for Medical Device Security]]></category>
		<category><![CDATA[medical devices]]></category>
		<category><![CDATA[Quality System Regulations]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[Security Risk Assessment]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5075</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/01/19/internet-of-medical-things-real-security-threat-or-hype/">Internet of Medical Things:  Real Security Threat or Hype?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_0 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_0">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-3047 size-medium" style="margin-top: 5px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/mHealth-technolgy-sytstem-300x138.jpg?resize=300%2C138&#038;ssl=1" alt="" width="300" height="138" /></p>
<p>For decades, healthcare medical devices functioned as freestanding tools. Glucometers, lasers, infusion pumps, pressure monitors, neonatal incubators, heart monitors – each serving its unique function independently of the others. With the widespread implementation of electronic health records (EHRs), however, and the push for increased digitization of health information, these devices have increasingly been networked into the patient information ecosystem.  They now transmit PHI between a myriad of systems including the EHR system, bed management, supply chain management, and billing systems.</p>
<p>The variety and use of these devices have proliferated. The <a href="http://www.himss.org/medical-device-security">HIMSS Medical Device Security Workgroup</a> reports that hospitals and similar healthcare delivery organizations typically have “300% to 400% more medical equipment than IT devices.” In a study of US hospitals cited in <a href="https://www.wired.com/2017/03/medical-devices-next-security-nightmare/">Wired Magazine (3/02/17)</a>, <a href="https://www.zingbox.com/press-releases/survey-reveals-healthcare-it-decision-makers-approach-to-iot-security/">ZingBox reported</a> an average of 10-15 connected devices per bed. That translates into approximately 4500 connected medical devices for the average 300-bed community hospital &#8211; and up to 75,000 devices for a large metro medical center with 5,000 beds!</p>
<p><strong>Are devices vulnerable to hacking?</strong></p>
<p>To date, the number of medical device breaches and the number of patient records exposed by those breaches have been seemingly negligible when compared to the large-scale data losses due to hacks of healthcare organizations’ primary IT systems or losses of unencrypted mobile devices. But there have been hacks, and there are several reasons to expect medical devices to be increasingly exploited:</p>
<ul>
<li>As more medical device developers rely on off-the-shelf operating systems to speed development and/or facilitate integration with other systems, the vulnerabilities of the parent code are transferred to the devices, increasing their vulnerability.</li>
<li>The increased networking of devices makes them a more attractive target for hackers because they provide additional points of entry to other systems.</li>
<li>A Trend Micro study found a large number of devices to be discoverable on Shodan, a search engine for connected devices.</li>
</ul>
<p>In fact, <a href="https://www.darkreading.com/threat-intelligence/medical-devices-fall-short-in-security-best-practices/d/d-id/1328964">a study by Ponemon Institute</a> found that 67% of medical device makers <em>expect</em> an attack on their devices in the next 12 months!</p>
<p><strong>Didn’t the FDA pass regulations to fix this?</strong></p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-4973 " style="margin-top: 5px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/Red-notebook-of-Regulations.jpg?resize=248%2C186&#038;ssl=1" alt="" width="248" height="186" scale="0" /></p>
<p>Yes – and no, depending on who you ask. The FDA is quoted in many news articles saying that medical device manufacturers are responsible for complying with “quality system regulations” (QSRs), which include requirements for addressing cybersecurity risks, but both law firms and industry executives say the compliance environment remains murky:</p>
<ul>
<li>Some devices have been downgraded from “Class III” – high risk and mandatory compliance – to “Class I” – low risk and “unregulated,” though they still could pose a cybersecurity risk.</li>
<li>Once a device is in use, it’s not clear whether the device manufacturer or the healthcare delivery organization is responsible for continued patching as cyber threats evolve.</li>
<li>The FDA doesn’t actually test medical devices for their compliance with the QSRs.</li>
<li>Reporting of device malfunctions, including cybersecurity breaches, to the FDA is voluntary.</li>
</ul>
<p><strong>Know-how and budget are also factors.</strong></p>
<p>Because cybersecurity of devices is still a relatively new concern in the medical device and healthcare delivery industries, lack of knowledge regarding both the threat and the appropriate risk management responses remains a problem. The <a href="https://www.zingbox.com/press-releases/survey-reveals-healthcare-it-decision-makers-approach-to-iot-security/">ZingBox study</a> also found that 70% of healthcare IT decision-makers believe that the same security solutions used for laptops and servers are sufficient for all their connected medical devices, a misconception that the report goes on to explain.</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-5082 " style="margin-top: 5px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/spreadsheet-financials-300x200.jpg?resize=242%2C161&#038;ssl=1" alt="" width="242" height="161" /></p>
<p>Despite two-thirds of medical device manufacturers anticipating an attack on their devices, only 15% of study respondents anticipate taking measures to mitigate the risk! Senior executives in the field say it usually comes down to budget and production deadlines. Because cybersecurity protections don’t improve device performance in terms of clinical care, they are often looked upon as a cost. Similarly, when cybersecurity flaws are discovered too far into the development process, decision makers often determine that the rework required to build in the cybersecurity protections is too costly. So devices go to market with <em>known</em> cybersecurity flaws.</p>
<p><strong>So what to do?</strong></p>
<p>As a healthcare delivery organization, you are the gatekeeper between the medical device vendors and patients. Regardless of who is technically at fault for a medical device breach, if a breach were to occur, it would be your patients’ information lost and your reputation damaged!  Thus it is up to you and your organization to set the standard for medical devices coming into your organization and to include medical devices in your annual security risk assessment.</p>
<p>Start by requesting information from your device vendors about each of the device types on your network using the <a href="http://www.himss.org/resourcelibrary/MDS2">Manufacturer Disclosure Statement for Medical Device Security ((MDS)<sup>2</sup>)</a> which was collaboratively developed by the National Electrical Manufacturers Association (NEMA) and the Health Information and Management Systems Society (HIMSS).</p>
<p>Finally, if you have questions about assessing the risk of an Internet-connected device or need help completing a comprehensive Security Risk Assessment, contact us at <a href="mailto:info@ThirdRock.com">info@ThirdRock.com</a> or 512.310.0020.</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5075</post-id>	</item>
		<item>
		<title>Thank Goodness! NIST says, &#8220;No more difficult passwords!&#8221;</title>
		<link>https://thirdrock.com/blog/2017/09/14/thank-goodness-nist-says-no-more-difficult-passwords/</link>
		
		<dc:creator><![CDATA[Robert Felps]]></dc:creator>
		<pubDate>Thu, 14 Sep 2017 14:00:17 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Focus on Technology]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[HIPAA compliance]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<category><![CDATA[risk management]]></category>
		<guid isPermaLink="false">http://thirdrock.com/?p=4278</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2017/09/14/thank-goodness-nist-says-no-more-difficult-passwords/">Thank Goodness! NIST says, &#8220;No more difficult passwords!&#8221;</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_1 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_1">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_1  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignleft wp-image-2349" style="margin-right: 10px; margin-top: 5px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/c1268836_m.jpg?resize=250%2C167&#038;ssl=1" alt="" width="250" height="167" scale="0" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/c1268836_m.jpg?resize=300%2C200&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/c1268836_m.jpg?w=600&amp;ssl=1 600w" sizes="(max-width: 250px) 100vw, 250px" />Just when you thought all hope was lost of remembering your 16-character password with upper and lower case letters, numbers, and special characters, NIST comes to the rescue. That&#8217;s right!  The National Institute of Standards and Technology wrote a brief addendum to SP 800-53 which simplifies Strength of Memorized Secrets.  You and I refer to those &#8220;secrets&#8221; as passwords.  It&#8217;s a light read, only 50 or 60 pages.  I don&#8217;t really know because I didn&#8217;t want to print it and kill four trees.  Anyway, the good news is Tom Sullivan wrote up a nice, short, one pageish, blog post about the draft from NIST.  You can find it at <a href="http://www.healthcareitnews.com/news/nist-tweaks-advice-passwords-says-make-them-easier-remember"><strong>NIST tweaks advice on passwords, says make them easier to remember</strong></a>.  Thank You, Tom!  And Thank You, NIST!</p>
<p>Seriously though, it&#8217;s a serious issue.  We all need to take care in creating strong passwords to protect our data and that of our clients.  Here&#8217;s the short list of how best to do that according to the new NIST advice:</p>
<ol>
<li>Make it easy to remember for you; e.g., &#8220;I rode a green bike as a kid.&#8221;</li>
<li>Make it something private, not publicly known. (Sports team names are not good passwords.)</li>
<li>The longer the better: longer than 12 characters.  Personally, I would make it longer than 16 if the system supports that length.</li>
<li>Hope the developers know to have password policies that prevent bad passwords.</li>
</ol>
<p> <span style="font-size: 12px;">Here&#8217;s the summary from the document.</span></p>
<h3 id="a5-summary" style="padding-left: 30px;"><span style="color: #808080;">A.5 Summary</span></h3>
<p style="padding-left: 30px;"><span style="color: #808080;">Length and complexity requirements beyond those recommended here significantly increase the difficulty of memorized secrets and increase user frustration. As a result, users often work around these restrictions in a way that is counterproductive. Furthermore, other mitigations such as blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks. Therefore, no additional complexity requirements are imposed.</span></p>
<p>And you thought all your tax dollars were going to waste! 🙂</p>
<p>Join our free monthly <a href="http://thirdrock.us3.list-manage2.com/subscribe?u=1649a45c35ac1a873bb99bdb8&amp;id=7d7bf2b255">newsletter</a> to stay up-to-date on HIPAA and cybersecurity.</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">4278</post-id>	</item>
		<item>
		<title>Focus on Technology: Change Your Router Passwords!</title>
		<link>https://thirdrock.com/blog/2017/01/17/focus-on-technology-change-your-router-passwords/</link>
		
		<dc:creator><![CDATA[Clint Eschberger]]></dc:creator>
		<pubDate>Tue, 17 Jan 2017 15:00:18 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[Compliance Technology]]></category>
		<category><![CDATA[Focus on Security]]></category>
		<category><![CDATA[Focus on Technology]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[cyber breach]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[Cyber-threats]]></category>
		<category><![CDATA[hipaa]]></category>
		<guid isPermaLink="false">http://thirdrock.com/?p=2884</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2017/01/17/focus-on-technology-change-your-router-passwords/">Focus on Technology: Change Your Router Passwords!</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_2 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_2">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_2  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_2  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>One of the most common services in healthcare is the connection to the internet. With all the focus on security and cyber breaches, one of the most vulnerable pieces of your connection to the internet is the router / gateway. The router / gateway connects your computers and devices to the public internet and in many cases provides the initial security barrier through a built-in firewall.</p>
<p>The problem is that while this is the door, the gateway to the internet, it is a two-way door. Much like the door on your office or building, if it is not properly secured, anyone can walk in. What makes this such an issue is that the Internet Service Provider (ISP) generally sets up the router / gateway for your organization. Larger organizations may or may not take care of this themselves, but small and medium organizations rely on the ISP to do the install and setup.</p>
<h3>Here comes the major problem!!</h3>
<p>The ISP will generally leave the default username and password in place on the router / gateway. This means that anyone who gets on your network can simply connect to the router and use the commonly known list of default usernames and passwords to quickly access your router and change the settings to allow them to access your network from anywhere and steal data.</p>
<h3>How to fix this</h3>
<p>You have two options to correct this.</p>
<ol>
<li>Most ISPs have instructions on how to access and change the router&#8217;s username and password. You can log in and change it yourself.</li>
<li>If you are unsure, contact the ISP and they can walk you through the process.</li>
</ol>
<p>This is a critical issue that is extremely prevalent in many organizations, not just healthcare.</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2884</post-id>	</item>
		<item>
		<title>Why using Gmail, Yahoo Mail, or Hotmail in healthcare is bad</title>
		<link>https://thirdrock.com/blog/2016/12/20/why-using-gmail-yahoo-mail-or-hotmail-in-healthcare-is-bad/</link>
		
		<dc:creator><![CDATA[Clint Eschberger]]></dc:creator>
		<pubDate>Tue, 20 Dec 2016 14:30:25 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Focus on Security]]></category>
		<category><![CDATA[Focus on Technology]]></category>
		<category><![CDATA[Third Rock]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[cyber breach]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[ePHI]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[hipaa]]></category>
		<category><![CDATA[hotmail]]></category>
		<category><![CDATA[secure email]]></category>
		<category><![CDATA[yahoo mail]]></category>
		<guid isPermaLink="false">http://thirdrock.com/?p=2740</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2016/12/20/why-using-gmail-yahoo-mail-or-hotmail-in-healthcare-is-bad/">Why using Gmail, Yahoo Mail, or Hotmail in healthcare is bad</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_3 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_3">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_3  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_3  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><a href="https://i0.wp.com/thirdrock.com/wp-content/uploads/email_security_121216.jpg?ssl=1"><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-2743 size-medium" style="margin-bottom: 5px; margin-left: 5px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/email_security_121216.jpg?resize=300%2C225&#038;ssl=1" width="300" height="225" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/email_security_121216.jpg?resize=300%2C225&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/email_security_121216.jpg?w=533&amp;ssl=1 533w" sizes="(max-width: 300px) 100vw, 300px" /></a></p>
<p>Time and time again we see healthcare organizations using free email accounts. While convenient, it is an extremely dangerous decision in a world where HIPAA fines are increasing in cost and occurrence.</p>
<p>If you or your employees have access to or use the free email services from your organization’s network, either officially for business and/or for personal use, you are at extreme risk of being breached!</p>
<p>Why? Think about what can be sent via email. Whether you are using email to send patients reminders or any other communication, there is a strong likelihood of PHI being sent. If you allow employees to access those accounts from your organization’s network, it is easy for them to send patient data either by accident or to steal data.</p>
<p>Guess what happens if a hacker gets into an email account that your employee uses? You’ve been breached and need to report it, which will trigger a HIPAA audit.</p>
<p><strong>Now, think about these headlines over the last year…</strong></p>
<ul>
<li>Hundreds of Millions of Email Accounts Hacked and Traded Online, Says Expert</li>
<li>A Russian hacker has 272 million stolen Gmail, Yahoo, and Hotmail passwords</li>
<li>500 Million Yahoo Accounts Hacked, Change Your Passwords Now</li>
<li>and on and on…</li>
</ul>
<p>What is worse is that the free email services make their money by serving ads in their online email client. Have you ever wondered how they tailor those ads? They do it by data-mining your emails, which means that any potential PHI data is now being kept in their databases!</p>
<p>Notice we didn&#8217;t even go into the threat of malware and ransomware, which is also extremely high when using these free services.</p>
<p>There is never a good reason to use the free email services within a health organization or any organization that deals with PHI. More importantly, block access to these services on your organization’s firewall so that no one can access them from your organization’s resources.</p>
<p>If you are looking for hosted email service providers, there are options out there and most will not break the bank. Below is a list of a few of the options. (Note: we are not tied to these providers.)</p>
<ul>
<li><a href="https://www.hushmail.com/business/healthcare/">Hushmail</a></li>
<li><a href="https://www.emailpros.com/">Email Pros</a></li>
<li><a href="https://mdofficemail.com/">MD OfficeMail</a></li>
<li>Also, Microsoft Office 365 can be set up for HIPAA, as long as you get it set up and the BAA in place.</li>
</ul>
<p><b>Sources</b></p>
<ul>
<li><a href="http://www.nbcnews.com/tech/security/hundreds-millions-email-accounts-hacked-traded-online-says-expert-n568491">Hundreds of Millions of Email Accounts Hacked and Traded Online, Says Expert</a></li>
<li><a href="https://www.yahoo.com/tech/report-russian-hacker-trading-email-194402089.html">A Russian hacker has 272 million stolen Gmail, Yahoo, and Hotmail passwords</a></li>
<li><a href="http://lifehacker.com/500-million-yahoo-accounts-hacked-change-your-password-1786958537">500 Million Yahoo Accounts Hacked, Change Your Passwords Now</a></li>
<li><a href="http://www.bbc.com/news/world-us-canada-38324527"><strong>1 Billion</strong> Yahoo Accounts Hacked</a></li>
</ul></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2740</post-id>	</item>
		<item>
		<title>Focus on Technology: HIPAA Quick Fixes</title>
		<link>https://thirdrock.com/blog/2016/09/27/hipaa-technology-quick-fix/</link>
		
		<dc:creator><![CDATA[Clint Eschberger]]></dc:creator>
		<pubDate>Tue, 27 Sep 2016 14:00:37 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[Compliance Technology]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Focus on Technology]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[automatic updates]]></category>
		<category><![CDATA[Quick fix]]></category>
		<category><![CDATA[strong passwords]]></category>
		<category><![CDATA[training]]></category>
		<guid isPermaLink="false">http://thirdrock.com/?p=2300</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2016/09/27/hipaa-technology-quick-fix/">Focus on Technology: HIPAA Quick Fixes</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_4 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_4">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_4  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_4  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><a href="https://i0.wp.com/thirdrock.com/wp-content/uploads/c1268836_m.jpg?ssl=1"><img data-recalc-dims="1" loading="lazy" decoding="async" width="300" height="200" class="alignleft wp-image-2349 size-medium" style="margin-bottom: 20px; margin-right: 10px;" alt="Keep IT Simple" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/c1268836_m.jpg?resize=300%2C200&#038;ssl=1" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/c1268836_m.jpg?resize=300%2C200&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/c1268836_m.jpg?w=600&amp;ssl=1 600w" sizes="(max-width: 300px) 100vw, 300px" /></a>While meeting all the HIPAA requirements for your technology (computer, network, etc.) requires some planning, there are some quick fixes that can greatly reduce the odds of your organization being breached while at the same time starting you on your path to compliance.</p>
<p>Below are some common issues that we see at all sizes of organizations. How you go about correcting some of them is determined by the size and resources of your organization.</p>
<div style="clear: both;"></div>
<h4>Quick Fix #1</h4>
<p><strong>Issue: The operating system (e.g., Windows) on your organization&#8217;s computers / laptops is out of date. </strong></p>
<p><strong>Details:</strong> Hackers are constantly finding new ways into your computers. If you do not keep your computer up to date, it leaves these vulnerabilities open for attack.</p>
<p><strong>Fix:</strong> For smaller organizations, you will need to manually check each of your computers to make sure automatic updates are turned on and updating. Alternatively, there are centralized patch management systems that can help if you are running on a Windows domain.</p>
<h4>Quick Fix #2</h4>
<p><strong>Issue: Weak passwords! Simple passwords DO NOT WORK!</strong></p>
<p><strong>Details:</strong> Hackers can download a tool off of the internet to crack passwords fairly easily. The weaker the password, the more likely the hacker will be able to breach your computer and network.</p>
<p><strong>Fix:</strong> Require that all users have unique accounts and passwords that are a minimum of 12 characters with a mix of UPPERCASE, lowercase, numbers, and at least one special character (e.g., !@#$%^&amp;*). You should also have your users change their password at least every 90 days. If you have a Windows domain, you can enforce this with a domain policy.</p>
<h4>Quick Fix #3</h4>
<p><strong>Issue: Outdated Antivirus</strong></p>
<p><strong>Details:</strong> Similar to #1, if your antivirus is out of date, your computers and networks are vulnerable to the latest viruses, malware, and ransomware.</p>
<p><strong>Fix:</strong> Check the antivirus software on all of your computers to ensure that it still has an active subscription, is running, and is being updated. Most major antivirus companies have business versions of their product that allow you to centrally manage the antivirus and reduce the likelihood of something happening.</p>
<h4>Quick Fix #4</h4>
<p><strong>Issue: Lack of trained staff</strong></p>
<p><strong>Details:</strong> Staff who have not been trained to watch out for malware in emails or on the web are generally the most likely way for your organization to become a victim of malware or ransomware.</p>
<p><strong>Fix:</strong> Ensure the staff is properly trained in HIPAA. There are plenty of online training courses that are neither expensive nor time consuming. While the return on investment may be hidden, it is huge.</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2300</post-id>	</item>
	</channel>
</rss>
