Your hospital is more vulnerable to a hack than you think

New security challenges sometimes require a focus on the fundamentals, experts say

Sam Bernstein, Staff Writer

It's already too easy to hack an MRI—and it's about to get even easier.

That's the chilling conclusion from a recent Bloomberg Businessweek report that looked at the fragile state of medical device security. Many devices are only protected by their default password. Others have no defenses at all.

Cybersecurity expert Billy Rios told Bloomberg about his recent trip to Mayo Clinic, which had invited about a dozen top experts to try to hack everything from respirators to ultrasound machines. The hackers made short work of essentially every device put in front of them.

"It was all bad. Really, really bad," Rios bemoaned.  

Mayo Clinic used the experience to beef up its defenses. But for most hospitals, the gates are still down. That's especially because many devices are now connected to the Internet, or more accurately—the Internet of Things (IoT).

What is the IoT?

The IoT is an emerging set of connected smart objects, such as appliances, sensors, controllers, wearables, and medical devices. By connecting to a network, these devices create, process, and share data to prompt action—frequently without human input.

IoT device security is high stakes. Over the past several years, attacks have ranged from sabotaging Iran's nuclear centrifuges, hijacking a smart refrigerator to send spam emails, and—most recently—bringing a Jeep to a halt in the middle of the highway.

And patients are clearly at risk. Inspired by his visit to Mayo Clinic, Rios ordered a drug pump made by Hospira off eBay. The smart pump is designed to automate the process of giving patients' intravenous drugs and other fluids. It should be a clear win for patient safety.

But when Rios connected the pump to his home network, he discovered something worrying. "It was possible to remotely take over the machine and 'press' the buttons on the device's touchscreen, as if someone were standing right in front of it," Bloomberg reports.

Shortly thereafter, FDA issued a warning to hospitals that they should stop using the pump. It was one of the first instances of an in-the-wild IoT security threat grabbing the attention of regulators.

But vectors for IoT-targeted attacks are poised to grow substantially. By 2020, Gartner predicts there will be 25 billion smart devices in use—up from 3.7 billion in 2014. Another study released by McKinsey & Company estimates IoT devices could have $1.7 trillion in economic impact on health care by 2025.

And in many ways, the rapid of growth of IoT-enabled devices makes sense. They can provide numerous benefits for consumers and patients.

The promise—and peril—of smart devices

Researchers on the Advisory Board Company's Health Care IT Advisor team recently released a framework for thinking about the value proposition of the IoT. According to the research brief, use cases of IoT devices in health care include:

  • Remote patient monitoring;
  • Medication adherence;
  • Supply chain management;
  • Smart hospital rooms; and
  • Infection control.

Some of the most exciting opportunities are in population health management and telehealth. For example, imagine a patch that monitors the blood sugar, heart rate, and skin temperature of chronically ill patients and warns a care team about abnormal readings. Companies like Google are already working on bringing similar devices to market.

But IoT security is still fraught with problems—partly because of problems with IoT device manufacturers, warns Paddy Srinivasan, VP and head of products for Xively Internet of Things at LogMeIn. Many of these manufacturers lack significant software experience and are bringing devices to market with only minimal security protections.

And after devices are purchased, it's not always easy to update them with new software as security threats evolve.

That puts the onus on health care providers to think critically about what type of IoT devices to bring onto their network, a particularly daunting challenge considering each device may require specialized expertise to manage and secure, experts say.

One strategy is to shift some of the security burdens back onto vendors with carefully structured contracts, says William Tanenbaum, head of the IP & Technology Transactions Group and GreenTech. "New contracts should be structured to provide the security provisions that the Internet of Things requires," he wrote for Healthcare IT News recently. 

The provider perspective

However, attitudes among providers can also be a challenge to implementing effective IoT security. "The thirst for data and automation in health care can lead to a lack of focus on privacy and security," says Eric Banks, Chief Information Security Officer at the Advisory Board. "There are so many amazing benefits to gathering this data for big data analytics, for solving large-scale problems … there isn't always a huge focus on security and privacy."

Organizations can help protect themselves by selecting products that are already widely adopted, advises Ken Kleinberg, who leads the Health Care IT Advisor research at the Advisory Board. "If you have a lot of people using a solution, that can be an advantage," he explains, because "you have a lot of people finding the holes and they are getting plugged very quickly."

Kleinberg adds that selecting devices that have been vetted by industry consortiums, such as the Continua Health Alliance, can add another level of assurance. But both Kleinberg and Banks say some of the best strategies to secure the IoT are not new at all.

For instance, security leaders should make sure they are part of acquisition and strategic discussions early, Kleinberg says. "The advice that I hear [security leaders] give their business units is 'don't wait until the end to come to me to show me what you have got so I can bless it. Start early in the process with a risk assessment so security can be part of the planning and budget.''

And Banks adds it is important to frame those security discussions in ways that non-technical executives can understand. "Speak to business and customer risk from an information security perspective. You need to treat information security risk like financial risk or any other risk your organization is dealing with," he says.

The security challenges of the IoT aren't a reason to sit on the sidelines, Banks and Kleinberg say. This is the direction the industry is going. But early adopters should be mindful they are joining a more fluid security environment.

Next in the Daily Briefing

AMA: Rx drug ads harm patients—and should be banned

Read now