Securing Healthcare Internet of Things: Privacy vs Availability

Since the pandemic began last year, the world, and especially the healthcare industry, has actually been battling two viruses: the COVID-19 virus and ransomware attacks. This cybersecurity topic was one of many discussed during a HIMSS healthcare panel moderated by HIMSS' Digital Health Strategist, Andrew Pearce.

His panellists were Johnathan Bagnall, Cybersecurity Global Market Leader at Philips, and Richard Staynings, Chief Security Strategist at Cylera.

Richard pointed out that COVID forced a massive pivot to remote services like telehealth, but there also had to be a change in the delivery mechanism of health services to the population. "It also led to an explosion of medical devices in hospitals as clinical staff tried their best to keep their distance from contagious patients."

But these changes have widened the gap between digital maturity and security maturity, as digital transformation outpaces the ability to secure new technology. As a result, there has been a massive rise in cyberattacks such as ransomware.

“Ransomware shut down hundreds of (health) providers worldwide, including much of the Irish health system,” Richard observed. The result has been more than inconvenience: thousands of patients have been forced to reschedule appointments, and Richard shared that ransomware attacks have resulted in at least one patient death that we know of.

“The fact of the matter is we don’t currently track patient morbidity and patient mortality as a result of a cyber attack,” he noted. Patient safety is nonetheless at risk because of highly insecure medical devices and healthcare IoT that are being targeted by perpetrators.

Vendor accountability

Richard explained, “They can be compromised in a matter of minutes, and many suffer from legacy technology problems that result in security gaps like WEP and WPA encryption for wireless connectivity.” “Some vendors are better than others at fixing and patching their network devices.”

Some are missing in action, and there are usually a great many different vendors in the average hospital.

“At the end of the day, you can’t risk assess what you don’t know, and we need much better tools and processes to identify and assess our growing inventory of healthcare IoT connected assets. We need to up our game.”

Security by design

Jonathan explained that security by design is Philips’ proactive cybersecurity approach for Connected Care.

“We also commit to make sure that our products remain within what we term as a cyber safe position, making sure that we continue to update our products and upgrade them to make sure that security is the utmost priority.”

Philips’ services are built and delivered on their health suite digital platform, which is frequently audited and certified against relevant standards and compliance frameworks like ISO 27001, HIPAA, GDPR, ITIL and more. Jonathan shared that this proactive cybersecurity approach is also executed under a QMS, or Quality Management System, a very detailed process which tracks all changes within their products for accountability purposes.

Jonathan explained, “Philips is focused on transparency with our customers. As I mentioned, we have continuous vulnerability disclosures, as well as producing and providing continuous monitoring evidence of our products through our updates and upgrades.”

Critical security gaps in healthcare

Andrew asked what the most critical gaps in healthcare are, and what providers and manufacturers can do to address them.

Richard noted that healthcare has had to play catch-up with other industries like financial services, which have an estimated 20-year head start.

“They’ve spent the money (on cybersecurity) to protect the money. In healthcare, we are dealing with different assets like patient safety.

“One of the biggest challenges governments face right now for healthcare, be it a public or private facility, is governance and funding and prioritisation of cybersecurity.”

That usually translates to needing better resources, more and better-trained staff, and better tools and the ability to pivot quickly and respond to the types of attacks we’re beginning to see targeted against healthcare.

Richard shared that while he was on the Singapore Committee of Inquiry into the SingHealth breach, it was plainly obvious to him that the APAC region is not prepared for the types of cyber attacks being executed against healthcare facilities.

“We are up against sophisticated, highly funded nation state actors and highly motivated cyber crime units. We have yet to set the balance correctly.”

Balancing information integrity and information privacy

Another point Richard wanted to raise was that cyber defence in healthcare has focused on protecting protected health information (PHI), that is, on confidentiality and privacy.

“It is not about protecting the availability and integrity of health systems. And we have seen what happens when a health system is taken out by ransomware. That is an availability attack, as well as an extortion attack.

“When healthcare systems are not available to provide the service and care they are supposed to, patient safety becomes at risk.

“We need to focus a lot more on the availability and the integrity and security aspects, than we do the confidentiality aspect. Confidentiality is already lost, does it really matter whether my medical identity or PII is stolen for a fifth or sixth time?”

The final point Richard wanted to highlight was the lack of attention to the emerging IT we currently see in healthcare. Healthcare IoT, or the Internet of medical devices, is growing exponentially.

Visibility into your inventory of endpoints

Richard shared that a CFO of a large healthcare system in Australia had candidly commented that three quarters of the endpoint assets in his network are unmanaged: they are medical or BYOD devices he has no visibility or insight into. Those devices make up three quarters of the risk profile for his organisation, and it is a risk he has little control over.

Jonathan echoed similar thoughts and reiterated that the Philips approach is to build security-by-design medical devices, so that they do not become yet another attack vector for hackers to use.