Securing Our Medical Devices

Last October, we reported a vulnerability in Johnson & Johnson’s Animas OneTouch Ping insulin pump that highlighted a need for a security review in medical devices. As more and more devices become connected to the Internet, patient records, medical device control, and healthcare data are increasingly under threat.

Adam Rubenfire and Joseph Conn explored this issue in their special report, discussing the role of AI, healthcare budget, and talent pool in healthcare cybersecurity. We note the highlights of each section here, but you can read the full report on their website.

A Smarter Anti-Hacker Defense

  • Brian Selfridge, a cybersecurity consultant at Meditology, advocates for the use of AI-driven security measures to detect malicious attacks. Selfridge demonstrates the ease with which hackers can steal protected health information within hours through a WiFi connection.
  • In 2016, HHS reported 106 healthcare hacking incidents, up from a mere 5 incidents in 2010. To combat the rise of hacks, more healthcare providers are looking into predictive analytics software to detect and stop those threats.
  • Current protection measures by Kaspersky Lab, for example, monitor IP addresses to prevent ransomware attacks, in which hackers encrypt an organization’s files and demand a ransom for the decryption key. IBM, on the other hand, wants to utilize its Watson software to build a database to identify typical hacker activity.
  • While AI-driven tools are powerful, providers are still reluctant to pay for another service that may drive up the cost of healthcare. Despite Ponemon Institute estimating a loss of $402 per healthcare record breach, smaller organizations indicated that these services were not affordable. Furthermore, 35% of provider executives noted that they still feel uninformed about the benefits of AI in healthcare cybersecurity.

The Nightmare Scenario: Death by Hacking

  • The deadliest threat from hackers is, quite literally, that they take control of medical devices and cause harm. Increasingly, hospitals sequester critical devices on restricted networks to fend off intrusions.
  • Thankfully, there hasn’t been a known instance of hackers hijacking medical devices. Hospira’s Symbiq infusion pump and the OneTouch Ping insulin pump mentioned earlier have had vulnerabilities noted, but no real cases of hacking have been reported thus far.
  • With 75% of providers noting that cybersecurity makes up only 4% of their overall IT budget, device manufacturers are embedding safeguards to mitigate the effects of device hacks. For example, an infusion pump made by BD requires a physical button press to initiate treatment, disabling remote activation.
  • Modern Healthcare also reports that 31% of healthcare providers don’t have an accurate record of all connected devices. This statistic is scary considering that 88% of the providers expect cybersecurity attacks to increase in 2017.

Low Pay Hinders Healthcare’s Hunt for Cyber Cops

  • In contrast to the rising demand for healthcare cybersecurity, healthcare providers are struggling to hire talent. Matt Sigelman, the CEO of Burning Glass Technologies, points to mistakes in recruitment strategy as one of the major reasons. Healthcare providers look for people with both business and technical skills, significantly reducing the pool of applicants who simply have advanced cybersecurity knowledge.
  • Another problem is low pay. Healthcare cybersecurity workers make $76,033 compared to the industry average of $90,435. This lower figure may reflect healthcare providers’ greater willingness to invest in technology than in people, according to Lee Kim of Healthcare Information and Management Systems Society.
  • The industry goal is to find and train 50,000 new healthcare cybersecurity workers in the next three to four years. Hospitals may be forced to pay exorbitant fees to AI-driven security providers if they cannot hire trained personnel to deal with it internally.