Healthcare organizations have taken more than their fair share of security hits lately. The bad news continued this week with yet another data breach announcement for Medical Informatics Engineering, an Indiana-based healthcare software company, and an FDA warning to stop using Hospira’s Symbiq medication infusion pump.
The data breach involved 3.9 million people, exposing names, addresses, Social Security numbers, and other protected health information. The company reported the breach late last month but news of the nearly 3-week hack and the resulting exposed records emerged publicly yesterday.
The FDA’s warning about the potential to hack Hospira’s Symbiq infusion pumps actually hit the wire on Friday but has been making headlines this week as analysts and healthcare providers digested the first warning of its kind from the FDA. Ten days earlier, the Department of Homeland Security also announced the vulnerability which allows attackers to take control of the pump over a hospital’s network and either cut off infusion or overdose a patient.
While no attacks of this type have been reported, hospitals are understandably being advised to take the pumps off of their network and manage dosing manually until they can replace the pumps with newer models (Hospira discontinued the pumps in 2013). A recent Reuters article quoted John Halamka, CIO for Boston’s Beth Israel Deaconess Medical Center who noted,
“Healthcare providers need to secure medical devices by putting them behind firewalls and placing them on private internal networks that are not accessible.”
This isn’t an especially new message. Manufacturers, energy producers, and others have been working to secure industrial internet-connected devices for years now and still remain vulnerable to attack. Healthcare largely remains behind the curve even as the severity and frequency of attacks increase in this sector.
Ryan Witt, Fortinet vice president of healthcare, refers to the three vectors of a healthcare cyberattack:
- Traditional cyberattacks like malware, phishing schemes, etc.
- Connected medical devices
- Personal and home health devices
While the first has become commonplace (and quite expensive for providers involved in recent breaches), the Hospira warning marks the beginning of what we expect to be a dramatic increase in vulnerabilities and attacks related to the “Internet of Medical Things”. The news in the last two weeks has been dominated by demonstrated vulnerabilities in cars, scooters, and other connected devices – healthcare devices will not be far behind.
In his article, “Dear Health Care, the Internet Is Here to Stay”, David Ting, co-founder and CTO of Imprivata, explained,
The charge in health care is clear: We must implement…security technologies [like those in ‘other industries, that are further along in this journey’] in order for IoT to be fully realized. There is no question that the IoT’s network of IP-connected computers, sensors and devices allows care providers and patients to share information to a transformative degree.
If organizations and providers don’t address these issues aggressively and swiftly, we’re going to find that healthcare is left in a position where it can’t take advantage of emerging technologies that can have direct benefits to patients. And the healthcare security headlines will continue to roll across our feeds.