While large-scale healthcare data breaches have grabbed the headlines, there’s another serious problem to tackle: the vulnerability of many medical devices.
Wired magazine recently reported on a two-year study that revealed how surprisingly easy it is to hack hospital devices. Scott Erven, head of information security for Essential Health, was given free rein to roam several large hospitals in the Midwest on the lookout for security weaknesses.
What Erven uncovered was truly horrifying:
- Drug infusion pumps that could be remotely manipulated to change dosages
- Lax security on Bluetooth-enabled defibrillators that can be hijacked to overshock those who need it (or fail to shock to those who do)
- Medical records that were able to be remotely altered so that a physician might prescribe the wrong medication or dosage
There are many reasons why this is a growing problem.
Most medical device purchases are okayed by physicians, and IT considerations are seldom involved in the purchasing decision. Hospital IT departments are also in a bind because many of these devices require special patches, yet the vendors are reluctant to support the devices if the original configuration gets changed.
Any covered entity looking to deploy network-connected devices – both wired and wireless – that store and handle electronic Protected Health Information (ePHI) must fully understand the risks that these new devices pose.
This requires two rounds of risk analysis: the baseline analysis required by HIPAA that assesses the current security readiness of the enterprise, along with a device-specific analysis to assess any new or increased risks when that device gets added to the environment.
Determining whether the device offers data encryption is just the beginning.
There must also be secure procedures in place for deploying, servicing and decommissioning the device. If the device is capable of being serviced remotely, the manufacturer may need to be covered by a Business Associate agreement to ensure HIPAA compliance.
It doesn’t make sense for a healthcare organization to build a steel wall around its EHR data while leaving an array of medical devices vulnerable to hacking and mischief.
For more information on how your organization can better safeguard its medical devices, contact Greg Bassett at greg.bassett [at] clearwatercompliance.com or complete the enquiry form below.
Latest posts by Bob Chaput (see all)
- HIPAA Risk Analysis: OCR-Quality Audits | Another opportunity to provide assurance to leadership - March 22, 2017
- HIPAA Risk Analysis Tip – OCR CAP Data: Learn Why 9 of 10 Organizations Fail - January 28, 2017
- The Importance of Improving Medical Device Security - November 14, 2016