Federal agencies are stepping in to address security within the healthcare industry
Cybersecurity is a growing threat for many industries, particularly health care. Healthcare data are richer in volume and value than financial or retail data, and medical identity fraud takes longer to detect, making the industry an attractive and easy target.
Earlier this year, the Department of Health and Human Services (HHS) warned about an increase in ransomware attacks targeting healthcare organizations. Ransomware typically gains entry through insecure remote desktop protocol (RDP) connections and unpatched, vulnerable systems. Attackers introduce malware or a virus that encrypts a hospital's systems and denies access to patient records, then demand a ransom, usually paid in cryptocurrency such as Bitcoin, before the hospital can regain access to its data and operating systems.
The rapid spread of connected medical devices has left the healthcare sector more exposed to cyberattacks than ever before. In orthopaedics, devices such as ultrasonic scalpels, smart stents, CT scanners, infusion pumps, vital sign monitors using Bluetooth, and glucose monitors are easy targets for hackers. Medical device manufacturers, however, have been hesitant to reveal concerns or findings about product security flaws. As a result, federal oversight agencies such as the Food and Drug Administration (FDA) are beginning to collaborate with security researchers—ethical hackers—to uncover bugs in devices that make them vulnerable to attack.
The FDA recently introduced a set of new initiatives to improve device security, including a playbook to help healthcare organizations respond to cyberattacks. It also announced a new device security partnership with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center. The department will be responsible for coordinating and disseminating information from the FDA, medical device manufacturers, researchers, and others on device vulnerabilities and safety. FDA and DHS will work together to ensure medical devices are safe from cyberthreats.
Congress and regulatory agencies also are taking a closer look at industry vulnerabilities and methods of protection from cyberattacks. For example, in a recent report, the Government Accountability Office (GAO) identified the Centers for Medicare & Medicaid Services (CMS) as being at risk of compromising Medicare beneficiary data due to lack of proper security oversight. Specifically, it found that CMS has not protected user data in state-based marketplaces. Additionally, HHS has not addressed key security elements and electronic record privacy. GAO also named the FDA as one of three federal agencies that has not effectively implemented information security controls.
The GAO report was the focus of a hearing held by the subcommittees on Government Operations and Information Technology of the House Oversight and Government Reform Committee.
The committee discussed the growing cybersecurity challenges and asked the federal chief information officer about plans to coordinate a government-wide response.
Security experts at the hearing also called for the Health Insurance Portability and Accountability Act (HIPAA) to be replaced or rewritten to address emerging cybersecurity threats.
All healthcare providers should have disaster recovery and business continuity procedures in place, such as file sync, file share, and frequent online data backups, to protect against a cyberattack. They also should test backups to ensure they restore data successfully. Additional protection activities may include training employees to recognize ransomware tactics, patching and updating computers and keeping anti-malware tools current, and blocking email from foreign countries.
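The advice above to test backups rather than merely take them is the step most often skipped. The script below is an added example (not from the article or AAOS) of a minimal restore drill: it backs up a directory of constructed, fictional record files into a tar archive, records a SHA-256 manifest, restores the archive to a separate location, and compares every restored file against the manifest. The file names and contents are made up for the demonstration; the "corrupt" option simulates a damaged restore to show that the check actually catches silent data loss.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample "patient record" files for the drill (fictional, not real data).
SAMPLE_FILES = {
    "records/patient_0001.txt": "MRN 0001: knee arthroscopy, 2018-09-12\n",
    "records/patient_0002.txt": "MRN 0002: hip replacement, 2018-10-03\n",
    "imaging/ct_0001.meta": "modality=CT;slices=120;device=scanner-A\n",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large imaging files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, archive: Path) -> dict:
    """Archive src and return the manifest taken at backup time (store it separately from the archive)."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Extract the archive into dest, using the 'data' filter where available to refuse unsafe paths."""
    with tarfile.open(archive, "r:gz") as tar:
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)


def verify_restore(manifest: dict, restored: Path) -> list:
    """Return a list of problems (missing files, hash mismatches); an empty list means the restore is good."""
    problems = []
    actual = build_manifest(restored)
    for rel, expected in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def run_drill(corrupt: bool = False) -> list:
    """Full backup -> restore -> verify cycle in temporary directories.

    With corrupt=True one restored file is truncated to simulate silent damage,
    which the verification step must report.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, archive, dest = tmp / "live", tmp / "backup.tar.gz", tmp / "restored"
        for rel, text in SAMPLE_FILES.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
        manifest = backup(src, archive)
        dest.mkdir()
        restore(archive, dest)
        if corrupt:
            (dest / "records" / "patient_0002.txt").write_text("")
        return verify_restore(manifest, dest)


if __name__ == "__main__":
    print("clean restore problems:", run_drill())
    print("damaged restore problems:", run_drill(corrupt=True))
```

The manifest is the part that matters: a backup job that exits with status 0 tells you the archive was written, not that it can be read back intact, so keep the digest list outside the archive (and ideally offline) and run the restore drill on a schedule, not only after an incident.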
Providers also should be aware of cyberthreats associated with medical devices. According to the National Institutes of Health, the wearable device market is expected to grow from $20 billion in 2015 to $70 billion by 2025. Despite their significant advantages and conveniences, mobile medical devices present new security risks. Using powerful receiver antennae, malicious hackers can intercept, modify, and extract patient data from devices, posing serious threats to patient safety and security. Every device that is added to a network is another potential point of vulnerability for a cyberattack.
Legislation and rule-making is coming
Healthcare privacy and security are important areas of concern, and the American Association of Orthopaedic Surgeons (AAOS) anticipates significant legislation and rule-making to address the growing healthcare cyberthreat. In the meantime, the AAOS Office of Government Relations (OGR) has been working with other medical specialty societies to address the issue. In August, it hosted a cybersecurity awareness meeting during which the keynote speaker from the American Medical Association (AMA) discussed AMA activities related to augmented intelligence and cybersecurity vulnerabilities.
The HHS offices of Civil Rights, the National Coordinator, and the Inspector General created a Security Risk Assessment toolkit that healthcare providers can use to learn the new HIPAA rules related to smartphone use, email, text messaging, and cloud-based security. Additionally, users can conduct a security assessment of their devices.
For more information, visit www.Healthit.gov.
To access the House Committee on Oversight and Government Reform hearing, visit https://bit.ly/2zkw7D4.
To access the GAO report, visit www.gao.gov/products/GAO-18-645T.
Judi Buckalew, BSN, MPH, CAE, is a senior manager of regulatory and government relations in the AAOS OGR.