
A recent Bloomberg article titled “It’s Way Too Easy to Hack the Hospital”, by Monte Reel and Jordan Robertson, provides a scary glimpse into how easily a malicious attacker can gain access to health data, access drugs, and change patient dosages. After reading the article, Rocker decided to create a To Do list for our friends in the medical profession. The potential damage to a patient, medical provider, and related parties is so great that it can cause one to drop into the “if I ignore it then it may go away” mentality. This is not going away, it is serious, and you can take action now to improve the situation.

Bloomberg Article Summary

The article is a lengthy read for most people so here’s our summary.

  • A white hat hacker (person who helps companies look for their own vulnerabilities) is hired by the Mayo Clinic to assess the vulnerabilities of network connected medical devices.
  • He and a team of others found many ways to get into the devices, access health data, change drug dosage amounts, and more. Someone with the intent to cause harm could do so very easily.
  • He decided to continue the investigation beyond the engagement with the Mayo Clinic and had to go through a number of channels before anyone at the device manufacturer or the FDA took him seriously. The FDA finally issued an alert to medical facilities to stop using the device.
  • Another company set up hacker traps (decoy systems) at 60 hospitals. It discovered that all 60 had been infiltrated. Many of the attacks began by spear phishing hospital employees.
  • Hackers want medical info because it is worth ten times the amount of a stolen credit card.
  • A malicious person could manipulate devices to harm people as well as steal medical information.
  • A great many of the medical devices have no defense against attacks.

You can read some comments from people who work in or assess healthcare information technology over at Hacker News. The comments reinforce the importance of this issue.

What Should a Medical Risk Manager Do?

The recommendations listed below are for risk managers at healthcare facilities with equipment connected to the network and/or Internet. These recommendations are not just for hospitals. If you have any devices connecting to your network or over the Internet, then you should continue reading.

  1. Understand your risk and the risk to the patient. Review the agreements in place with your existing device providers to understand your organization’s and the device manufacturer’s liability, warranty, and more. Your counsel and someone with technical experience should review these documents together.
  2. Send an inquiry to the device manufacturer so the company can explain how it protects patients and prevents unauthorized access to the device. You may receive a response that the manufacturer does not give out this information for security reasons. Press a bit harder to understand how the device connects and how you can work with the manufacturer to address any weaknesses. Remember: it is not just the manufacturer’s responsibility to protect the patient and your network.
  3. Ask the provider what data is stored on its device, why, and how it is used. This helps you understand the impact if the device is compromised.
  4. Contact your insurance carrier to verify you are covered for breaches, fees, and more in the event a medical device is compromised. The carrier may require you to list all of the devices connecting to your network — and this should be easy since you are already doing this, right…?
  5. Ask the device manufacturer to agree to participate in any incident investigation. It is in everyone’s best interest to protect the patient and stop thieves & attackers.

You should evaluate all potential vendors against these items prior to purchasing devices or extending any contracts.

If you need assistance with investigation into your device providers, agreements, or policies, please call Rocker at 859-654-7625 or email [email protected].
