By Rebecca Herold
Tue | Jan 31, 2017 | 2:32 PM PST

For the past 15 years or so in the U.S., when you go to a doctor’s appointment, there have typically been signs posted asking patients, and those with them, to turn off their cell phones. In recent years, after much push-back from patients, a large majority of those signs have changed to asking that phones simply be silenced instead, so that those seeing the physicians and in the waiting rooms could continue to text and also go online. My Privacy Professor and SIMBUS clients and friends in other countries have told me this is a similar situation for them as well. As a result, we increasingly have more smartphones and online devices in use within healthcare provider settings, wirelessly sending and receiving data.

Last year I was sitting on the table in the exam room of Musculoskeletal Imaging Specialist surrounded by many different types of medical devices, waiting for the doctor to arrive. I decided to use my free wi-fi access finder app to see how many medical devices were active in the room. Not only did I find over a dozen wireless medical devices and/or associated controlling systems, but my app also reported that none used encryption, and there were no passwords required for authentication on any of them. I could also see the network names, and data that was being sent within the facility’s wireless network, through them. When the doctors arrived, I asked them if they had good security on their networks and devices.

“We have a great information security department, so I’m sure we do,” answered one of the doctors.

I then showed them my smartphone and what I found in that very room, and explained how, if I had been malicious, I could have accessed all the data on those devices and sent it to some unknown and far-away cloud server, and that others within range could that very moment also be accessing the data. I went on to explain that from what I could see of their current security, none of that activity would be seen, leaving them at risk for significant breaches, and they’d never even know they were being breached. I explained that if I could see those devices and data, then others could as well. They were very startled, to say the least.

“We’ll discuss this with our data security officer!” they assured me.

Every day more medical devices are being used that collect, transmit and store huge amounts of personal data. Every day more medical devices are being enabled to communicate, and share this huge amount of personal and health data, with more and more types of devices, networks and systems. Every day there are more types of direct-to-consumer medical devices being offered that are collecting and sharing huge quantities of data with unlimited unknown others.

There were 450 total breach incidents reported in the U.S. in 2016, impacting 27,314,647 affected patient records. How many more breaches occurred that were never identified?

More needs to be done to protect medical devices, which largely have little to no security controls built into them. Without such controls, others can obtain the data stored on the devices and the data they transmit, and the devices themselves can become pathways for malware distribution and distributed denial of service (DDoS) attacks, and can even be used to cause physical harm to the patients who depend upon them.

With the massive amount of personal and health data associated with medical devices, many issues need to be addressed, and associated questions need to be answered.

  • How is access into the devices, and to the settings, controlled?
  • How is the security and privacy of all that data being assured?
  • What security and privacy standards are in place that can be used by medical device engineers to build in protections and controls?
  • What agencies are overseeing the medical device manufacturers to make sure they appropriately address security and privacy risks?
  • What can CISOs/information security officers and privacy officers within hospitals and clinics do to mitigate the risks that the medical devices bring into their digital environment?
  • What can healthcare providers do to mitigate their HIPAA non-compliance risks that the devices present to the organizations?

Certainly, among many other actions necessary for a comprehensive and effective information security and privacy program, both healthcare providers as well as the medical device manufacturers and vendors need to perform risk assessments to be able to identify and mitigate the associated risks. They also both need to have a comprehensive risk management program. These needs were just a couple of the motivations for my SIMBUS, LLC business to build an automated risk assessment that can be used by any size of organization; too many have used the excuse that they couldn’t afford to do risk assessments. I wanted to make that a non-valid excuse; for devices that are so critical to the safety, health, and privacy of patients, risk assessments must be performed.

In honor of Data Privacy Day this year, one of the things my SIMBUS and Privacy Professor businesses did to help exemplify the many risks of unsecured medical devices, and to start medical device engineers on the path to thinking about the cybersecurity and privacy risks involved with inadequately secured medical devices, was to create an infographic to demonstrate how far and wide health data can spread as a result of unsecured medical devices and systems, and just a few of the many types of people that can get copies of it. See it here: https://www.facebook.com/photo.php?fbid=10206966048744667&set=a.1155166014303.19047.1682280067

I’ve gotten great feedback for it so far from many hospital system security and privacy officers saying they will show this infographic to their CEOs, Board members, doctors, hospital staff and medical device vendors to raise the awareness of the security risks that inadequately secured medical devices bring into their digital environment.

I would love to hear your feedback! Will you also be using it within your facility to raise awareness, within your security and privacy education activities, etc.? I would love to hear that you are doing so! I just ask that you leave my Privacy Professor and SIMBUS references at the bottom to cite attribution to us as the creators of this image.

We will be posting more free tools and information this coming week to stretch Data Privacy Day into a week.

Happy Data Privacy Day…Week!

#privacy #PrivacyAware #awareness #DataPrivacyDay #RiskManagement #SIMBUS #PatientPrivacy #RiskAssessment #MedicalDevices #IOT #IOMT #HIPAA

This article originally appeared on Rebecca Herold's LinkedIn page here.
