There seems to be a lot of confusion in the healthcare world between security and privacy. These two terms are related but address different issues. In broad terms, security is about protecting data and systems, whereas privacy is about protecting identity and specific parts of data. Both are important when it comes to healthcare, but they need to be understood individually.
It’s critical to understand information security and privacy in healthcare and to pinpoint each health organization’s privacy and security concerns in order to explore solutions that address them. In this post we hope to shed some light on various privacy and security issues and also look into medical device security.
What you can expect to find highlighted here is:
- Intro to security and privacy threats in healthcare
- What is medical device security?
- FDA’s role in medical devices
- What are the challenges of medical device security
Introduction to security and privacy threats in healthcare
In healthcare, we must maintain a delicate balance. In the standard IT scenario, security measures protect the data in a system from malicious threats, while privacy measures control how visible sensitive information is, guarding it against unauthorized or unnecessary exposure. All of this must be achieved without getting in the way of the overall goal: delivering healthcare.
Essentially, the fundamental purpose of cybersecurity in healthcare, which calls for privacy protections, is to control who has access to which data within a system and thereby prevent breaches and failures.
Three main types of threats in healthcare systems
In order to fully understand the purpose of healthcare information security and privacy, we must explore the different types of threats that exist and why.
External threats are by far the most talked about security threats. They can be perceived as anyone (or anything malicious) from the outside trying to interfere with the system without invitation or authorization. These sorts of threats can come from individual hackers, criminal collectives or groups of professional infiltrators. The objective of these external threats is to limit or take down a system’s ability to function. To do this they use various methods, including viruses, trojans, phishing and malware, among others. The aim is to circumvent firewalls, breach system security and gain access to the inner sanctums of an environment in order to copy, steal, ransom or move data around. These types of threats are continuously evolving and can often go undetected for extended periods of time.
This type of threat refers to the misuse of authorizations or permissions, where the access login is stolen, lost or misapplied. An example of this is stealing someone’s password and later using it to log into a system. This type of breach implies unauthorized access to sensitive or protected information, in turn violating security controls and privacy protections. This can be seen with electronic health records (EHRs): the data obtained from them, and other electronic health information (EHI), could be used to steal someone’s identity.
Internal threats, just as they sound, come from inside the health organization. They can cause the same amount of damage as external threats.
An internal threat could be a disgruntled employee within the organization exposing or stealing information or data. It doesn’t always need malicious intent to qualify as a threat. It could be an employee mistakenly attaching a spreadsheet with sensitive information to an email or accidentally exposing passwords. An internal threat is essentially any kind of harm that could be caused from within, regardless of the intent behind it.
What is medical device security?
When we talk about medical device security we mean certain techniques and practices that can ward off attacks aimed against these devices. These attacks could be unauthorized control or access to medical devices, or it could also mean disclosing sensitive data that they store.
One way to start to understand this issue is to read the guidelines the FDA has developed for medical device safety. They are a resource that helps healthcare organizations prepare for cybersecurity incidents, should they occur. The playbook focuses on readiness and response for medical device cybersecurity issues that impact how the device functions.
IoT security encompasses security for medical devices, but there are some differences between medical devices and regular IoT devices. For example, unauthorized control of a medical device could in some cases be life-threatening, whereas for regular IoT devices this isn’t the case. The information stored on medical devices is usually very sensitive; a lot of the time it constitutes protected health information (PHI), which needs to be handled in compliance with HIPAA. And lastly, since medical devices are meant to last a long time, it can be extremely difficult to upgrade their security as time goes on, because doing so could interrupt the critical functioning of the device.
FDA’s role in medical devices
To determine whether your product meets the definition of a medical device, we turn to Section 201(h) of the Food, Drug & Cosmetic Act. According to this act, a device is any instrument, machine, implement, apparatus, implant, contrivance, or in vitro reagent that meets the following 3 conditions:
1) It is acknowledged in the U.S. Pharmacopeia or the official National Formulary;
2) It is meant to be used in the diagnosis, treatment, mitigation, prevention or cure of disease; or
3) It is meant to affect the function or structure of the human body.
Medical devices are highly connected to hospital networks, the Internet and other medical devices in order to improve health care and increase the ability of health care providers to treat their patients. On the other hand, these same features also increase potential security and privacy risks. Medical devices, like other computer systems, can be vulnerable to security breaches, which can potentially impact the effectiveness and safety of the device.
To determine if your product meets the definition of a medical device, you need to first define its intended use and the indications for use of the product. Once you have done this you can move on to determining if the product meets the actual definition of a medical device.
All medical devices have both risks and benefits. The Food and Drug Administration (FDA) is responsible for clearing, authorizing, and approving devices to be marketed when there is reasonable assurance that those devices are effective and safe for their intended use.
Information security and privacy in healthcare is a complex subject. Existing vulnerabilities and threats can’t be eliminated, and reducing security and privacy risks is especially challenging. The healthcare environment is very intricate, which is why manufacturers, facilities, and hospitals need to work together to manage healthcare information security and privacy. As we stated above, the FDA guidelines are a great way to understand medical device safety. These guidelines focus on preparedness and the right response for medical device security and privacy issues that could impact device functions.
What are the challenges of medical device security
As we’ve seen, medical devices are very different from other devices. They were created with a specific function in mind, which means that installing new software on them usually requires a special upgrade process, or may not be supported at all. Medical devices more often than not lack the resources to run any software beyond their core functions because they were designed to minimize memory usage. As a result, standard security solutions are not suitable for these devices.
Security and privacy issues with healthcare information technology can largely affect medical devices, which is why it’s important to stay up to date on security and privacy measures.
Some important challenges when it comes to the security of medical devices are:
- They are critical - many of these devices affect critical patients or manage very sensitive data. They are life-supporting.
- Security not a priority - many of these devices were created with the thought that physical products aren’t subject to security threats, so it wasn’t a top priority.
- Standardized configuration - medical devices are usually mass produced with the exact same hardware and software setup. This means that a successful attack on one of these devices can be easily executed across other devices.
- Patching restrictions - updating these devices is not an easy task. Once they are up and running they will usually only run the intended factory-installed software. Changes need to be performed carefully, in accordance with the manufacturer.
- Inside threats - Since they are regularly accessed by hospital personnel they are vulnerable to insider security threats.
- Longevity - they can last up to 10 or 20 years. This means that even if security was top of mind when the device was created, it is almost impossible to protect against modern security threats.
Best practices to keep in mind
Security is important not only for medical devices themselves but also for the information systems and endpoints they are connected to. The endpoints need to be protected, and this task falls on medical device manufacturers, as they must directly support antivirus software. If it isn’t possible to use an antivirus, alternative measures should be taken. One example is to require an extended SBOM integrity verification every single time the device is dispatched for maintenance, before it is connected back to the network.
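One way the post-maintenance SBOM check described above could look, as an added example rather than code from the original post. It assumes the manufacturer-approved SBOM and the one generated after servicing are both CycloneDX-style JSON carrying SHA-256 hashes; the function names and sample components are hypothetical.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def component(name: str, version: str, payload: bytes) -> dict:
    """Build one CycloneDX-style component entry (helper for the sample data)."""
    return {"name": name, "version": version,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(payload)}]}

def index_components(sbom: dict) -> dict:
    """Map component name -> (version, lowercase SHA-256 or None)."""
    index = {}
    for comp in sbom.get("components", []):
        digest = next((h["content"].lower() for h in comp.get("hashes", [])
                       if h.get("alg") == "SHA-256"), None)
        index[comp["name"]] = (comp.get("version"), digest)
    return index

def verify_after_maintenance(baseline: dict, observed: dict) -> list:
    """Compare the approved SBOM with the one taken after maintenance.
    An empty result means nothing drifted; any finding blocks reconnection."""
    base, seen = index_components(baseline), index_components(observed)
    findings = []
    for name in sorted(base.keys() | seen.keys()):
        if name not in seen:
            findings.append(("removed", name))
        elif name not in base:
            findings.append(("added", name))
        elif None in (base[name][1], seen[name][1]):
            findings.append(("unhashed", name))  # integrity cannot be proven
        elif base[name][0] != seen[name][0]:
            findings.append(("version_changed", name))
        elif not hmac.compare_digest(base[name][1], seen[name][1]):
            findings.append(("hash_mismatch", name))
    return findings

# Constructed sample data: component names, versions and contents are made up.
BASELINE = {"bomFormat": "CycloneDX", "components": [
    component("pump-controller", "2.4.1", b"controller build 2.4.1"),
    component("tls-library", "1.1.1", b"tls library 1.1.1"),
    component("shell-utils", "1.36", b"shell utils 1.36")]}
OBSERVED = {"bomFormat": "CycloneDX", "components": [
    component("pump-controller", "2.4.1", b"controller build 2.4.1"),
    component("tls-library", "1.1.1", b"tls library 1.1.1 (modified)"),
    component("diag-agent", "0.9", b"left behind by a service laptop")]}

if __name__ == "__main__":
    for kind, name in verify_after_maintenance(BASELINE, OBSERVED):
        print(f"BLOCK reconnect: {kind}: {name}")
```

If maintenance legitimately updates a component, the baseline has to be replaced with the manufacturer's new approved SBOM before the check will pass.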
Keep an inventory of the medical devices the organization has on hand, identify which devices are critical, and record their maintenance schedules.
It’s important to control access to the device using the pertinent user roles. This includes securing passwords that are specific to each and every medical device. When possible, it’s also best to limit the number of tries a user gets after a login failure.
Organizations need to constantly review vulnerability disclosures made by the medical device vendors. They should also conduct their own evaluation of the software that is deployed on medical devices to assess its vulnerabilities.
The challenge with healthcare organizations is that they tend to have a lot of old school technology running up against cutting-edge technology, and the two just don’t mix well. The old school tech isn’t able to adapt to new threats and evolving requirements. Healthcare organizations need to have a deeper understanding of their whole digital landscape and then define, divide and determine the organizational risks for all technologies, measured against security and privacy threats.
It’s impossible for any organization to achieve one hundred percent healthcare information security and privacy. They must therefore aim to be as secure as possible.