Cybersecurity, healthcare

Ransomware and Data Breaches Top Threats in Health IT

By Maria Fontanazza
No Comments
Cybersecurity, healthcare

And medtech companies need to keep interoperability and security top of mind.

This year has further accelerated the digital health revolution. The pandemic has also exposed vulnerabilities in the healthcare system, and the challenges that hospitals and medtech companies faced as a result. In a discussion with MedTech Intelligence, George Gray, CTO and VP of research & development at Ivenix, shares some of the top trends that are threatening health IT, along with 2021 predictions for the healthcare and medtech arena.

MedTech Intelligence: What are the current top threats to health IT?

George Gray: I see two cybersecurity threats in the health IT space.

The first is ransomware, which continues to become more prevalent in healthcare. A recent example of this is the Ryuk attacks that, once again, are placing several hospitals in the U.S. under siege. With this type of threat, attackers try to take control of the hospital’s system through encryption of its data or in another way that compromises the system until their demands are met. This is going to continue being a major issue for health systems. In fact, IBM predicted another surge in ransomware delivered via connected devices this year targeting healthcare organizations—and last year, 491 of the 621 successful ransomware attacks were against U.S. healthcare companies.

The second top threat is data breaches. Compared to other businesses and systems, hospitals are unique in that the data they hold gives attackers a breadth of personal patient information, including social security numbers, billing details, health concerns and overall demographics. Attackers can break into electronic medical record (EMR) systems and steal that personal data, leaving patients vulnerable to identity theft.

George Gray, Ivenix
George Gray, CTO and VP of research & development at Ivenix

MTI: What role do you see real-time data playing in the healthcare space in 2021?

Gray: Real-time data has always been key to assessing patient conditions and coming up with a plan of attack. With the recent [pandemic], we’ve seen the need to gain access to reliable healthcare data that, though not changing in real time, is evolving at a rapid pace and critical in the containment of this invisible enemy.

Today, there are large amounts of real-time data available to clinicians, who are responsible for using the information to form a plan of care for their patients. Relative to other industries where data collection and correlation is more automated, having highly skilled clinicians bear the brunt of most of this work is fairly labor intensive and costly. With the growing costs of healthcare, this obviously begs the question: How can we drive down these costs while maintaining or improving the quality of care being delivered?

In my opinion, we’ll see more developments of tech-enabled solutions that capture real-time data, streamline the decision-making process and allow clinicians to focus more on their patients. Whether it takes the form of machine learning or something simpler, I believe we will see more machine-driven information processing in 2021 and beyond. This includes making use of real-time data in the diagnosing of medical conditions, establishing plans of care, and identifying and warning clinicians of potential risks to their patient.

These types of solutions will provide great benefit but also have the potential of increasing a hospital’s cybersecurity risk. That said, assessing the security risks of these solutions will be critical. This includes the incorporation of the new wave of intelligent medical devices such as ultra-smart infusion pumps and patient monitoring systems that assist in the processing of this real-time information.

MTI: Discuss the role and importance of data scientists.

Gray: Data scientists are needed to help advance the use of information in the healthcare space using such tools and techniques as data modeling, analytics, statistics and even machine learning. Given that the use of data is a key driver in the delivery of care, there should be a large number of data scientists supporting these efforts. But, in my opinion, this isn’t the case. I think there continues to be too few data scientists in healthcare and a de-emphasis of roles such as the CNIO and CMIO who would be advocates of such investments. Vendors seem to be investing in this area, particularly around machine learning, genetics and pharmaceutical development. But in a world where “data is king,” it feels like data scientists are underrepresented.

MTI: What kind of challenges do devices that require manual entry pose?

Gray: As most in the healthcare industry can understand, clinicians and nurses are working in high-stress, quick-paced settings, where mistakes can happen at any given moment. For any device, user interactions will almost always lead to use errors. Depending on the severity of the errors, users can put patients at risk of serious and potentially life-threatening danger. As an example, being off by a decimal point when programming an infusion pump can lead to serious complications and sometimes fatalities.

To err is human. And knowing the possibility of human error, it’s crucial for device manufacturers to always consider patient safety in the design and development of products that are intended to improve upon patient care. The industry constantly walks the line in eliminating, automating, and/or simplifying data entry. Making devices more intuitive to users through easy-to-use interfaces, for example, can help simplify the process for clinicians and nurses.

Automating manual processes can also help take it a step further to reduce use errors by eliminating the manual tasks at hand for users. For example, some smart infusion pumps can be automatically programmed from a medication order sent to it from the EMR. This helps eliminate data entry errors and makes the pump safer to use.

MTI: What are the top cybersecurity vulnerabilities affecting hospitals?

Gray: Hospitals have to closely examine where vulnerabilities lie within the system. Several existing elements can play a role.

The system network is only as secure as its weakest link. Currently, many hospitals continue to use systems that run on old operating systems like Windows 7. Many hospitals also continue to use legacy devices that are not designed to be secure. Once any of these are penetrated by hackers, there is a good chance that subsequent attacks can be launched against systems they are connected to. With cyber-crimes on the rise, it is vital that healthcare systems take these vulnerabilities seriously and invest in a plan to replace these devices and systems with those that are designed to be secure. Vendors should anticipate this and should either already have or have in development systems and devices that can resist cybersecurity threats.

People also represent a major vulnerability to hospitals. Under “normal” working conditions, phishing attacks can trick users into exposing secure information or launching a Trojan inside the hospital. However, when faced with a fast-paced environment and the use of complex equipment, it may be easier for a hacker to get into a health system. A disgruntled employee might also be willing to provide access or retrieve information from a hospital system. Hospitals need to limit user permissions to those required to perform their duties and, under some circumstances, may need to disable user access altogether.

Though personnel can be a vulnerability, they can also mitigate cyberattacks—but only if these employees are skilled in recognizing and mitigating. In comparison to other industries, the healthcare industry has under invested in building these kinds of skills, making them more vulnerable to cybersecurity attacks. If hospitals want to prevent attacks, they need to invest more in security experts and the ongoing education of those experts to stand as guards against those attacks.

Vendors of medical devices and systems should do the same. This includes building expertise within their organizations and collaborating with security experts across the industry to identify risks and share resolutions. It also includes building cybersecurity frameworks within their products that can be used to protect from attacks, detect when they occur and help the hospital mitigate their impact.

MTI: What are your predictions for the medical device arena in 2021?

Gray: There are few key areas we’ll see the industry focus on to improve patient safety and care, as we go into the new year.

It’s evident that cybersecurity is top of mind. We will continue to see hospital systems invest in secure medical devices that are ready to sit on system networks safely, especially as the potential for threats continues to rise.

There is also a shift toward smarter data exchanges through interoperable medical devices that can communicate data to and from other systems within the hospital. For example, interoperable capabilities in smart infusion pumps can provide a richer view of the patients’ condition and provide that information in the context of the infusion to better guide their clinical decision making.

Patients are more healthcare- and technology-savvy than in the past, and the industry is leveraging that shift more and more. Over the next five years, we will see an uptick in the use of digital health devices to help patients better manage their own health. Through connected devices such as smartphones, wearables (e.g., continuous glucose monitors, biosensors, etc.), and in-home products, patients will be able to play a more active role in monitoring and improve their health.

Related Articles

About The Author

Maria Fontanazza, MedTech Intelligence

Leave a Reply

Your email address will not be published. Required fields are marked *