Cybersecurity risks are high in health care
What’s happening? The US Food and Drug Administration (FDA) has issued updated draft guidelines on how medical device developers should make their products less vulnerable to hacking. It replaces a draft published in 2018 and now emphasises the whole device life cycle and suggests that manufacturers include a Software Bill of Materials (SBOM) to provide information about product components. The agency has also asked Congress for more power regarding device cybersecurity requirements. Separately, a bill introduced to Congress proposes that device makers should have plans to address any cybersecurity issues with their products and include an SBOM for new devices. (The Verge)
Why does this matter? Hackers view medical devices as an easy entry point into hospital networks, and the huge rise in telehealth and remote patient monitoring during the pandemic has escalated the problem to an unexpected level.
Why health data? According to a Politico analysis, there was a threefold increase in US health data breaches over three years, leading to almost 50 million individuals being affected in 2021, with hacking behind 75% of cases compared to 35% in 2016. The information is extremely valuable to hackers and is said to be worth 10 to 15 times more than credit card data when sold on the dark web. This is because, unlike credit card data, health data cannot be cancelled once it’s been stolen.
Records containing names, dates of birth, family connections, provider information and health and genetic information can be used to take out loans, to create false identities and make fake insurance claims or even blackmail patients into making payments to stop their health records being shared online.
Information about health care professionals themselves is even more valuable as a Carbon Black report found doctor licences, Drug Enforcement Administration licences, medical diplomas and insurance documents being sold for around $500 per listing. Someone without a medical background could use these to assume a doctor’s identity to submit claims to Medicare and other health insurers for expensive procedures.
Alongside the danger of data theft, ransomware attacks present a real risk to patient safety. During such attacks, staff have to revert to pen-and-paper note taking while being unable to access health records, test results and details of patients’ contacts. Such attacks also result in the cancellation of appointments and the need to relocate patients needing emergency care. Even if ransoms are not paid, the cost of these attacks can still run into millions, adding pressure to already stretched health systems.
Lack of investment – Although the health care industry is one of the most targeted for cyberattacks, few hospitals consider cybersecurity a high-priority investment, an Ipsos report found. Its survey of hospital IT and information executives and biomedical technicians and engineers also listed a lack of automation in device tracking as a concern, alongside a lack of staff to focus on the issue. Another problem is that staff working off-site may be using their own personal devices, which could lack security, to connect to the network and access the information they need.
Regulation – It’s imperative that health systems step up their security measures, so they are prepared to minimise disruption. It’s also essential for more robust regulations, like the above-mentioned medical device guidance, to be put into practice.
Another recent US development in this space is the introduction of a bipartisan bill to the US Senate. If passed, it would direct a collaboration between the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services to help improve cybersecurity preparedness and training for health care and public health organisations.
A question of trust – Patient data sharing across systems presents the opportunity to improve health outcomes and care delivery, while also reducing risk of treatment errors. It can also help support research, identify trends that could be useful in planning, and drive innovation.
Interested organisations need to work harder to mitigate security issues if they are to gain public trust, which is lacking. Better transparency about how data is kept safe and shared could help build the confidence needed to win them over.