“Breaches of private information in hospital records are serious and expensive security events but remediating them can be deadly. That's the conclusion of a study presented last week at the 4A Security and Compliance Conference.”
Breaches at hospitals are not new. Whether it is a hunt for monetizable patient data, or holding medical systems for ransom, hospitals are a target-rich environment. A hacked hospital brings to mind all sorts of worst-case scenarios, because you’re never more vulnerable than when you’re undergoing medical treatment. The more automated medicine becomes, the more likely flaws in medical devices and supporting computer systems pose a threat to life and limb.
Hospitals are unique environments. Security policy for medical devices and systems is often in the hands of doctors, not necessarily (or at least exclusively) the CISO. This is in large part because traditional security protocols (e.g. detect, disconnect, clean, restore) might kill someone if applied to, say, a heart monitor in the middle of surgery. The data processing tasks that take place in a hospital range from the mundane to the highly technical, which means there is no “one policy to rule them all,” nor is there a single model that works for every hospital, clinic, or specialty practice.
Which brings us back to the findings of the study. It turns out that a breach, no matter how bad, has very little if any impact on patients directly or immediately. What brings about negative results is what happens in the aftermath of the breach, when all sorts of new policies and procedures get put into place. It is all done with the best of intentions, but the impact leads to a significant increase in patient mortality:
“When hospitals respond to a breach, the response tends to have a major impact on their legitimate users... new access and authentication procedures, new protocols, new software after any breach incident is likely to disrupt clinicians… [leading to] an additional 34 to 45 deaths per 1,000 heart attack discharges every year.”
Like the list of side effects in a drug ad on TV, it seems like you’re better off not taking the cure. All jokes aside, better patient outcomes in the wake of cybersecurity threats start with establishing a sound, resilient security policy in the context of the institution. Hospitals are not in the cybersecurity business, so dogmatic adherence to <insert your favorite standards body recommendations here> makes little sense when the primary mission is saving lives.
An ideal approach will balance the competing factors of patient health, privacy, and system and device security. These factors are not equal. Medicine will always place a priority on care, which means accepting increased risk when it comes to the other factors. We don’t know many people who would complain if, in the course of saving their life, an emergency room team committed a HIPAA violation; if doctors let people die because they were afraid of committing a HIPAA violation, the response would not be the same.
One of the most effective, long-term ways to address this imbalance involves medical device manufacturers. We all know ‘baking in’ security is superior to any after-the-fact approach, though the demand for secure devices is still outpaced by the demand for functional and reliable ones. Actions that help ensure medical device integrity are arguably the most fundamental the industry can take to reduce risks and improve patient outcomes across the board.
Since a ground-up approach to better cybersecurity isn’t likely in the near term, institutions must make a concerted effort to improve their ability to detect and monitor the devices they deploy in support of patient care. A hospital of modest size can have IoT devices that number in the tens of thousands, yet have no meaningful way of keeping track of them, understanding their behavior, or knowing when they might be compromised. Traditional asset discovery solutions are often ill-suited for IoT-rich environments, which is an argument for passive, network-based solutions that can baseline device behavior and provide system owners with a comprehensive inventory of what they are trying to protect, and when those devices need attention.
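To make the passive, network-based approach concrete, here is an added example (not code from the article or any product it alludes to) that builds a device inventory from flow records seen on a tap and then flags deviations: devices never seen before, and known devices reaching destinations outside their learned baseline. The flow records, MAC addresses and IPs are constructed sample data; the five-field record layout is an assumption.

```python
from collections import defaultdict

# Constructed sample flow records (not real hospital traffic), as a passive
# collector on a span port might export them.
# Fields: epoch_seconds, source MAC, source IP, destination IP, destination port.
# Port 2575 is the registered HL7 MLLP port and 104 the classic DICOM port,
# chosen to look like clinical integration traffic.
BASELINE_FLOWS = """\
1000 aa:bb:cc:00:00:01 10.1.1.11 10.1.9.5 2575
1001 aa:bb:cc:00:00:01 10.1.1.11 10.1.9.5 2575
1002 aa:bb:cc:00:00:02 10.1.1.12 10.1.9.5 2575
1003 aa:bb:cc:00:00:02 10.1.1.12 10.1.9.7 104
"""

# Later observation window: device 01 suddenly talks SMB to an outside host,
# and a MAC never inventoried shows up sending HL7.
OBSERVED_FLOWS = """\
2000 aa:bb:cc:00:00:01 10.1.1.11 10.1.9.5 2575
2001 aa:bb:cc:00:00:01 10.1.1.11 203.0.113.9 445
2002 aa:bb:cc:00:00:03 10.1.1.13 10.1.9.5 2575
"""


def parse_flows(text):
    """Yield (mac, src_ip, dst_ip, dst_port); skip malformed lines instead of aborting."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # collectors emit junk now and then; the run must survive it
        _, mac, src_ip, dst_ip, port = parts
        yield mac, src_ip, dst_ip, int(port)


def build_baseline(text):
    """Inventory keyed by MAC: the set of (dst_ip, dst_port) each device normally contacts."""
    baseline = defaultdict(set)
    for mac, _src, dst_ip, port in parse_flows(text):
        baseline[mac].add((dst_ip, port))
    return dict(baseline)


def find_deviations(baseline, text):
    """Report devices absent from the inventory and known devices with new peers."""
    new_devices, new_peers = set(), defaultdict(set)
    for mac, _src, dst_ip, port in parse_flows(text):
        if mac not in baseline:
            new_devices.add(mac)
        elif (dst_ip, port) not in baseline[mac]:
            new_peers[mac].add((dst_ip, port))
    return {"new_devices": sorted(new_devices),
            "new_peers": {m: sorted(p) for m, p in new_peers.items()}}
```

In practice the baseline window would be days or weeks of traffic and the deviations would feed a ticket to the system owner rather than an automatic disconnect, which is exactly the point the study makes.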