ARLINGTON, Va. – PhysIQ was selected as the winner of the 2017 MyVCM Trust Network Awards, presented by Ostendio, a provider of cybersecurity and information management solutions. “Throughout the year, PhysIQ has demonstrated their dedication to maintaining high levels of security and has consistently ranked in the top five of the monthly MyVCM Awards,” said Grant Elliott, CEO of Ostendio, in a statement. PhysIQ’s portfolio of technologies includes solutions that capture, transport, store and analyze continuous telemetry from wearable sensors and present personalized physiology analytics for their customers in health care, wellness and clinical trials markets. “Protecting data is extremely important to us, and we take it seriously,” said Matt Pipke, chief technology officer at PhysIQ, in a statement.
‘The health care industry is a target-rich environment for hackers’
ENGLEWOOD, Colo. – As home health care organizations increasingly become aware of their vulnerability to cybersecurity risks, Brian Wells, director of health care strategy at Merlin International, offered his expert opinion on the unique challenges faced by the health care space.
HHTN: What are some of the cybersecurity challenges facing the home health care industry?
Wells: The health care industry is a target-rich environment for hackers and others. Attacks can come in the form of ransomware that makes data and systems unavailable to the end users and forces a switch back to paper-based processes, which drastically reduce nurse, physician and staff productivity, and may impact patient safety and quality of care. Far too often the health system’s only option is to pay the ransom so that automated care processes can return to normal. Another form of attack relates to stealing data, which can result in patient or employee identity theft, theft of services and the filing of false claims. These data breaches can come from an external source or result from the theft of a physical data storage device, and they result in remediation costs and reputational harm.
HHTN: How are cybersecurity challenges different in home health care?
Wells: I actually think that home health care security challenges are much worse. With the rapid growth of digital technologies like wearables, smartphones, artificial intelligence and the Internet of Things that are connected wirelessly to the Internet, the number of attack vectors is increasing exponentially. Many of these devices are not connected to hospitals or doctors’ offices. However, with the shift in health care reimbursement from fee-for-service to fee-for-value, health care providers will be incentivized to ensure that patients are compliant with care protocols and will want to have much closer and ongoing contact with the patients for whom they are responsible. This will increase the demand for connecting these devices into the provider’s electronic medical records systems, creating a much larger attack base. For example, a wireless scale in a patient’s home might be used as an entry point into the provider’s network.
HHTN: What do health systems need to address to be safe from cybersecurity attacks?
Wells: First and foremost, health systems need to constantly maintain a real-time inventory of all of the devices that are connected to their networks because it provides an accurate and up-to-the-minute universe of endpoints that need to be managed. The endpoints can then be categorized and assigned to the appropriate automated management processes to ensure the devices are compliant with the required prevention and detection software or segmented into a higher security portion of the network. Secondly, all end users—including patients and family members—need to be educated and regularly reminded about the risks of IT security non-compliance. End users need to be vigilant with password usage, device sharing, physical device security and usage to protect the organization and, ultimately, themselves. Lastly, all data and information systems need to be regularly managed, backed up and made as resilient as possible. It should be assumed an attack or breach will occur and the information systems teams, as well as clinical and business groups, need to know how to respond, recover and return to normal operations as quickly and safely as possible.
‘The more connected devices you have, the more attack opportunities there are for hackers’
BOSTON – With cybersecurity attacks on the rise, health systems need to prepare their medical devices, data and operating systems, Leo Scanlan told attendees of the 9th annual mHealth+Telehealth World Congress in Boston on Monday.
With memories of the recent WannaCry and Petya ransomware attacks still fresh, the message was loud and clear from Scanlan, the deputy chief information security officer and senior cybersecurity advisor for healthcare cybersecurity in the Office of Information Security, Office of the Chief Information Officer, for the U.S. Department of Health and Human Services.
“The question is not if you will be attacked,” he said. “The question is when you will be attacked and how.”
Scanlan warned that cybersecurity attacks can come from all fronts, including connected devices and the Internet of Things. Hackers are not only seeking information like names, addresses and Social Security numbers—in some countries, chest X-rays are a valuable commodity because they are often needed to obtain a work visa, he said.
“The more connected devices you have, the more attack opportunities there are for hackers,” he said. “The convenience must be weighed against higher risks and vulnerabilities.”
HHS fielded about 9,000 managed cybersecurity issues in the health care sector last year, with 63% more successful attacks than the previous year, Scanlan said. While $12.6 billion was spent on IT in health care in 2016, cybersecurity in the industry is still lacking, he said.
“HHS is trying to make a major leap over that problem,” he said.
Case in point: The Cybersecurity Information Sharing Act has tasked HHS with establishing a common set of voluntary, consensus-based and industry-led security practices to help health care organizations cost-effectively reduce their cybersecurity risks, Scanlan said.
“Congress recognizes the scope of this problem,” he said. “We’re looking to create public and private partnerships, and trying to build a crowdsourcing model.”
SILVER SPRING, Md. – The U.S. Food and Drug Administration issued a notice that cybersecurity vulnerabilities have been identified in St. Jude Medical’s implantable cardiac devices and the Merlin@home Transmitter. “The FDA has reviewed information concerning cybersecurity vulnerabilities associated with St. Jude Medical’s Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter,” the notice said. The Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion or administration of inappropriate pacing or shocks, said the FDA. St. Jude Medical has developed a software patch that addresses and reduces the risk of cybersecurity vulnerabilities.