ENCINITAS, Calif. – MedCrypt has raised $1.9 million in new funding to accelerate the commercial deployment of cryptographically embedded cybersecurity software for medical device makers. “The FDA is cracking down on medical device cybersecurity by releasing more robust regulations by which medical device vendors and health care delivery organizations are required to abide,” said Mike Kijewski, CEO and co-founder of MedCrypt, in a statement. “Our solution lets these organizations protect their devices and patients with just a few lines of code.” The company’s cryptographically embedded security software helps medical device vendors build products that are secure by design and monitor behavior of these devices once they are deployed. This additional financing brings the company’s total to-date funding to $3 million.
IRVING, Texas – Health care performance improvement company Vizient has formed a task force to minimize the risk and cost of medical device cybersecurity by creating standard practices for the health care industry.
The work of the Medical Device Cybersecurity Task Force will augment the U.S. Food & Drug Administration’s Medical Device Action Plan, which was released earlier this month. It will assess the overall maturity level of cybersecurity for medical devices and identify areas to improve, as well as focus on sourcing enhancements, standards, governance and information sharing best practices to reduce exposure to risk.
“Vizient is excited to step up and provide leadership in the area of medical device cybersecurity by facilitating collaboration between key stakeholders for the benefit of the entire industry,” said Ross Carevic, director, technology sourcing operations at Vizient, in a statement. “The goal is to help reduce cybersecurity risks and the cost of assessing risk.”
The task force will initially work on a multi-phase roadmap that will help advance the cybersecurity maturity posture of the entire health care industry, Carevic said.
The Medical Device Cybersecurity Task Force includes information security leaders from 25 member health systems. It will also engage device manufacturers, suppliers, cybersecurity consultants, government and industry experts. The task force will assess the overall maturity level of cybersecurity for medical devices and identify areas to improve. It will also focus on sourcing enhancements, standards, governance and information sharing best practices to reduce exposure to risk.
“We are viewing this from an entire industry perspective, not just for Vizient members and suppliers,” said Carevic. “Wherever possible, we intend to make key deliverables publicly available, which will help suppliers and providers prioritize their remediation plans for older medical devices and ensure appropriate safeguards are included in new devices for the benefit of all patients.”
‘Until we have better protective measures in place, there’s always risk’
FRAMINGHAM, Mass. – mHealth apps, devices and platforms have significant privacy and cybersecurity failings, and are vulnerable to hacking events, recent studies show.
Steven Bearak, CEO of IdentityForce, which provides medical identity, privacy and credit security solutions, shared why home health technology is attractive to hackers and what consumers can do to protect their health data.
HHTN: Do you think home health devices and platforms are secure?
BEARAK: Medical devices are no different than any other device that connects to the Internet—once you’re connecting with other devices and networks, your information is vulnerable and can be breached. These devices can be compromised and personal information can be exposed.
HHTN: Why do you think hackers are targeting medical information?
BEARAK: It’s not surprising that hackers are going after medical information so easily. On the dark web, it’s been reported that the most expensive personally identifiable information being bought and sold are complete medical records, which can be purchased on the black market for $1,000.
HHTN: Do you think home health devices can ever be secure?
BEARAK: Medical devices have wireless connectivity and they essentially enable health professionals to adjust and fine tune treatment and medication of these devices without invasive procedures. That’s a strong benefit, but as with any technological conveniences, there can also be downfalls. Better security protocols must be initiated by the manufacturers before these devices go out to market. Too much reliance on third-party protection versus starting during the early planning stages has created a lot of the security hacks we see today. Enacting better security protocols is a marathon, not a sprint, and unfortunately, until we have better protective measures in place, there’s always risk.
HHTN: What can consumers do to keep their information safe?
BEARAK: Medical identities are 20 to 50 times more valuable to criminals than financial identities. That may explain why an average of 1.5 health care data breaches occur each week. What makes this even more unpredictable is that identity theft is a long-term crime, and fraudulent activity may not show up for six to 12 months or even longer. That’s why it is essential to continually monitor your personal identity.
Consumers should also:
- Track your medical records and check for mistakes. Remember, you have the right to see your records and have errors corrected. Wrong information not only points toward evidence of identity theft but also has implications for your treatment.
- Read your medical and insurance statements regularly and completely. They can show warning signs of identity theft.
- Review your insurance benefits. Ask your insurer for a listing of benefits paid out under your policy at least once a year.
- Monitor where and when you provide your personal medical information (in person, over the phone, or online). Always decide if the information is absolutely necessary before providing it.
- Keep paper and electronic copies of your medical records and health insurance records in a safe place, and, when no longer needed, shred documents containing personal information.
- Look for medical organizations that follow the “Red Flags Rule,” which requires many businesses and organizations to implement a written identity theft prevention program designed to detect the “red flags” of identity theft in their day-to-day operations and take steps to prevent the crime and mitigate its damage.
IoT devices are perfect target, report finds
HERNDON, Va. – A frightening number of hackers said they can find the health care data they’re seeking in under an hour, according to a new report by cybersecurity software company Nuix.
More than half of the hackers who responded to the company’s “Black Report” survey said it takes fewer than 10 hours to breach the perimeter of hospitals and health care provider systems, and 38% said they can find the data they’re looking for in less than 60 minutes.
“Those stats are disturbing on their own, but become more so when compared to many industry-accepted numbers that say it takes organizations seven to eight months, on average, to discover they’ve been attacked,” said Chris Pogue, head of services, security and partner integration, at Nuix. “That’s a long, long time for your data to be gone before you’ve figured it out.”
To compile the report, Nuix asked more than 100 hackers to complete an anonymous survey either online, at gatherings like Black Hat and Bsides Vegas, or on paper at a Nuix event.
The allure of health care data: It can be worth 10 times more than credit card numbers on the deep web, according to industry experts. The data can be used to create fake IDs to buy medical equipment or drugs, or to file fictional claims with insurers.
The report also found that Internet of Things health devices are low on the list of concerns for health systems and providers, but are actually a perfect target for attackers.
“IoT devices are, for now, about the lowest hanging fruit you can find,” said Pogue.
Pogue said the biggest obstacles to making health devices and systems more secure are the limited options and the dire need.
“The hospital’s choices are limited regarding which manufacturers they can purchase devices from, the doctors are more interested in functionality than they are security, and the patients are more focused on why they are monitoring their health rather than how secure the device is,” he said. “It will take a widespread attack to force the industry to react.”
ARLINGTON, Va. – PhysIQ was selected winner of the 2017 MyVCM Trust Network Awards, presented by Ostendio, a provider of cybersecurity and information management solutions. “Throughout the year, PhysIQ has demonstrated their dedication to maintaining high levels of security and has consistently ranked in the top five of the monthly MyVCM Awards,” said Grant Elliott, CEO of Ostendio, in a statement. PhysIQ’s portfolio of technologies includes solutions that capture, transport, store and analyze continuous telemetry from wearable sensors and present personalized physiology analytics for their customers in health care, wellness and clinical trials markets. “Protecting data is extremely important to us, and we take it seriously,” said Matt Pipke, chief technology officer at PhysIQ, in a statement.
‘The health care industry is a target-rich environment for hackers’
ENGLEWOOD, Colo. – As home health care organizations increasingly become aware of their vulnerability to cybersecurity risks, Brian Wells, director of health care strategy at Merlin International, offered his expert opinion on the unique challenges faced by the health care space.
HHTN: What are some of the cybersecurity challenges facing the home health care industry?
Wells: The health care industry is a target-rich environment for hackers and others. Attacks can come in the form of ransomware that makes data and systems unavailable to the end users and forces a switch back to paper-based processes, which drastically reduce nurse, physician and staff productivity, and may impact patient safety and quality of care. Far too often the health system’s only option is to pay the ransom so that automated care processes can return to normal. Another form of attack relates to stealing data, which can result in patient or employee identity theft, theft of services and the filing of false claims. These data breaches can come from an external source or result from the theft of a physical data storage device, and they result in remediation costs and reputational harm.
HHTN: How are cybersecurity challenges different in home health care?
Wells: I actually think that home health care security challenges are much worse. With the rapid growth of digital technologies like wearables, smartphones, artificial intelligence and the Internet of Things that are connected wirelessly to the Internet, the number of attack vectors is increasing exponentially. Many of these devices are not connected to hospitals or doctors’ offices. However, with the shift in health care reimbursement from fee-for-service to fee-for-value, health care providers will be incentivized to ensure that patients are compliant with care protocols and will want to have much closer and ongoing contact with the patients for which they are responsible. This will increase the demand for connecting these devices into the provider’s electronic medical records systems, creating a much larger attack base. For example, a wireless scale in a patient’s home might be used as an entry point into the provider’s network.
HHTN: What do health systems need to address to be safe from cybersecurity attacks?
Wells: First and foremost, health systems need to constantly maintain a real-time inventory of all of the devices that are connected to their networks because it provides an accurate and up-to-the-minute universe of endpoints that need to be managed. The endpoints can then be categorized and assigned to the appropriate automated management processes to ensure the devices are compliant with the required prevention and detection software or segmented into a higher security portion of the network. Secondly, all end users—including patients and family members—need to be educated and regularly reminded about the risks of IT security non-compliance. End users need to be vigilant with password usage, device sharing, physical device security and usage to protect the organization and, ultimately, themselves. Lastly, all data and information systems need to be regularly managed, backed up and made as resilient as possible. It should be assumed an attack or breach will occur and the information systems teams, as well as clinical and business groups, need to know how to respond, recover and return to normal operations as quickly and safely as possible.
‘The more connected devices you have, the more attack opportunities there are for hackers’
BOSTON – With cybersecurity attacks on the rise, health systems need to prepare their medical devices, data and operating systems, Leo Scanlan told attendees of the 9th annual mHealth+Telehealth World Congress in Boston on Monday.
With memories of the recent WannaCry and Petya ransomware attacks still fresh, the message was loud and clear from Scanlan, the deputy chief information security officer and senior cybersecurity advisor for healthcare cybersecurity in the Office of Information Security, Office of the Chief Information Officer, for the U.S. Department of Health and Human Services.
“The question is not if you will be attacked,” he said. “The question is when you will be attacked and how.”
Scanlan warned that cybersecurity attacks can come from all fronts, including connected devices and the Internet of Things. Hackers are not only seeking information like names, addresses and Social Security numbers—in some countries, chest X-rays are a valuable commodity because they are often needed to obtain a work visa, he said.
“The more connected devices you have, the more attack opportunities there are for hackers,” he said. “The convenience must be weighed against higher risks and vulnerabilities.”
HHS fielded about 9,000 managed cybersecurity issues in the health care sector last year, with 63% more successful attacks than the previous year, Scanlan said. While $12.6 billion was spent on IT in health care in 2016, cybersecurity in the industry is still lacking, he said.
“HHS is trying to make a major leap over that problem,” he said.
Case in point: The Cybersecurity Information Sharing Act has tasked HHS with establishing a common set of voluntary, consensus-based and industry-led security practices to help health care organizations cost-effectively reduce their cybersecurity risks, Scanlan said.
“Congress recognizes the scope of this problem,” he said. “We’re looking to create public and private partnerships, and trying to build a crowdsourcing model.”
SILVER SPRING, Md. – The U.S. Food and Drug Administration issued a notice that cybersecurity vulnerabilities have been identified in St. Jude Medical’s implantable cardiac devices and the Merlin@home Transmitter. “The FDA has reviewed information concerning cybersecurity vulnerabilities associated with St. Jude Medical’s Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter,” the notice said. The Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion or administration of inappropriate pacing or shocks, said the FDA. St. Jude Medical has developed a software patch that addresses and reduces the risk of cybersecurity vulnerabilities.