Tag: Security

Security Crisis of Cardiac Pacemakers Paves the Way for IoT Security Evolution in Cardiology

By INGA SHUGALO

While the healthcare IoT demand forecasts are more than generous, anticipating the market to hit $158.07B by 2022, there is still a certain delay in IoT adoption across the industry. Connected medical devices, especially those that are directly involved in patient care, are adopted cautiously due to potential security vulnerabilities and risks to patient safety.

One of the reasons behind the hesitant adoption of healthcare IoT in cardiology is preexisting concerns about the security of implantable medical devices, such as pacemakers.

The recent pacemaker crisis revealed vulnerabilities in pacemaker software across several major vendors. If exploited, these software vulnerabilities would allow hackers to take over the device and control it fully. The crisis led to device recalls, certain features being disabled, and even remote updates being cut off completely to avoid unacceptable health risks.

This series of events led to a cautious attitude toward the emerging cardiology IoT. Since we can’t be sure that all exploits and vulnerabilities are eliminated in less advanced systems, are we really ready to take a step forward to more elaborate healthcare software solutions at this point?

The fact of the matter is, cardiology is already taking these steps. The new generation of pacemakers has embedded sensors to monitor a patient’s blood temperature, sinus node rate, breathing, and other vitals. This data is used to flexibly alter the heart rate, slowing or speeding it depending on a patient’s current activity level. They also inherited remote control from their predecessors. Practically, next-gen pacemakers are IoT devices.

Accordingly, the industry can either stigmatize the security concerns or choose to adopt a new perspective, seeing the pacemaker crisis as an opportunity to create a solid platform for unbiased adoption of upcoming connected cardiac devices.

A Patient in the Lobby Refuses to Leave: Medical Emergency, Unhappy Customer or Active Shooter?

By HANS DUVEFELT, MD

The receptionist interrupted me in the middle of my dictation.

“There’s a woman and her husband at the front desk. She’s already been seen by Dr. Kim for chest pain, but refuses to leave and her husband seems really agitated. They’re demanding to speak with you.”

I didn’t take the time to look up the woman’s chart. This could be a medical emergency, I figured. Something may have developed in just the last few minutes.

I hurried down the hall and unlocked the door to the lobby. I had already noticed the man and the woman standing at the glassed-in reception desk.

“I’m Dr. Duvefelt, can I help you?” I began, one hand on the still partway open door behind me.

The husband did the talking.

“My wife just saw Dr. Kim for chest pain and he thought it was nothing. He didn’t have any of her old records, so how could he know?”

While I quickly considered my response, knowing that Dr. Kim is a very thorough and conscientious physician, the man continued:

“Can we get out of here, and step inside for some privacy?”

My mind raced. This was either a medical emergency or an unhappy customer situation. We had the door locks installed not long ago on the advice of the police and many other sources of guidance for clinics like ours. It was a decision made by our Board of Directors. In this age of school, workplace and church shootings, everyone is preparing for such scenarios. We are always reminded not to bring people inside the “secure” areas of our clinics who don’t have an appointment or a true medical emergency.

I figured I had to find out more about this woman’s chest pain in order to make my decision whether to let her inside again; after all, she had just been evaluated.

“Ma’am, are you having chest pain right now?” I asked.

“A little”, she answered.

“How long have you had it?” I probed.

“A couple of years now.”

“And you just saw Dr. Kim?”

“Yes, and he said my EKG looked okay, but he didn’t bother to ask me about your heart valve operation three years ago in Boston. He just said ‘we’ll get those records’, and he told me I was okay today.”

The husband broke in, “It’s the same everywhere we go, everybody just says it’s not a heart attack, but we need more answers than that. We know what it isn’t, but we need to know what it is!” He added, again, “Can’t we go inside for some privacy?”

“Have you been seen elsewhere for the same thing?” I said without answering the request.

“Yes, at the emergency room in Concord, New Hampshire when we lived there…”

“Did Dr. Kim have you sign a records release form so we can get the records from Boston and New Hampshire?” I asked.

“Yes”, the woman answered.

“Then that’s all we can do today,” I said. “I hear you telling me this is an ongoing problem, you’ve already been assessed today and Dr. Kim told you that you’re safe today and we’ve requested your old records. That’s what needs to happen.”

“You mean you’re not going to help us today?”

“You’ve seen Dr. Kim, your records will get here, I don’t know what more we can do for you today.”

“You’ll hear about this”, the husband said as they stormed out. Another man in the lobby introduced himself to them and said “I’ll be your witness.”

I closed the self-locking door and wished I had somehow been more skilled and more diplomatic, and I wished the world wasn’t the way it has become in just a few years, with more concern for bolted doors, gun violence and mass shootings than simple customer relations.

Hans Duvefelt is a Swedish-born rural Family Physician in Maine. This post originally appeared on his blog, A Country Doctor Writes, here.

How health IT organizations are using security as a competitive advantage

When speaking with our health IT clients, I’m hearing a distinct shift when it comes to cybersecurity. They no longer view it as an IT cost; they understand how it can facilitate growth, create competitive advantage and build trust in their products and brand.

Their executive management is on board with this thinking, too. They don’t want to hear about fear, uncertainty and doubt when it comes to data breaches, hacks and cyber threats, but rather how cybersecurity can help ‘protect the house and the product’ while at the same time enabling the business, customers and partners.

As more products and services in the healthcare continuum are connected, the need to proactively address cybersecurity increases. And as more consumer and business information is generated and shared, data privacy becomes a critical business requirement. This explains why we’re seeing forward-thinking health IT organizations moving to a new model of cybersecurity – one that’s adaptive to evolving risks and threats plus aligns with overall business objectives, such as increased revenue.

The one unifying thing we see with most health IT clients is the cloud. They need to design, build, assess, test and validate architectures and products on the cloud to confidently go to market with secure solutions. They’re finding that as they address cybersecurity in the design and development of products and services, they experience new ways to innovate and move faster. These cloud-integrated solutions can also enhance data privacy and boost customer trust and brand reputation. These are crucial safeguards as consumers are more concerned than ever about how their data is collected and shared.

Organizations aren’t waiting to hear that security program elements demonstrating customer data protection are a requirement for closing a deal; they’re getting proactive by using cybersecurity as a sales strategy.

Three Lessons Healthcare Executives Can Learn From the Sony Hack

As if healthcare executives needed more to worry about, the recent hacker attack on Sony Pictures should send yet another reminder that data security can’t be ignored. On an international stage, Sony management learned the hard way that their e-mails, text messages, and private conversations were vulnerable to attack. Hackers accessed everything from the company’s sensitive financial information to its confidential employee communications. In the immediate aftermath of the attack, Sony is facing government inquiries, class action lawsuits from employees and business partners, and a significantly tarnished reputation.

Many executives in our industry might think that healthcare facilities are better prepared to withstand hacker attacks, with numerous government agencies regulating how we store and transmit protected health information (PHI) and personally identifiable information (PII). In reality, a significant number of healthcare facilities have already suffered damaging hacker attacks over the last few years, and expectations are that hacker attacks will be a continued threat for the foreseeable future. The question healthcare executives must ask is: “What are we going to do about it?”

Privacy and Security and the Internet of Things

In the future, everything will be connected.

That future is almost here.

Over a year ago, the Federal Trade Commission held an Internet of Things workshop, and it has finally issued a report summarizing the comments and recommendations that came out of that conclave.

As in the case of the HITECH Act’s attempt to increase public confidence in electronic health records by ramping up privacy and security protections for health data, the IoT report — and an accompanying publication with recommendations to industry regarding taking a risk-based approach to development, adhering to industry best practices (encryption, authentication, etc.) — seeks to increase the public’s confidence, but is doing it the FTC way: no actual rules, just guidance that can be used later by the FTC in enforcement cases. The FTC can take action against an entity that engages in unfair or deceptive business practices, but such practices are defined by case law (administrative and judicial), not regulations, thus creating the U.S. Supreme Court and pornography conundrum — I can’t define it, but I know it when I see it (see Justice Stewart’s timeless concurring opinion in Jacobellis v. Ohio).

To anyone actively involved in data privacy and security, the recommendations seem frighteningly basic:

  • build security into devices at the outset, rather than as an afterthought in the design process;
  • train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
  • ensure that when outside service providers are hired, those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
  • when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
  • consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
  • monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks;
  • consider data minimization – that is, limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely;
  • notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations.

The New Bioterrorism? The Hacked Medical Device

A time- and technology-challenged FDA, the proliferation of software-controlled medical devices in and outside of hospitals, and the growth of hackers have resulted in medical technology that’s riddled with malware. Furthermore, the lack of security built into the devices makes them ripe for hacking and malfeasance.

Scenario: a famous figure (say, a politician with an implantable defibrillator or young rock star with an insulin pump) becomes targeted by a hacker, who industriously virtually works his way into the ICD’s software and delivers the man a shock so strong it’s akin to electrocution.

Got the picture?

Welcome to the dark side of health IT and connected health. Without strong and consistently adopted security technology and policies, this scenario isn’t a wild card: it’s in the realm of possibility. This is not new-news: back in 2008, a research team figured out how to program a common pacemaker-defibrillator to transmit a “deadly 830-volt jolt,” according to Barnaby Jack, a security expert.

Five Reasons Americans Should Want Electronic Health Records

Although healthcare providers are making progress in adopting health IT, Americans seem to be resistant to change to Electronic Health Records (EHRs). In fact, only 26 percent of Americans want their medical records to be digital, according to findings from the third annual EHR online survey of 2,147 U.S. adults, conducted for Xerox by Harris Interactive in May 2012.

Last month the Institute of Medicine issued a seminal report entitled “Best Care at Lower Cost: The Path to Continuously Learning Health in America.” The report estimates the American healthcare system suffered a $750 billion loss in 2009 from inefficient services and administrative expenditures. The report is grounded on the principle that effective, real-time insights for providers and patients which result in collaborative and efficient care depend on the adoption and use of digital records.

As people are naturally resistant to change, education will be key in gaining support among Americans for the transition to EHRs. If providers can help patients understand “what’s in it for me,” that will likely go a long way in making Americans feel more comfortable with the switch to digital.

Let’s take a look at five ways EHRs directly impact the patient. For these examples, we’ll use a fictitious patient named “Joe”:

  • Health Information Exchanges (HIE): HIEs work on the principle of a network – they grow stronger as more participants join. If Joe’s primary care doctor switches to digital, that’s a great step in the right direction. However, it isn’t truly meaningful until his primary care doctor joins an HIE and begins sharing Joe’s patient health history, medication history, lab results, family and social history and vital statistics with his specialists, emergency care providers, and so on. This sharing of information helps ensure that Joe gets the best quality of care, because all of his providers will be in sync and have the most up-to-date information. It also helps reduce the amount of duplicate exams and labs Joe will be asked to give.

What Keeps Me Up at Night 2012

I’ve written several posts about the issues that keep me up at night. Here’s what I wrote in 2011.

Today, my team presented a list of risks to the Compliance, Audit and Risk Committee at BIDMC. Here’s my list of top risks for 2012:

1. Old Internet browsers – many vended clinical applications require specific versions of older browsers such as Internet Explorer 6, which are known to have security flaws. We’ve worked diligently to eliminate, upgrade or replace applications with browser specificity. At this point, 96% of our devices run Internet Explorer 8, Firefox 7 or Safari 5, minimizing our risks to the extent possible.

2. Local Administrative rights – Of our 18,000 devices on the network, a few thousand are devices that require the user to have local administrative rights to run their niche applications (often the research community doing cutting-edge research with open source or self-developed software). We have done everything possible to eliminate Local Administrative rights on our managed devices.

3. Outbound transmissions – Security has historically focused on blocking evil actors from the internet. Given the current challenges of malware and infections brought in from the outside, it’s equally critical to block unexpected outbound activity.

4. Public facing websites – any machine that touches the internet has the potential to be targeted for attack. We’ve implemented proxy servers/web application firewalls on most public websites.

5. Identity and Access management – Managing the ever-changing roles and rights of individuals in a large, complex organization with many partners/affiliates is challenging. If an affiliate asks for access to an application, how do you automatically deactivate accounts when users leave an affiliate, given the lack of direct employment relationships?

Hacking Your Heart

If they can hack your home computer, your mobile phone, apps, your store, your social networks, your bank account, your gaming system, your medical records, your school records, the government and its records, and pretty much anything anyone sets their mind to – isn’t it only a matter of time until someone finds a way to hack your heart?

Not through a musical hook or melody that you can’t shake. Or a well timed smile by someone your soul connects with. Or a box of chocolates. Or a poem. People have been penetrating the human heart with those Luddite-ish tools since the beginning of civilization.

I was thinking more about that electronic device your doctor might have implanted into your chest to keep your heart beating. Or the little box stuck in your gut to help you and your pancreas regulate your diabetes. Or the mini-computer surgically inserted to keep your neurological systems on track.

Hacking the medical miracles put inside people to let them live longer with more normal lives.

While to my limited knowledge nobody has reported a single case and the likelihood is extremely low, it is a real enough concern that the New England Journal of Medicine published a paper about the need to improve security last year.

Health Information Security and the Cloud

Back in 2005, Hurricane Katrina smashed into the Gulf Coast community of Waveland, Mississippi. Among the many losses were the community’s medical files. The storm instantly wiped out more than 10,000 of Waveland Medical Center’s patient medical records.

“For the past year, we have had to rely on our memories and notecards to keep track of patient care while treating patients outside or in a tent, battling against power outages, and working without heat in the cold and without air conditioning in the summer,” said Roberta Chilimiagras, M.D., WMC’s owner, in the days after the storm.

Patients fleeing the Gulf Coast area often sought treatment elsewhere. In Houston, Melinda Amedee presented at the MD Anderson Cancer Center, saying that she had been scheduled to have a tumor removed from her kidney at a New Orleans hospital. As Time magazine reported, her case posed a serious challenge to the doctors in Houston, who had no medical records and no way of contacting her Louisiana kidney specialist.

This example – extreme as it is – highlights a critical, and often overlooked, component of the privacy and security of patient information. Health information security can be thought of as a three-legged stool: Confidentiality, Integrity, and Availability. It’s widely accepted that health information must be kept confidential. But what good is all that information if doctors and their patients can’t get to it at the critical moments? I’d argue that on a day-to-day basis, patient access to, and input on, what is in their health records is an aspect of privacy and security that deserves greater attention.