When you visit a hospital or a doctor’s office, you’re focused on the reason that sent you to a medical doctor for treatment. While the doctors are poking and probing you with various instruments and monitoring you with various electronic medical devices, they are recording some of your personal data and other information about you. Any industry that records personal data on its clients is at risk of a cyber breach, and the medical industry is the hackers’ most recent target.
The health care industry took strong note that medical practices became prime cybersecurity targets when WannaCry and Petya made national news. The aftermath of both attacks proved that patches and software updates are critical data security protections, but they may not be enough. WannaCry infected systems before some organizations had time to install the latest Microsoft update.
Medical Equipment Is the Hacker’s Latest Target
Manufacturers of medical equipment have focused on making devices highly calibrated so that they help doctors and nurses save lives, with little or no attention to cybersecurity. Some manufacturers may have an inkling that their products could expose patients’ personal information, yet their designs have not matured to the point where they can protect sensitive patient data. Other manufacturers focus on profits and simply don’t care about the residual negative effects on patients.
To make matters worse, medical equipment is increasingly interconnected with other electronic devices. Malware on one device can spread to another just as a cold or infection spreads from one person to the next.
Board Directors Are Overwhelmed With Cybersecurity Warnings
Board directors of health care organizations get inundated with information about cybersecurity risks—so much so that they scarcely have time to read and digest it all. Risks come at them from so many sides that they can’t sort out where best to put their focus.
On top of all the cautionary information, health care boards get deluged with proposed solutions from vendors pushing high-cost options to protect them. Taken together, the overload of information makes it hard for the board to make responsible decisions, which delays actions that could be protecting their stakeholders at the earliest opportunity.
These are the challenges that make bolstering cybersecurity measures in the health care industry an arduous and laborious task. Boardroom discussions take on a tone of concern as board directors strive to fulfill their fiduciary duties responsibly. It takes a corporate village of varied experts flanking the board table to solve these challenging issues, including cybersecurity experts, the general counsel, the chief information security officer (CISO) and every board director.
HHS Keeps a Pulse on Cybersecurity With a New Report
The U.S. Department of Health & Human Services (HHS) is the federal agency responsible for regulating issues related to the health and well-being of all Americans. As cybersecurity issues began to encroach upon the medical field, Congress established the Health Care Industry Cybersecurity Task Force to investigate cybersecurity risk in the health care industry. The task force’s recent report reviews the cybersecurity issues that today’s health care providers are facing and offers valuable suggestions for improvement. In particular, the report places a marked focus on improving cybersecurity around electronic medical devices.
Congress Introduces a Bill to Increase Security of Medical Devices
Taking a cue from the HHS task force report, Senator Richard Blumenthal (CT) introduced S. 1656, the Medical Device Cybersecurity Act of 2017. The primary goals of the bill are to better protect sensitive patient information and to create stronger cybersecurity protection at the device level.
If Sen. Blumenthal’s bill passes in its current form, it would do five things to protect patients:
- Increase transparency of medical device security by creating a cyber report card for devices and mandating that they be tested prior to sale.
- Strengthen remote access protections for medical devices inside and outside of medical facilities.
- Require crucial cybersecurity fixes or updates to remain free and not require FDA recertification.
- Provide guidance and recommendations for end-of-life devices, including how they can be disposed of and recycled.
- Expand the DHS Computer Emergency Readiness Team (ICS-CERT) obligations to include the cybersecurity of medical devices.
The bill is still in the introductory phase of the legislative process, but it will move along with strong support from two prominent health care industry groups with an eye on IT issues. CHIME, the College of Healthcare Information Management Executives, and AEHS, the Association for Executives in Healthcare Information Security, have already voiced strong support in favor of the mandate. Their expertise and recommendations will be highly valued as the bill gets debated in committees of both chambers. The issue is important enough to arouse public interest and concern.
In a related bill, Senator Susan Collins (ME), along with Senators Mark Warner (VA) and Jack Reed (RI), introduced S. 536, the Cybersecurity Disclosure Act of 2017. If passed, this bill would require corporations to have at least one board director with strong expertise in cybersecurity. The idea is that a board director serving in this capacity would support board oversight and decision-making around cybersecurity measures and protections.
Cybersecurity in the Health Care Realm Is Challenging to Navigate
For the everyday patient, worrying about having their personal information stolen and circulated online adds to the emotional drain of getting healthy. Government officials like Senators Blumenthal, Collins, Warner and Reed are committed to easing that worry by enacting new laws that protect the health and confidential information of America’s patients.
As cybersecurity issues take center stage in board discussions, board directors are becoming painfully aware of how little they know and understand about them. It’s a complicated issue that forces board directors to strike a balance between allowing the use of essential medical equipment and protecting sensitive patient data.
Unfortunately, the recent cyber-attacks that we’ve seen in the health care industry are probably only a foretaste of what is to come. As long as patients need to give their medical practitioners sensitive personal information, the health care industry will continue to be vulnerable.