Last week’s global cyberattack garnered wide media attention, as it spread across nearly 150 countries. Among its primary victims was the United Kingdom’s National Health Service system, causing massive shutdowns and inconveniences to the country’s health care infrastructure. Though certainly not the only internationally scaled cybersecurity threat in recent years, this attack’s consequential impacts should serve as a stark reminder of the significant vulnerabilities within the intersection of technology and medicine.
Accordingly, experts need to revisit a few areas of concern in the health care industry which may be conducive to increased cybersecurity threats in the coming years.
Hospital/Health Care Systems
The Department of Health and Human Service’s Office of Civil Rights, which oversees the enforcement of patient privacy laws such as HIPAA (Health Information Portability and Accountability Act), contends “that [the] personal health data of 30 million Americans has been compromised since 2009.” With the advent of electronic medical records and digital systems to store patient data, hospitals have become critically dependent on electronic media to provide patient care, and have thus become ripe targets for hackers which seek to extort or cripple large health care systems. Similar to the UK’s current crisis, extortionists often encrypt vital system and patient files, making it impossible to move forward with treatment or patient care. While some hackers cyber security seek payment prior to releasing the files, far larger concerns emerge when patient data itself is stolen, giving access to vital information about an individual’s health care records and overall biography. The potential misuse to this data is limitless, as medical records and specific patient files can fetch up to $500 to $1200 (per record) in unregulated forums.
Revolutionary innovations in health care such as pacemakers, insulin pumps, and other medical implant devices have made it easy for patients to seek personalized and convenient care. However, many of these devices have also become “smarter,” often allowing users to control them wirelessly or remotely. Though an incredible metric of convenience, the connective and digital abilities of these devices provide a perfect medium for cyber threats. While the hacking of less invasive devices such as smart contact lenses or wirelessly controlled hearing aids may not raise immediate concern, the threat and level of danger is as imminent for more sensitive and life-sustaining equipment, such as insulin pumps and even modern pacemakers. Many of the wireless features on these critical devices were originally created in order to give physicians real-time patient data and metrics. For example, a “smart” pacemaker can provide a physician with deeper insight into the patient’s cardiac data and even the device’s own efficacy. However, these digital features create vulnerabilities, allowing room for savvy intruders to take control of the systems remotely and cause potentially life-threatening changes.
“The health care industry needs to rise to the challenge and address the evolving landscape of cyber threats.”
This problem will only be further compounded as the economy surrounding the “internet of things” continues to grow—a consumer trend that is expected to reach nearly $117 billion in market share by 2020. Fitbits, smart watches, activity trackers, and other health care “wearables” are constantly tracking and collecting data from the individual donning the device, which may likely also become of critical interest to cyber criminals. Ultimately, though many of these devices have considerably augmented individual health outcomes, their digital capabilities lend an open door for cyber threats.
The health care industry needs to rise to the challenge and address the evolving landscape of cyber threats. Large hospitals and health care systems need to be more privy to security measures, specifically ensuring that the systems they are utilizing for storing patient data are frequently updated, and any system vulnerabilities are immediately addressed. Furthermore, guidance and training on detecting cyber threats should be provided to medical staff and employees, as they are often the first points of contact for digital threats. As for medical devices, manufacturers should take the necessary steps to ensure that their devices comport with standard compliance guidelines, and provide regular security updates and patches for the continued efficacy of their products.
Finally, the most vital solution is to increase the attention and emphasis given to this critical issue. While the majority of the health care security debate is still stuck on HIPAA compliance, the digital revolution has brought forth many more imminent threats to patient safety. Accordingly, health care cybersecurity spending is expected to reach nearly $65 billion by 2021. Given that the digitization of health care and the industry’s reliance on information technology systems is unavoidable, research, development, and support for cybersecurity must be provided, congruent to the growing digital health ecosystem. Ultimately, while there is much to be gained from this revolutionary ecosystem, it brings with it the need for an unprecedented level of vigilance.