Attacks targeting medical devices and health information technology continue to grow and vulnerabilities related to the pandemic are amplifying the threat. Azi Cohen, of CyberMDX, explains that, over the last year, many health systems quickly grew their Internet of Medical Things (IoMT) inventory to meet the surge in care demands and provide patients with lifesaving treatment. Unfortunately, says Cohen, new devices and tools, such as telehealth platforms, did not undergo thorough security onboarding due to the emergent nature of providing care during the COVID-19 pandemic. The result, notes the IT and cybersecurity expert, has created a significant risk to “patient safety, personal health information (PHI) confidentiality, and the overall clinical network.”
In an interview with HealthITSecurity.com, Cohen and colleague Richard Staynings, of Cylera, identify the following IoMT-associated risks, which they say healthcare organizations should prioritize:
- Unknowns about the status of all device security vulnerabilities, cyber hygiene, security controls and anti-malware agents;
- Unknowns about the potential impact of an attack on patient safety and data confidentiality;
- Lack of control over PHI locations and the security status of the devices on which the data exists; and
- Inability to identify if devices are already carrying malware and what risk this poses to the security of the entire clinical network.
To mitigate these threats, hospitals and health systems must patch medical device vulnerabilities, safeguard all technology with proper password protection and run anti-malware agents. Furthermore, reports HealthITSecurity.com, leaders should be aware of the exact “number of devices operating on the network at any given time” and understand the connectivity between the web of technology. Perpetrators see the interoperability of the healthcare sector as an easy way to compromise a system, says Staynings. Therefore, security leaders must perform a complete and accurate inventory of devices.
MLMIC recommends that insured facilities and physician practices maintain a robust IT presence in their organizations and stay vigilant in their ongoing efforts to safeguard patient data.
We continue to keep policyholders informed of COVID-19-related cyber threats and encourage our insureds to review the following guidance for protecting their networks:
- The Importance of Security Measures that Prevent Cyberattacks on Health Systems, a blog post with security measures to prevent cyberattacks;
- Security of Patient Information and Health Information Technology, a risk management tip on securing technology and private patient information;
- Telehealth & Cybersecurity Considerations, a blog post with practices to help reduce the risk of privacy breaches or cyberattacks related to the use of telemedicine; and
- Security of Patient Information and Health Information Technology, a risk management tip on maintaining the security of health IT devices and the privacy of patients’ protected health information.