Healthcare and Technology news
37.6K views | +0 today
Follow
Healthcare and Technology news
Your new post is loading...
Your new post is loading...
Scoop.it!

The Security Risks of Medical Devices

The Security Risks of Medical Devices | Healthcare and Technology news | Scoop.it
There are a large number of potential attack vectors on any network. Medical devices on a healthcare network is certainly one of them. While medical devices represent a potential threat, it is important to keep in mind that the threat level posed by any given medical device should be determined by a Security Risk Assessment (SRA) and dealt with appropriately.

So let’s assume the worst case and discuss the issues associated with medical devices. First off, it must be recognized that any device connected to a network represents a potential incursion point. Medical devices are regulated by the FDA, and that agency realized the security implications of medical devices as far back as November 2009, when it issued this advisory. In it, the FDA emphasized the following points:

Medical device manufacturers and user facilities should work together to ensure that cybersecurity threats are addressed in a timely manner.
The agency typically does not need to review or approve medical device software changes made for cybersecurity reasons.
All software changes that address cybersecurity threats should be validated before installation to ensure they do not affect the safety and effectiveness of the medical devices.


Software patches and updates are essential to the continued safe and effective performance of medical devices.


Many device manufacturers are way behind on cybersecurity issues. As an example, many devices are still running on Windows XP today, even though we are one year past the XP support deadline. They are often loathe to update their software for a new operating system. In other situations device manufacturers use the XP support issue as a way to force a client to purchase a new device at a very high price. All healthcare facilities would be well advised to review any purchase and support contracts for medical devices and make sure that things such as Windows upgrades do not force unwanted or unnecessary changes down the road. While there are options to remediate risks around obsolete operating systems, they are unnecessary and costly. Manufacturers should be supporting their products in a commercially reasonable manner.

Why would anyone be interested in hacking into a medical device? Of course there are those that would argue that anything that can be hacked will be hacked, “just because”. While it is possible that hacking could also occur to disrupt the operations of the device, the more likely reason is that getting onto a medical device represents a backdoor into a network with a treasure trove of PHI that can be sold for high prices on the black market. Medical devices are often accessible outside of normal network logon requirements. That is because manufacturers maintain separate, backdoor access for maintenance reasons.


Hackers armed with knowledge of default passwords and other default logon information can have great success targeting a medical device. For example, this article details examples of a blood gas analyzer, a PACS system and an X-Ray system that were hacked. Many times healthcare IT departments are unaware or unable to remediate backdoor access to these systems. These are perhaps more “valuable” as a hack because they are hard to detect and can go unnoticed for a long period of time. As a reminder, the Target data breach last year was initiated because the access that a third party had to the retailer’s network was compromised. A complete SRA should inventory all network connected medical devices and analyze the access/credentials that a device has, and any associated security threat. The best defense is a good offense – make sure that networked devices have proper security built in and implemented. Then your devices will no longer be “the weak link in the chain”.

more...
No comment yet.
Scoop.it!

Nearly Seven in 10 Patients Would Avoid Healthcare Providers That Undergo a Data Breach

Nearly Seven in 10 Patients Would Avoid Healthcare Providers That Undergo a Data Breach | Healthcare and Technology news | Scoop.it
A new survey from TransUnion Healthcare found that more than half of recent hospital patients are willing to switch healthcare providers if their current provider undergoes a data breach. Nearly seven in 10 respondents (65%) would avoid healthcare providers that experience a data breach.

Older and younger consumer groups responded differently to data breaches. While 73% of recent patients ages 18 to 34 said they were likely to switch healthcare providers, older consumers were less willing. Nearly two-thirds (64%) of patients older than 55 were not likely to consider switching healthcare providers following a data breach.

“Older consumers may have long-standing loyalties to their current doctors, making them less likely to seek a new healthcare provider following a data breach,” said Gerry McCarthy, president of TransUnion Healthcare. “However, younger patients are far more likely to at least consider moving to a new provider if there is a data breach. With more than 80 million millennials recently entering the healthcare market, providers that are not armed with the proper tools to protect and recover from data breaches run the risk of losing potentially long-term customers.”

Other survey insights on consumers’ expectations following a data breach include:

· Nearly half of consumers (46%) expect a response or notification within one day of the breach.

· 31% of consumers expect to receive a response or notification within one to three days.

· Seven in 10 (72%) consumers expect providers to offer at least one year of free credit monitoring after a breach.

· Nearly six in 10 (59%) consumers expect a dedicated phone hotline for questions.

· More than half of consumers (55%) expect a dedicated website with additional details.

“The hours and days immediately following a data breach are crucial for consumers’ perceptions of a healthcare provider,” said McCarthy. “With the right tools, hospitals and providers can quickly notify consumers of a breach, and change consumer sentiments toward their brand.”
more...
No comment yet.
Scoop.it!

The radical potential of open source programming in healthcare

The radical potential of open source programming in healthcare | Healthcare and Technology news | Scoop.it

Everyone wants personalized healthcare. From the moment they enter their primary care clinic they have certain expectations that they want met in regards to their personalized medical care.


Most physicians are adopting a form of electronic healthcare, and patient records are being converted to a digital format. But electronic health records pose interesting problems related to sorting through vast amounts of patient data.


This is where open source programming languages come in, and they have the ability to radically change the medical landscape.

So why aren’t EHRs receiving the same care that patients expect from their doctor? There are a variety of answers, but primarily it comes down to how the software interprets certain types of data within each record. There are a variety of software languages designed to calculate and sort through large amounts of data that have been out for years, and one of the most prominent language is referred to as “R”.

What is R?

According to r-project.org “R is an integrated suite of software facilities for data manipulation, calculation, and graphical display.” Essentially this programming language has been built from the ground up to handle large statistical types of data.


Not only can R handle these large data sets, but it has the ability to be tailored to an individual patient or physician if needed. There are a variety of other languages focused on interpreting this type of data, but other languages don’t have the ability to handle it as well as R does.

How can a language like R change the way in which EHRs function?

Take, for instance, the recent debate regarding immunization registry. EHRs contain valuable patient data, including information associated with certain types of vaccine.


If you were able to cross reference every patient that had received a vaccine, and the side effects associated with said vaccine, then you could potentially sort out what caused the side effect and create prevention strategies to deter that certain scenario from happening again.


According to Victoria Wangia of the University of Cincinnati, “understanding factors that influence the use of an implemented public health information system such as an immunization registry is of great importance to those implementing the system and those interested in the positive impact of using the technology for positive public health outcomes.”


This type of system could radically change the way we categorize certain patient health information.


Programming languages like R have the ability to map areas that have been vaccinated versus those that haven’t. This would be ideal for parents who wish to send their children to a school where they know that “x” number of students have received a shot versus those that haven’t. Of course, these statistics would be anonymous, but this information might be critical for new parents who are looking for a school that fits their needs.


This technology could have much bigger implications pertaining to personalized data, specifically healthcare records. Ideally, an individual could tailor this programming language to focus on inconsistencies within patient records and find future illnesses that people are unaware of.


This has the potential to stop diseases from spreading, even before the patient is aware that they might have a life threatening illness. Although such an intervention wouldn’t necessarily stop a disease, it could be a great prevention tool that would categorize certain types of illness.

Benefits of open source

One of the more essential functions that R offers is the ability to be tailored to patient or doctor’s needs. Most information regarding patient health depends on how a physician documents the patient encounter, but R has the ability to sort through a wide variety of documentation pertaining to important statistical information that is relevant to physician needs. This is what makes open source programming languages ideal for the medical field.


One of the great components associated with open source programming languages in the medical field is the cost. R is a completely free language to start working in, and there is a large amount of great documentation available to start learning the language. The only associated cost would be paying a developer to set up, or create a program that quickly sorted through personalized information.


Essentially, if you were well rounded in this language, the only cost associated with adopting it would be the paper you would need to print information on.


Lastly, because of HIPAA, the importance of information security has been an issue, and should be a primary concern when looking at any sensitive electronic document. Cyber security is always going to be an uphill battle, and in the end if someone wants to get their hands on certain material, they probably will.


Data breaches have the ability to cost companies large amounts of money, and not even statistical data languages are safe from malicious intent. A recent issue has been the massive amount of resources that are being built in R that have been shared online. Although this is a step in the right direction for the language, people are uploading malicious code. But if you are on an encrypted machine, ideally the information stored on that machine is also encrypted. Cloud based systems like MySQL, a very secure open source server designed to evaluate data, offer great solutions to these types of problems.


These are some of the reasons why more physicians should adopt these types of languages, especially when dealing with EHRs. The benefits of implementing these types of systems will radically alter the way traditional medicine operates within the digital realm.


More statistical information about vaccinations and disease registries would greatly benefit those that are in need. The faster these types of systems are implemented, the more people we are able to help before their diseases becomes life threatening.


more...
No comment yet.
Scoop.it!

Security audit of Premera identified issues prior to cyberattack

Security audit of Premera identified issues prior to cyberattack | Healthcare and Technology news | Scoop.it

Premera Blue Cross, based in Mountlake Terrace, Washington, announced March 17 that it was the victim of a cyberattack that exposed the PHI of more than 11 million subscribers, according to lexology.com.


Premera discovered January 29 that hackers gained access to its IT systems May 5, 2014, according to govinfosecurity.com. A notice on the Premera website states that the following information may have been accessed:

  • Names
  • Addresses
  • Email addresses
  • Email addresses
  • Telephone numbers
  • Dates of birth
  • Social Security numbers
  • Member identification numbers
  • Medical claims numbers
  • Some bank account information

The Office of the Inspector General (OIG) conducted a security systems audit of Premera in January and February 2014, just months prior to the attack. In an audit report dated November 28, 2014, the OIG stated that Premera implemented an incident response plan and network security program.


However, the OIG noted a number of security concerns. Although a patch management policy was in place, scans performed during the audit revealed that patches were not implemented in a timely manner. In addition, methodologies were not in place to ensure that unsupported or out-of-date software was not used and a vulnerability scan identified insecure server configurations.


At the time of the audit, Premera also lacked documentation of formal baseline configurations detailing its approved server operating settings. The insurer also failed to perform a complete disaster recovery test for all of its systems. The OIG also identified weaknesses in Premera’s claims application controls.


more...
No comment yet.