Many and varied electronics come equipped with software that makes them “smart.” But smart technology is not invincible. Any device that is computerized and connected can be hacked. The more that systems become integrated and the more they become connected to the Internet, the greater the risk of compromise.
In the electronic healthcare environment, privacy and security are intertwined. Threats are internal and external and include theft of electronic patient medical information, theft or loss of equipment containing that information, and disruption of operations. Insiders (eg, employees) and outside hackers may seek health-related and personal information to perpetrate identity theft and fraud. Even nonmalicious security lapses by insiders, such as carelessness, misuse, policy violations, and configuration maladjustments, can lead to privacy and security breaches.
The Food and Drug Administration (FDA) recently became aware of certain cybersecurity vulnerabilities and incidents and issued a Safety Communication titled “Cybersecurity for Medical Devices and Hospital Networks” (June 13, 2013), which recommends that “medical device manufacturers and healthcare facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware* into the medical equipment or unauthorized access to configuration settings….” The Safety Communication provides specific recommendations for medical device manufacturers and healthcare facilities, along with information on how to report cybersecurity problems to the FDA.
(Read the alert at http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm.)
A major portion of products used in patient management and care are medical devices, according to the National Cybersecurity and Communications Integration Center, US Department of Homeland Security, 2012 Bulletin “Attack Surface: Healthcare and Public Health Sector.” Various types of medical computing devices are in use. Portable devices include smart phones, iPads, and laptops and are used in direct patient care; implantable devices are designed to be implanted within the body to collect, store, and analyze data; and external devices are older versions of implantable devices.
Technologic advances such as higher storage capacity, faster computing speeds, easier use, and portability are increasing the use of medical computing devices, which is affording better care to patients. But concerns have arisen that “the instant connectivity of these devices to the Internet or a Health Information System could be compromised if not protected….” As the healthcare industry builds continuous loops of information around patients to provide access to all of their data, all of the time, the implementation of robust security systems for the full range of cyberthreats is a requirement to protect patients’ privacy and secure their medical and identity information.
*Malware, or malicious software, is software used by cyberattackers to gain access to private computer systems, gather sensitive information, or disrupt computer operations.