
Many Providers Lack Dedicated Budget For Connected Medical Device Security

Posted on November 5, 2018 | Written By

Anne Zieger is a veteran healthcare branding and communications expert with more than 25 years of industry experience, and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also worked extensively with healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

A new vendor survey has concluded that while most providers haven’t dedicated much of their budget specifically to managing and securing connected devices, most are convinced they have the situation under control. Rightly or wrongly, this seems to be part of a larger picture in which support for connected health devices hasn’t matured as much as the rest of the IT infrastructure.

The survey, which was conducted by Zingbox, developer of a healthcare Internet of Things analytics platform, collected responses from about 200 healthcare IT professionals and 200 clinical/biomedical engineers in the U.S., weighting results to US census levels for age, gender, region, and income.

According to Zingbox researchers, 87% of healthcare IT professionals responding to the survey said they were confident that their connected medical devices were protected from cyberattacks, and 79% said that their organization had real-time information on which of these devices might be vulnerable to cyberattacks.

Also, 69% said they believe that the existing security solutions used to secure laptops and servers were capable of securing their connected medical devices. Not surprisingly, the vendor’s report argued that this may not be the case, given that such devices aren’t designed to support on-device security solutions like anti-virus software, and that blocking ports or protocols via gateways leads to problems that include device malfunction.

When asked whether their organizations had a budget allocated specifically to securing connected medical devices, 53% said yes, and that the amount was sufficient, while 41% said no, that they didn’t have dollars allocated to the problem or hadn’t set aside enough dollars. (I’d be interested to know how they decided whether their device security was adequate; given the relative youth of this category their standards might be worth a look.)

Meanwhile, roughly 85% of clinical/biomedical engineers said they were confident they had an accurate inventory of connected medical devices in their network, with 64% of respondents noting that such device inventories were completed manually. 34% said they did a manual room-to-room audit to get this job done, and about 30% said they did static asset management.

To determine which devices were in use, 55% of respondents said they did so manually, while 38% said they used an automated solution. Of those clinical/biomedical engineers doing manual checks, 28% walk over to the device location to check in person, and 27% find out by contacting someone.

To keep these devices online, 73% of these engineers said they conducted maintenance on a fixed schedule, including 29% that followed manufacturer recommendations, 27% adhering to internal schedules and 17% taking a cue from reseller recommendations.

Are You Prepared For Healthcare Ransomware?

Posted on February 3, 2016 | Written By Anne Zieger


Earlier this month, a Texas hospital was hit with a particularly loathsome virus. Leaders at Mount Pleasant, Texas-based Titus Regional Medical Center found out on January 15 that a “ransomware” virus had encrypted files on several of the medical center’s database servers, blocking access to EMR data as well as the ability to enter data into the system.

In this kind of attack, the attacker demands a financial ransom in exchange for restoring access to the data. TRMC didn’t disclose how much money the attacker(s) demanded, but it may have been an immense sum, because the hospital apparently thought that bringing in pricey security consultants and enduring several days of downtime was preferable to paying up. They also probably realized that paying the ransom is a slippery slope, and that there’s no guarantee that those receiving the ransom money will actually restore access permanently.

It would be nice to think that this was just a passing fad, but researchers suggest that it’s not. In fact, US victims of ransomware reported losses of more than $18 million in 14 months, according to an FBI report issued in June.

According to one news report, the average ransomware demand is about $300 per consumer. The amount demanded goes up, however, when business or government organizations are involved. For example, when a series of small police departments in Massachusetts, New Hampshire and Tennessee were hit with a ransomware attack tying up their key databases, they ended up paying between $500 and $750 to get back access to their data. One can only imagine what a savvy intruder familiar with the life-and-death demand for health information would charge to free up an EMR database or laboratory information system data store.

But the threat isn’t just to enterprise assets. Not only are ransomware attacks on hospital enterprise networks likely to increase, but such attacks could also arrive via wearables or medical devices in 2016, according to technology analyst firm Forrester Research. Such attacks don’t just use medical devices to reach databases; Forrester predicts that some ransomware attacks will disable the medical devices themselves.

Given how important mobile technology has become to healthcare, it’s worth noting that ransomware is increasingly targeting mobile devices as well. For example, a recent strain of Android ransomware known as Lockdroid is now afoot. While it has no direct healthcare implications, one of the things it does is threaten to send a user’s browsing history to friends and family unless they pay the ransom. The victim, who may get tricked into allowing malicious code to gain admin privileges on their device, could end up having their personal data — and perhaps data from an EMR app — sent wherever the attacker chooses.

It seems to me that the ransomware threat will push healthcare organizations to mirror their core data assets in new and heretofore unheard-of ways. HIT departments will have to bring disaster recovery methods and network intrusion defenses to bear to prevent the worst possible outcome — a hack that kills one or more patients — and quickly. Meanwhile, if a company specializing in protecting healthcare firms from ransomware doesn’t exist yet, I suspect one will exist by the end of 2016.