Why is cyber security in healthcare important?
As the clinical benefits of a digital healthcare system unfold and spread throughout the world, securing healthcare systems and patient information has never been more important, especially in the face of growing cyber-security threats and attacks.
In the healthcare industry today, demand for connected devices is driven by the increasing utilisation of patient data—not only for incorporation into the patient’s health record, but also in the diagnosis process. Connected devices can also communicate with systems capable of remotely programming them to perform specific tasks. Many regulations and stimulus packages have driven the adoption of connected devices that can integrate with healthcare information systems, in addition to interoperating with other devices.
However, the rise in the use of devices capable of wireless integration with external systems has also resulted in escalating cyber-security risks. In fact, the healthcare market is viewed as being among the most vulnerable of industries to cyber-attacks, an enticing target to hackers who see sizable financial gain in stealing patient information. These concerns have resulted in greater focus being directed toward ensuring the security of connected medical systems.
Vulnerabilities laid open in breaches
Medical devices and healthcare systems have three primary vulnerabilities: weak administrative credentials, software vulnerabilities, and data transmission that is often unencrypted. With the rise in use of digital systems, a pronounced increase in the number of data breaches in healthcare systems has also been reported.
Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Breach Notification Rule, as laid out in 45 CFR §§ 164.400-414, requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. As of 4th May 2018, close to 100 breaches, each affecting 500 individuals or more, have been reported to the Office of the US Secretary of Health and Human Services. In Europe, the task of collecting and analysing data on security incidents, as well as evaluating emerging risks, falls to the European Union Agency for Network and Information Security (ENISA), established in 2004.
One of the most publicized incidents of a global cyber breach was the WannaCry ransomware attack that occurred in May 2017, targeting computers that ran older versions of Microsoft Windows operating systems. During its attack, WannaCry struck more than 150 countries in one day alone, and many healthcare facilities were hit, including the National Health Service (NHS) in England. The cyber attack highlighted the vulnerability of healthcare organisations running older operating systems.
How governing bodies are tackling the issue
Several global organisations are advocating a better understanding of cyber-security risks faced by digital healthcare systems. Bodies like the US Food and Drug Administration (FDA) and the European Commission, for example, are encouraging medical device manufacturers to address these risks to help improve the security of patient health information.
In a blueprint called “Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health”, the FDA outlines how the agency hopes to encourage innovation to improve the safety of medical devices and to keep both doctors and patients more informed. The plan also cites the limitations of current tools in assessing the safety and effectiveness of devices marketed in the United States.
Specifically, the FDA highlights five action points in its plan that it hopes to improve:
As part of action point #4, the FDA will look to consider potential premarket authorities to require firms to do the following:
- “…build capability to update and patch device security into a product’s design and to provide appropriate data regarding this capability to FDA as part of the device’s premarket submission; and,
- develop a “Software Bill of Materials” that must be provided to FDA as part of a premarket submission and made available to medical device customers and users, so that they can better manage their networked assets and be aware of which devices in their inventory or use may be subject to vulnerabilities.”
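As an added illustration of what the SBOM requirement described above enables (example code written for this page, not the FDA’s or any vendor’s), the following Python matches a constructed inventory of device SBOM entries against constructed advisories to flag which networked devices may be subject to known vulnerabilities; every device name, component, version and advisory id is made up.

```python
# Added example (not from the page or the FDA): match a constructed device
# inventory of SBOM entries against constructed advisories so an asset owner
# can see which devices carry a component covered by an advisory.
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, constructed for this example
    component: str     # component name the advisory covers
    fixed_in: str      # versions below this are treated as affected


def parse_version(v: str) -> tuple:
    """Turn '3.10.2' into (3, 10, 2) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))


def is_affected(comp: Component, adv: Advisory) -> bool:
    """True when the component is the advised one and older than the fixed version."""
    return comp.name == adv.component and parse_version(comp.version) < parse_version(adv.fixed_in)


def find_exposed_devices(inventory: dict, advisories: list) -> list:
    """Return (device, 'component version', advisory_id) for every SBOM entry an advisory covers."""
    hits = []
    for device, components in inventory.items():
        for comp in components:
            for adv in advisories:
                if is_affected(comp, adv):
                    hits.append((device, f"{comp.name} {comp.version}", adv.advisory_id))
    return hits


# Constructed sample data: two pumps and a monitor with simplified SBOMs.
INVENTORY = {
    "infusion-pump-01": [Component("embedded-os", "3.1.2"), Component("tls-lib", "1.0.1")],
    "infusion-pump-02": [Component("embedded-os", "3.2.0"), Component("tls-lib", "1.0.2")],
    "patient-monitor-07": [Component("embedded-os", "2.9.9"), Component("http-server", "4.0.0")],
}
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "tls-lib", fixed_in="1.0.2"),
    Advisory("ADV-EXAMPLE-002", "embedded-os", fixed_in="3.0.0"),
]

if __name__ == "__main__":
    for device, comp, adv in find_exposed_devices(INVENTORY, ADVISORIES):
        print(f"{device}: {comp} affected by {adv}")
```

Only the first pump (old tls-lib) and the monitor (old embedded-os) are flagged; the second pump already runs the fixed versions.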
Further to this, the FDA has also updated the president’s FY2019 budget to enable the development of a CyberMed Safety (Expert) Analysis Board (CYMSAB) to serve as a resource to device manufacturers and the FDA.
For the European Union (EU), the General Data Protection Regulation (GDPR) seeks to strengthen and unify data protection for all individuals within the EU. Taking effect on 25th May, the GDPR imposes fines on companies found in violation of up to 4% of their annual global turnover or EUR20 million, whichever is greater. The regulation applies to all companies processing and holding the personal data of EU residents, regardless of where the company is located. As part of the regulation, consent must be clear and distinguishable from other matters; provided in an intelligible and easily accessible form, using clear and plain language; and subject to being withdrawn with the same ease as it is given.
In England, the NHS has set aside a budget of GBP150 million to strengthen its defence systems against cyber attacks following the WannaCry incident, including updating the Microsoft software packages used by the country’s health agencies with the most recent security settings. The NHS has also made significant efforts to ensure compliance with GDPR once it is in effect.
In Australia, as part of the Privacy Act of 1988, the Notifiable Data Breaches (NDB) scheme requires entities that utilise personal information to notify individuals in the event of a data breach likely to result in serious harm. Under the Australian law, organisations with a turnover of more than AUD3 million, as well as Commonwealth government agencies, must notify both the privacy commissioner and the individuals affected by a data breach. The new laws were enforceable beginning 22nd February of this year, with civil penalties for non-compliance of up to AUD360,000 for individuals and AUD1.8 million for corporate bodies. In its first quarterly report on data breach notifications received under the NDB scheme, the Office of the Australian Information Commissioner (OAIC) reported receiving 63 notifications during the first six weeks of the NDB’s operation. Health service providers accounted for 24% of the breaches occurring during this time.
How regulations will affect medical device manufacturers
With tighter regulations in place on the utilisation of patient information and the storage of data in North America, Europe, and Asia, manufacturers are becoming more aware of their role and involvement. Manufacturers will be responsible for ensuring that data is encrypted and that, should any breaches occur, software updates are deployed within a reasonable time. As regulations expand globally, software development as an area will also be more closely scrutinised. Furthermore, manufacturers will share responsibility with healthcare providers for ensuring that patient information is protected to the highest level of security. Consent must also be clearly given by patients before any data is collected from them.
The US non-profit organisation Healthcare Information and Management Systems Society (HIMSS) has set up the HIMSS Healthcare Cybersecurity Community to help guide healthcare manufacturers and organisations in navigating thorny security issues. Advice and guidance come from thought leaders in the healthcare industry.
For its part, the National Cybersecurity Centre of Excellence (NCCoE)—a part of the National Institute of Standards and Technology (NIST)—last year released an initial draft of a cyber-security guide, “Securing Wireless Infusion Pumps in Healthcare Delivery Organisations”, in collaboration with leading healthcare vendors of pumps. The guide, which aims to improve the security of wireless medical infusion pumps that are at risk of cyber attacks, provides best practices and guidance on how to securely configure and deploy the medical devices.
At IHS Markit, we project that similar alliances with other medical manufacturers will continue to be established across the healthcare consortium. As customers become more aware of the risks associated with the utilisation of their health data, manufacturers and healthcare providers need to provide the assurance that their customers’ health treatment regimens and health information will both remain safe from hackers and data theft. Devices will need built-in end-to-end security features to safeguard their long-term success, and more financial investment overall can be expected from medical device manufacturers to ensure that their device portfolios remain updated and secure.