A recent cybersecurity exploit known as “MedJack” enables hackers to inject malware into internet-connected medical devices, including CT scanners, MRI machines, and other monitors and equipment that track and record a patient’s vital signs. That malware then propagates through a medical center’s network to harvest patient medical and billing information. Hackers can then use this data to file fraudulent tax returns and to steal patients’ identities. Hackers who gain access to prescription medication information can use that data to order medicine that they then resell on the dark web.
This scenario is far more the rule than the exception. As the Internet of Things (IoT) revolution has become fully absorbed into the modern healthcare environment, hackers have jumped into the fray to take advantage of the weaknesses inherent in healthcare IoT devices. Industry analysts expect the IoT medical device market to grow to more than $117 billion by 2020. The proliferation of IoT devices will attract more interest from hackers, who will continue to see those devices as easy targets unless healthcare IoT device manufacturers and medical centers take proactive steps to improve their IoT cybersecurity.
The benefits of healthcare IoT devices are beyond dispute, but consumers are at more of a disadvantage in protecting their own personal cybersecurity in the healthcare market than in other commercial areas. Consumers can generally choose the companies they buy from and the products they buy, and can direct their purchases to companies and products with a better cybersecurity record. Consumers do not have this choice in the healthcare market. Physicians use and recommend IoT devices for their diagnostic capabilities with little concern for cybersecurity, and patients have no option but to accept those recommendations.
Cybersecurity experts recommend a four-step pathway toward improving healthcare IoT cybersecurity:
Incident response plans. Medical centers are often ill-prepared to respond to cyberattacks and, lacking a plan, end up capitulating to a hacker’s demands. The Hollywood Presbyterian Medical Center was struck by a ransomware attack in 2016 and paid hackers more than $16,000 to recover its data and systems. Rather than being caught unprepared, healthcare facilities should formulate a loss and mitigation plan that allows them to recover without having to deal with the hackers at all.
Data backup and recovery. Measures to recover data and operations are a critical part of any incident response plan. Ransomware is a growing problem for medical centers, and healthcare IoT devices have few, if any, barriers against hackers who use them to deploy ransom-demanding malware into a medical center’s information technology networks. A robust system and data backup and recovery plan would allow a medical center to get back online without paying any ransom.
Stress tests. Every firewall, anti-virus system, and network defensive strategy has its weaknesses. Those weaknesses multiply as more healthcare IoT devices are added to an environment that may already have several flaws. Healthcare information systems and networks should be tested on a regular basis by skilled technicians, and any security holes found should be patched quickly to avoid future problems.
Contingency preparation. The best plans can be derailed by sudden personnel changes and by the addition of new IoT devices to a network. A cybersecurity plan is never static; it needs to change as the healthcare environment is updated and improved.
A good healthcare cybersecurity insurance policy is the final backstop for every medical center that uses IoT devices. The fines, costs, and expenses that a medical center can face following a cybersecurity breach are anything but trivial. An Illinois healthcare system, for example, paid a fine of more than $5.5 million following a theft of confidential patient information. Healthcare cybersecurity insurance can help a medical center absorb a loss of this magnitude and continue to provide necessary medical care to its patient population.