News Feature | March 30, 2016

Your Clients Might Be Protecting The Wrong Data

By Megan Williams, contributing writer

If your clients are prioritizing the protection of patient data above all else, they may actually be putting their patients’ health at risk.

How do your clients prioritize their data protection? If they’re guided by happenings in the news, they likely (and reasonably) place a high value on the protection of their patients’ data. However, according to a recent Independent Survey Evaluators (ISE) survey, a side effect of that choice may be leaving medical devices and electronic work orders vulnerable to cyber criminals.

While these access points don’t necessarily yield as much monetarily valuable patient data, they do give an attacker a direct way to change a patient’s treatment and, thereby, their well-being.

The Study

According to Healthcare IT News, ISE looked at 12 separate healthcare organizations, two data facilities, two active medical devices, two Web-based applications, as well as other devices on healthcare networks. They did this over a period of two years to figure out the possibility of remote attacks and how the organizations would fare in keeping data secure.

To conduct the study, researchers separated threat vectors into three categories of “attack surfaces” (primary, secondary, and tertiary), focusing on exposure threats to patient health over patient data. The surfaces broke down as follows:

  • primary: active medical devices, clinicians, medicine, and surgery
  • secondary: work orders, passive medical devices, EHRs, and test results
  • tertiary: physical storage, connected power, barcode scanners, climate controls

The report also highlights the fact that many of the systems that get forgotten during prevention initiatives have “direct consequences with regard to patient health.”

Opportunities For Vendors

The overall findings were grim, with the hospitals using outdated network designs. They were also generally unsure which technologies would be effective in helping them address the issue. The authors specifically implicate choices in vendor products, writing, “We found hospitals were antiquated in their network designs and unsure about the technologies that could effectively help them. In many cases, vendor products purchased for a security purpose were inappropriate for the organization, and those systems that were appropriate were deployed incorrectly, all resulting in heavy waste while not achieving an improvement in security posture.”

The survey also highlights the fact that health leaders too often ignored hacker strategies and motives, focusing on “unsophisticated threats” and leaving cyber attackers open access to information systems. Ted Harrington, executive partner at ISE, and a leader of the study, said, “Security vulnerabilities in healthcare are a result of systemic business failures. We found egregious business shortcomings in every hospital, including insufficient funding, insufficient staffing, insufficient training, lack of policy, lack of network awareness, and many more.”

More than any result in the study, these findings illuminate areas for vendor education and business development, especially in regard to the intersection of data security and patient well-being.