The document summarizes the increasing issue of cyber attacks on hospitals. It notes that in 2014, 40% of healthcare organizations reported malware attacks, increasing to 90% in 2015. The rise in attacks is linked to the transition to electronic medical records, though healthcare lags in cybersecurity. Stolen medical data is 10 times more valuable than credit cards on the black market. Many hospitals still lack basic security protections like antivirus software and encryption. To better secure outdated medical devices, the document proposes moving to a leasing model where devices are constantly updated.
2. Disclaimer
My views are my own and do not reflect those of the medical device
manufacturer or academic institution that employs me
3. Healthcare in the News
http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
4. Hospital Hacks on the Rise
• In 2014, 40 percent of healthcare organizations reported being
attacked by malware designed to steal data.
• In 2015 the stats are closer to 90 percent.
• In August 2015, Websense reported a 600 percent increase in
cyber attacks on hospitals over the previous 10 months.
• Under federal law, hospitals are only required to report potential
medical data breaches involving more than 500 people.
http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
https://www.technologyreview.com/s/533631/2015-could-be-the-year-of-the-hospital-hack/
http://www.insurancejournal.com/news/national/2015/05/07/367165.htm
5. Why the Increase in Attacks?
• Medical organizations across the world are switching to electronic
medical records, and computer security is not always a high priority.
• Health care providers in the US have a monetary incentive to switch
to digital medical records under The Health Information Technology
for Economic and Clinical Health (HITECH) Act.
• But with all of this progress the healthcare sector is "woefully
behind" in terms of cyber preparedness. - Forrester Analyst
Stephanie Balaouras
https://www.technologyreview.com/s/533631/2015-could-be-the-year-of-the-hospital-hack/
http://www.medicalrecords.com/physicians/the-national-digital-medical-records-mandate-arra
http://blog.trendmicro.com/why-is-the-health-care-industry-so-behind-on-cyber-security-part-1-of-2/
6. Incentives for Attackers?
• Experts at Reuters suggest that medical information is 10 times
more valuable than a credit card number on the black market.
• Hackers use stolen data to create fake IDs to buy medical
equipment or drugs that they can resell.
• Hackers also may use a patient number with a false provider
number to file fraudulent claims with payers.
• The average patient interacts with 10 medical devices on each
hospital visit (each device stores patient data)
http://www.beckershospitalreview.com/healthcare-information-technology/medical-records-10x-more-valuable-to-hackers-than-c
https://www.youtube.com/watch?v=EyqwUFJKZo0
7. 2016 HIMSS Report
• 14% of medical facilities reported using no antimalware/antivirus
• 19.3% of medical facilities reported using no firewall
• 36% of medical facilities reported not encrypting data in transit
• 41.3% of medical facilities reported having no patch management system
• 46% of medical facilities reported using no intrusion detection
• 60.7% of medical facilities don’t utilize multifactor authentication
http://www.himss.org/sites/himssorg/files/2016-cybersecurity-report.pdf
8. 2017 HIMSS Report
• 38% of medical facilities reported penetration testing yearly
• 51% of medical facilities reported completing a cybersecurity risk
assessment once a year
• 71% of medical facilities reported allocating a percentage of their
yearly budget specifically to cybersecurity
• 82% of medical facilities reported specifically allocating funding to
training employees in cybersecurity concepts
• 88% of medical facilities reported completing cybersecurity risk
assessments on third party products
http://www.himss.org/2017-himss-cybersecurity-survey
9. The Average Age of Medical Devices
2003
http://cocir.org/fileadmin/Publications_2003/ageprofile2003.pdf
11. …but Everything is Better Now
The average age of a medical device in the
US in 2016 was 4.7 years old
https://www.beckershospitalreview.com/supply-chain/medical-equipment-hits-oldest-average-age-since-1945.html
12. Question
How do you secure a medical device that has a 15-year shelf life whose
embedded operating system will be out of date in 3 years…?
13. Defense in Depth
• Multi-layered approach to security
• Uses several independent methods
• Includes physical, technical and administrative
controls
• Doesn’t prevent an attack but slows an
attacker’s advance, which allows for detection &
response
14. The Leasing Model
We move to a leasing model where medical device manufacturers are
constantly updating hospitals’ medical devices to the latest and greatest,
most secure platform