Healthcare Organizations – Protect Yourself from Cyber Threats When Purchasing Devices and Equipment.


The Problem

The 2018 Verizon Data Breach Investigations Report[1] indicates that healthcare operations are rife with error and misuse, with ransomware being endemic in the healthcare industry. Meanwhile, healthcare organizations of all types and sizes (from large hospital systems, laboratories and health plans to smaller organizations, such as billing services and physician practices) are purchasing products which are integrated into their operations. When buying these products, is cybersecurity foremost in their minds?

With HIPAA[2] regulated patient data (“PHI”) being stored on photocopiers, practice management systems, test instruments, medical devices, X-ray machines and MRIs, to name a few locations, the potential harm to a healthcare organization and its patients from a cybersecurity incident is very high. Even small medical practices can have many pieces of equipment and medical devices integrated into their information system infrastructure, and therefore potentially accessible from the Internet. With that accessibility comes the potential for malware to infiltrate a system. Some malware may just be a nuisance which slows things down, while other malware can capture patient information or shut down operations. Cybersecurity vulnerabilities in these connected devices which are not addressed or remediated may serve as access points for malicious actors to enter the healthcare organization’s system.

As noted in an article in HealthITSecurity.com[3], IBM Security Sr. Threat Researcher John Kuhn indicated, “Every time a healthcare organization adds another device to its network, it is another potential point of attack.” Recent significant cybersecurity incidents include one against LabCorp, the nationwide clinical lab testing company. As a result of a “SamSam” ransomware attack in July 2018, the LabCorp network had to temporarily go offline. It has been reported that this attack resulted in SamSam encrypting thousands of systems and several hundred production servers. It is quite clear that an incident of this nature has the potential to negatively impact the healthcare of millions of patients.

In light of malware risks, what should a healthcare organization be thinking about when evaluating new equipment or devices, and what should it include in the contracts for those purchases? For medical devices subject to FDA regulation, the FDA recently issued a new Medical Device Safety Action Plan[4]. As stated in the action plan, “Although medical devices provide great benefits to patients, they also present risks.” Part of the action plan addresses cybersecurity of the devices as a patient safety concern, and the FDA requires cybersecurity to be included in product design and development. That is good to know for FDA-regulated devices being purchased, though it is not going to apply to the photocopier, fax machine or other non-regulated devices.

The Solution – Practical Steps To Minimize Cybersecurity Risk Associated with New Devices and Equipment[5]

In light of the escalating inherent risk from third-party attacks as well as insider mistakes, healthcare providers can and should get out in front of those risks when evaluating and purchasing new products. Due diligence is important in evaluating the seller and its commitment to cybersecurity protection elements in its products.

Vendor and Product Evaluation and the Purchase Process

Preventing a healthcare organization from suffering privacy breaches is an ongoing battle, which is not going away. Experts continually point out that healthcare organizations are high-priority targets of cyber thieves. By keeping up to date on cyber threats and updating security, risks can be minimized, though unfortunately not eliminated. When it comes to equipment and devices connected to an information system or network, an adequate defense starts with engaging the appropriate subject matter experts in the procurement, evaluation and contracting process.

Notice: This article is for informational purposes only, and does not constitute legal advice. If you are purchasing new equipment or devices for your healthcare organization, you should engage the services of qualified professionals to assist in helping protect your patients and business.

David Meinhard, Esq. is a licensed attorney, and Counsel with Harwood Lloyd, LLC. His legal concentration is in healthcare and data privacy law.

[1] The 11th annual Verizon report on data breaches, based on information gathered by Verizon and other contributors: https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf

[2] The Privacy & Security regulations of the Health Insurance Portability & Accountability Act

[3] https://healthitsecurity.com/features/how-evolving-healthcare-cybersecurity-threats-affect-providers

[4] www.fda.gov/downloads/AboutFDA/CentersOffices/OfficeofMedicalProductsandTobacco/CDRH/CDRHReports/UCM604690.pdf

[5] While proactively addressing cybersecurity in new purchases is important, don’t overlook proper maintenance of legacy devices which may have been designed and manufactured at a time when cybersecurity concerns were not as prevalent.

[6] National Institute of Standards and Technology