Managing Technology: Medical Device Security
200,000 Systems Shut Down by Ransomware Attack
In May 2017, a hacking tool was used to gain access to 200,000 Windows systems in hospitals. The attack affected a Bayer Medrad medical device that improves medical imaging for radiology equipment. The device delivers a contrast agent to patients receiving MRI scans, to facilitate the detection of strokes, brain trauma, tumors, and similar conditions.
The coordinated attack left the device unusable for a period of time, until Bayer distributed a Microsoft patch to remedy the problem. Although the ransomware attack did not directly affect patient health, it delayed care to patients. Poor medical device security can cause serious problems. Devices such as blood glucose monitors, heart monitors, COPD inhalers, or a heart rate variability monitor used for stress and other behavioral issues can all be connected to the internet, making them vulnerable to cyberattacks.
Medical Device Security and HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) enacted in 1996 requires organizations working in healthcare, including behavioral health practices, to have safeguards in place securing protected health information (PHI). To adequately safeguard PHI, medical device security is imperative. Many medical devices connect to healthcare networks, posing a cybersecurity risk.
As such, the Food and Drug Administration (FDA) recently released guidance for medical device manufacturers to increase cybersecurity. The FDA requires medical device manufacturers to submit a ‘Cybersecurity Bill of Materials’ during premarket review. Within the document, manufacturers must include a list of areas in which the device may be vulnerable.
Although this may limit attacks on new devices, devices released to market before the new guidance continue to be vulnerable. Some of these vulnerabilities can be addressed with software patches; however, it may be necessary to recall some older devices.
Behavioral health practices handle protected health information (PHI) regularly, and as such, must take precautions to safeguard this sensitive information. The Department of Health and Human Services (HHS) recommends ten practices that anyone handling PHI needs to implement, the tenth of which is medical device security. (Each of these XI HIPAA-outlined practices will be examined in its own article, labeled Part I through XI for your convenience.)
This is Part X of the XI-part blog series. You can also read Parts I to IX below:
- Phishing Emails and Why Encryption Software is Warranted
- Using Clinical Email (Part II): Secured Email Protection Systems
- Securing your Network (Part III): Endpoint Protection Systems
- Limiting PHI Exposure (Part IV): Access Management
- Data Protection (Part V): Data Loss Prevention
- HIPAA Asset Management (Part VI)
- Network Management (Part VII)
- Vulnerability Management (Part VIII)
- Incident Response (Part IX)
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company, or individual.