Health Standards

Healthcare & Technology Resources

HIPAA, Security, and Your Devices

May 29, 2014 By Deepika Patel

It’s a scary world out there when you think of hackers getting access to your bank accounts, email, or social media sites. It’s quite another thought when hackers get access to medical devices and wreak havoc. It almost sounds like something we would see in a movie, like “The Net.”

Oh, let’s talk about “The Net”… For those of you who haven’t seen this movie, obviously, spoilers ahead. For those of you who saw that movie and don’t quite remember, here is a quick summary: Sandra Bullock is a systems analyst who gets herself into a sticky spot by seeing something she isn’t supposed to see. Fast forward to a scene in a hospital with Sandra and her psychiatrist. The psychiatrist is placed into the hospital due to an allergic reaction to penicillin.

Sandra leaves the hospital and comes back a few hours later. When she enters the hospital, she sees alarms going off in her psychiatrist’s room. She attempts to get into the room and is promptly escorted out. Her psychiatrist dies a few minutes after revival attempts. After Sandra inquires about the death, she is told it is due to insulin shock since he was checked in for diabetes treatment. At this point, Sandra has a heated discussion about why this is not correct and leaves the facility.

Let’s take a step back. This movie came out in 1995. However, this very scene, which is portrayed in many ways in many movies, books, and television shows, has many implications that exist today.

Last month, Wired published the article “It’s Insanely Easy to Hack Hospital Equipment,” which discussed a two-year-old study in which a team led by Scott Erven found that most medical devices could be manipulated remotely to change settings in ways that could prove detrimental or deadly to a patient.

Last year, a briefing at a Black Hat hacker’s convention showed how insulin pumps can be stimulated to give more insulin or no insulin just by switching batteries. Another presentation was scheduled to discuss “how to kill a man at 30 feet by hacking his pacemaker.”

Stories that you only expect to see on television shows, in books, or movies are gradually becoming reality. You might be thinking to yourself that maybe hackers would have to get access to the hospital network to get and exploit sensitive information like this. This, however, is also far from reality.

These days, medical records sell for roughly $60 on the black market, which opens up a whole new set of issues to deal with besides manipulating devices, such as fraud. The Wall Street Journal did a basic search and was able to locate patient information on 4shared.com.

So if this behavior is becoming more rampant, what is being done to mitigate this? These types of conversations have been occurring on and off for the past decade. The Military Health System started first in 2008 by releasing the DOD Information Assurance Certification and Accreditation Process (DIACAP) to help stay in compliance with the Federal Information Security Management Act, but other groups remained stagnant. For more info see: Who’s Hacking Your PACS?

In 2012, the main problem was stated by John Halamka, CIO at BIDMC:

I can’t update them, and the manufacturers aren’t updating them, so they can become vectors for malware.

The Government Accountability Office released a report that same year stating that the “FDA should expand its consideration of information security for certain types of devices.”

After eight months, the FDA reached out to manufacturers, hospitals, and many other types of audiences to address vulnerabilities that could be exploited by hackers or viruses, and provided guidance via a cybersecurity clause that allows a post-market device to be patched without requiring re-certification.

Meaningful Use is the word around the health care vine, and it’s meant to make sure the information being captured is “meaningful” and quality data. We expect that this quality data, our protected health information (PHI) that we entrust to providers, is safe and secure as well. It takes work and testing, but the end result is comfort in knowing that your care is being taken care of and safeguarded.

So what does that mean for the rest of us? We had some idea that this type of situation could potentially occur, but maybe never realized how bad it has become. What are the next steps that we need to take?

This is something we all need to think about for the future and work as a team to make life easier and hopefully better. You decide!

Deepika Patel

PACS Regional Coordinator
Deepika Patel, MBA, is a certified radiologic technologist who has extensive experience as a clinical systems analyst, working directly with all clinical departments, interdisciplinary teams, and private practices. She also previously worked as a PACS administrator team lead and is CPHIMS certified. "The views and opinions expressed in this blog are Deepika's and are subject to change. They are not necessarily representative of the views and opinions of my current and past employers and/or other organizations that she works with."
