First, do no harm: Medical devices
The health care field is getting a lot more mature, says Barry Caplin, CISO, Fairview Health Services.
The broad surround of digital technology that supports modern medicine wasn't supposed to end up this way: hijacked by rampant concerns about maintaining privacy and even ensuring the safety of care. But medical “informatics” has proven to have a double edge. It can save patients' lives while simultaneously putting them at risk, as they must manage the long-term effects of their very personal information seeping into the hands of bad actors. By some accounts, hackers now consider medical data to be more valuable than credit card data, a calculation that is driving information theft at hospitals, clinics and insurance companies. And while it has made great strides, the health care industry still lags in some technology and information safeguards.
“A typical health care provider has four to five times as many smart devices as it has traditional computers and that spread is increasing,” says Barry Caplin, VP and CISO at Fairview Health Services, a complex of hospitals and medical organizations with some 22,000 employees in the Minneapolis area. And to a greater extent than in almost any other field, the users in health care are highly educated and know exactly what they need. “They know what they want and we have to deliver it for them because patient care comes first.”
Medical devices represent another challenge. Ranging from implanted insulin pumps to giant MRI machines, they, with few exceptions, were conceived and fielded with little or no thought given to security, prompting deep concerns not only about privacy but even safety. Indeed, the computer security advocacy group, I Am the Cavalry, recently issued calls for a cybersecurity “Hippocratic Oath” to help improve practices.
Experts consulted for this story:
Barry Caplin, VP, CISO, Fairview Health Services
Eric Chiu, president and co-founder, HyTrust
Russell Jones, partner, cyber risk services group, Deloitte
Mike Meikle, CEO, Hawkthorne Group
Jovan Miladinovic, acting CISO, Toronto Public Health
Katie Moussouris, chief policy officer, HackerOne
Suzanne Schwartz, associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in the FDA's Center for Devices and Radiological Health
Chris Sherman, analyst, Forrester Research
Fortunately, observers see basic strengths in the HIPAA infrastructure to deal with garden-variety data loss and, on the device side, a positive formulation for action has emerged in new FDA device guidance. But those positives must be weighed against a host of worrisome facts.
For example, according to a survey sponsored by Bitglass, a data protection company based in Campbell, Calif., there was an 80 percent increase in data breach hacks in 2015 across the U.S. According to the “Bitglass 2016 Health Care Breach Report,” when protected health information (PHI) – including Social Security numbers, medical record data and date of birth – is purloined, it is far more costly than ordinary data thefts. The survey cites a recent Ponemon Institute report that found the average cost per lost or stolen record to be $154 overall, but $363 on average for health care organizations. Large-scale attacks alone compromised the records of more than 10 million individuals in 2015.
On the device side, the sad fact is that the world is awash in insecure “legacy” medical equipment, says Jay Radcliffe, a medical device cybersecurity researcher at Rapid7, a data security analytics firm based in Boston. Radcliffe underscored this on the stage of Black Hat in 2011 when he hacked his own insulin pump, revealing the potentially life-threatening nature of poor security practices.
Fairview's Caplin deals with these issues on a daily basis and contends when it comes to medical information security, the attacker has the advantage. “They only need one way in, while the defender has to protect all ways in,” he says. “So the key to finding some kind of success is finding the right balance between prevention and control.”
In all areas, health care has been late to the table compared to financial services and other industries, he says. Everyone is playing catch-up, but it's not easy. “Health care is a very different business that has become very expensive and very low margin. The costs to provide care are up and reimbursements are down,” he says. Therefore, in the health care field, money for security is hard-fought.
But, Caplin says, the good news is that the health care field is getting a lot more mature. “One thing I find is that we have a fantastic health care security community, at least here in Minnesota, and folks are very willing to share information,” he says.
Like Radcliffe, he sees problems with devices and with the whole spectrum of Internet of Things (IoT) adoption. At Fairview, that encompasses everything from smart refrigerators to smart lighting that is becoming part of the treatment and recovery process.