HHS report recommends standardized guidelines, regulations and a dedicated leader to combat digital health cybersecurity threats

By Heather Mack
June 05, 2017
05:04 pm
Share

There are plenty of things that hold back innovation in healthcare – regulatory requirements, slow-to-materialize financial returns and the general complexity of the industry have all made healthcare lag behind other tech-enabled fields. Nevertheless, developers and entrepreneurs have persisted, and we now find ourselves surrounded by countless digital health devices.

But with that innovation comes risk, and the latest report from the Department of Health and Human Services’s Health Care Industry Cybersecurity Task Force shows healthcare still has a ways to go to mitigating threats to patient privacy and security. While the past decade has seen significant technological evolution in healthcare, including adoption of electronic health records, digital billing and workflow documentation software, the report noted that cybersecurity efforts were not given the same level of attention.

“With this adoption and widespread use of EHRs, effort was originally placed on installing hardware and software required to earn the incentives. Unfortunately, a majority of the health care sector made financial investments in cybersecurity only in the last five years,” the report states. “At the same time, the healthcare industry connected digital systems to the internet and began to realize both the benefits and consequences that can result from that level of interconnectivity.”

For example, the report notes, devices such as smart continuous glucose monitors and insulin delivery systems can be a boon to diabetes management for both the patients and physician, but that technology opens up vulnerabilities.

“…this connectivity increases clinical dependence on technologies that support life maintaining and lifesaving operations. If these technologies are not protected, the integrity or availability of an IV pump or a radiation medicine device could be impacted and this has the potential to harm patients,” the report stated.

Things like CGMs are just one example of the many connected medical devices and automated medication delivery systems the report authors are concerned about. Most medical devices, in their originally iterations, weren’t designed to facilitate direct communication with their users, but that’s quickly becoming the expectation of smart devices.

“Therefore, securing health care data and medical devices, consumer and clinical, is essential to protecting patients and providing them with the highest level of care. This challenge is expected to increase as health care becomes more dependent upon the IoT, including non-regulated devices that may affect privacy, safety, and patient care,” the report states. “That may include such diverse products as manufacturing systems, building control systems, and wearable devices. In addition, precision medicine (which customizes treatment based on a patient’s environment, lifestyle, and genes) is likely to provide great benefits to patient care while also generating potential risks as information is shared.”

So who is responsible for ensuring cybersecurity? The report cited the recent publication of the FDA’s final guidance for manufacturers on device security as a good sign of the agency listening to patient concerns, but noted that safety and privacy are two different things. Moreover, HIPAA laws are also insufficient, the report noted, leaving the provider to deal with the gaps in cybersecurity protections. 
 
“HIPAA’s regulations focus on both privacy and security; however, medical device manufacturers may not be covered entities or business associates under HIPAA. This leaves a health care provider using a medical device with potentially greater responsibility for assuring privacy and security protections for health information created and shared by the device,” the report notes. “While many stakeholders agree that protecting against cybersecurity threats should be a shared responsibility, to date health care providers have shouldered an inordinate amount of the burden, even when actions needed to improve security in the device have been outside their control.”

That is especially compounded at smaller practices and rural hospitals, the report noted. Without information security resources to implement protections against attacks or even identify risks as they come up, such healthcare organizations are set to suffer more than larger, more technologically advanced hospitals or clinics.

“A common, yet flawed, perception is that only large organizations are the target of cyber attackers due to the volume of sensitive, confidential, or proprietary information they possess. In reality, health care organizations of all sizes are targets due to the interconnected nature of the industry and all organizations face resource constraints,” the report stated. “This is similar to a seemingly innocuous scrape on your leg that can lead to a systemic infection that jeopardizes your life.”

While there is no one method to address cyber risk, the Task Force recommended the use of the National Institute of Standards and Technology (NIST) Cybersecurity Framework to standardize risk assessment make sharing information easier while also allowing multiple stakeholders to understand the risk across different data streams. Additionally, the Task Force rallied for the creation of a cybersecurity leadership role within the HHS to “align industry-facing efforts for healthcare cybersecurity,” and to establish a requirement of federal regulatory agencies to “harmonize existing and future laws and regulations that affect healthcare industry cybersecurity.”

Tags: 
Department of Health and Human Services, Health Care Industry Cybersecurity Task Force, cybersecurity, connected medical devices

More regional news

Healthcare practitioners administering injection to patient

HealthTap enters durable medical equipment space with AeroFlow partnership

By
Anthony Vecchione
November 14, 2024
People reviewing financial data

Bluespine secures $7.2M to help self-insured employers manage medical overbilling

By
Anthony Vecchione
November 14, 2024
Person sitting at their computer drinking something out of a coffee cup

Ubie partners with PatientsLikeMe for access to AI symptom checker

By
Jessica Hagen
November 13, 2024
Share

Top Story

Healthcare practitioners administering injection to patient
HealthTap enters durable medical equipment space with AeroFlow partnership

Editor's Pick

State of digital health investment, part 1: Andreessen Horowitz
State of digital health investment, part 2: LBMC
State of digital health investment, part 3: AstraZeneca
State of digital health investment, part 4: Atropos Health
State of digital health investment, part 5: HTC Vive
State of digital health investment, part 6: Osso VR

More Stories

People reviewing financial data
Bluespine secures $7.2M to help self-insured employers manage medical overbilling
Person sitting at their computer drinking something out of a coffee cup
Ubie partners with PatientsLikeMe for access to AI symptom checker
Executives discussing business deal
Cardinal Health adds GI Alliance, Advanced Diabetes Supply Group to its portfolio
Healthcare provider and patient sitting next to each other while looking at a tablet
Society of General Internal Medicine releases position statement on genAI
Patient interacting via tablet
Rula Health, Amazon Health Services join forces to expand access to mental healthcare
Person on a computer talking and wearing glasses
Optic, Vindur Tx partner to develop effective cancer treatments and more digital health news
Healthcare provider standing beside a patient and their loved one
Babylon founder Ali Parsa launches new company Quadrivia AI
AI representation of a brain implant
Elon Musk's Neuralink rival Precision Neuroscience secures $93M