Health Informatics Cybersecurity | Main Categories of Risk

As we are at the close of this year's National Cybersecurity Awareness Month, which also marked the launch of the Healthcare.gov web site, it seems fitting to take a look at healthcare-related cybersecurity risks. Security risks are first encountered upon initial visits to Internet sites providing official or commercial information and services, and continue through engagement with providers and payers. For some patients risks extend to embedded medical devices.

Most of us will be responsible not only for our own healthcare but also that of children and/or parents who may not be capable of recognizing and avoiding security-related risks. For that reason it is incumbent on those with this responsibility to be aware of the major health care security risks, stay up to date on the evolving threat related issues, and take appropriate action when warranted.

Health informatics (or "medical informatics") is the intersection of healthcare with computer science and information science and includes computer systems used in the delivery of healthcare, medical devices, dictionaries or ontologies (such as the ICD-10 codes for diagnoses and procedures), and information systems used to assist in diagnoses, or Electronic Health Records (EHRs) used to collect and store healthcare-related information.

We are truly fortunate to live in a time when the progress in health informatics is beginning to demonstrate a positive impact on medical outcomes. However, these advances come with varying levels of risk. How you avoid, mitigate, or manage these risks varies but one caution is consistent: You are ultimately responsible for understanding and managing the security risks that you encounter. The medical community is in the early stages of a major transformation from paper to digital. The competency level among staff at medical providers, including doctors’ offices and hospitals, varies widely. When your health information or health care is at stake, do not be shy about asking questions and checking data entered into your record.

Below are what I believe to be the three main categories of risk that we must be aware of as we engage with the healthcare community.

Misleading or Malicious Healthcare Websites

Risk: Disclosure of private information that may result in identity theft, unwanted telephone calls, or email spam.

Issue: Cyber-squatters register website URLs that are similar to legitimate company or government web site URLs in the anticipation that web users will link to their site in error and be duped into disclosing private information. Typically when a new, legitimate website is planned, management will register similar sounding URLs to mitigate this. Unfortunately this was not done for Healthcare.gov and the sites Healthcare.com, Healthcare.org, Healthcare.net, Health-Care.org, Obamacare.com are all looking for your personal information. Similar problems exist on the Internet for pharmaceutical, insurance, medical equipment and other healthcare web sites.

Risk Mitigation: Beware of the threat and educate yourself with information from government or authoritative sources before providing personal information to any healthcare website.

Data Breaches

Risk: Loss or misappropriation of private information provided by you to a legitimate third party.

Issue: It is unlikely that any of us will be able to engage with the healthcare community in the future without disclosing our most private personal information. This data, if not adequately protected by those to whom we entrust it, can be used to ruin our credit, steal our property, or simply harass us with telephone calls or email related to a specific medical condition that we are now known to have. Once our private information has been compromised it is impossible to restore our privacy and we are at risk in the future for damages. Unfortunately, in my opinion, neither government nor industry have done enough to protect our private information from data breaches. There are, however, sources for information on data breaches that are available to you as a healthcare consumer:

Section 13402(e)(4) of the HITECH Act requires that breaches of health information affecting more than 500 persons be reported to the Secretary of HHS. These cases are available for review on the HHS website.

An "as-it-happens" source for general data breach incidents is provided by the website maintained by SC Magazine - the Data Breach Blog. Incidents described on the Data Breach Blog generally have useful amplifying information and you will note that breaches of health related information occur on a very frequent basis.

Risk Mitigation: Be aware of prior breaches by your healthcare provider or payer and ask questions about remedial procedures implemented to protect your information. Let them know that you are concerned and that poor security will affect their bottom line. Consider paying for a credit watch service that will proactively guard against identity theft.

Medical Device Security

Risk: Compromised medical procedures or therapies; death.

Issue: One of the risks we face with medical informatics that is not present in typical enterprise or personal IT security scenarios is actual harm to our persons through malicious interference with medical systems or devices that use wireless technologies or are directly connected to the Internet.

In June of this year, the issue was of sufficient concern to the FDA that a detailed safety communication was distributed to manufacturers and hospitals titled FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks

I recommend reading the entire notice if you are a user or candidate for a medical device, but a brief extract is provided below:

"... medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches ...

... as medical devices are increasingly interconnected, via the Internet, to hospital networks, other medical device, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates."

“... the FDA has become aware of cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations, including:

  • Network-connected/configured medical devices infected or disabled by malware;
  • The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices;
  • Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel);
  • Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models;
  • Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection.”

Risk Mitigation: Discuss your concerns with your doctor and educate yourself on brand- and product-specific issues with implanted medical devices that you or your relative may require (e.g. pacemaker, insulin infusion pump). Should you or a relative require hospitalization, voice your concerns and be as watchful about security risks as you are about improper medications. Remember that, according to the American Association for Justice, preventable medical errors are the sixth leading cause of death in the United States.

In addition to the FDA, two additional sources of information on medical device security are: