By Matt Murren
With recent advances in miniaturization, AI-based automated diagnoses, and cloud-based communication, the industry has reached a point where physicians can assess post-operative orthopedic patients using telemetry data—and is not so far from when pregnant patients will be able to perform wellness checks at home with a handheld ultrasound. These and other scenarios fall under the umbrella of “remote patient monitoring,” or RPM, an area with the potential to address longstanding problems related to healthcare access and quality.
Along with these prospective benefits come potential risks. Hospitals and clinical groups must decide now—before RPM becomes the norm—how to select, coordinate, secure, and maintain the devices their patients will use to monitor their health outside the walls of the clinic. This means creating the structures of ownership, accountability, and privacy to ensure that RPM-based medicine fulfils its promise for patients and providers without sacrificing their privacy or safety.
To guide their planning, leaders need to be aware of the cybersecurity vulnerabilities introduced by RPM. Here are fourof the most pressing risks:
1. Denial-of-Service (DoS) Attack
A denial-of-service attack disrupts the ability of a remote medical device—like a pulse oximeter or heart monitor—to communicate to its network. These attacks can also target the network itself, including any servers that act as mid-points between the main network and the remote devices. Attacks like these threaten the continuity of care for the patient being monitored, but their goal is simply to extract a ransom: the attackers can shut down communication until they get what they want, then turn it back on when they get their payment (or “stop”).
The way a DoS attack works is by flooding the network or the devices with so many illegitimate requests that they cause a system outage, preventing the flow of information to and from legitimate users. While biomedical engineers typically do not control the network, they may be some of the first responders to recognize that a DoS attack is taking place, as they can’t get the specific security alerts they need to monitor their equipment.
2. Data Theft (Patient Side)
Cyberattackers typically go after patient data like social security numbers and identification information to later sell it. While that specific information is not transmitted to or from remote patient monitoring devices, the biometric data that is transmitted is still considered patient data—and is thus subject to protection by the clinic or hospital and regulation under HIPAA.
The risk here, then, is that hospitals and clinics are expanding their vulnerability to data breaches and regulatory fines without also expanding their protections. All of the firewalls and antivirus software and endpoint protections that safeguard data within the walls of the clinic are largely or totally absent from patient’s homes. Through RPM, then, clinic or hospital dramatically increases their exposure to data breaches or system impact for which they may be held responsible by regulators.
3. Data Theft (Business/Institutional Side)
The same risk of data theft extends beyond patient data to the hospital’s business data as well. While cyberattackers might target patient data through a patient’s home Internet access point, they may also, instead, seek to infiltrate the clinic’s system at the point where the remote monitoring device connects to the institution. If this infiltration is successful, and depending on how the network is configured, this might enable direct theft of critical business data. A more likely scenario is that it serves as an entry point for ransomware.
The worldwide 2017 WannaCry attack, for instance, impacted data well beyond patients’ demographic or personal health information. In the U.K., the ransomware escalated through 34 hospital trusts, infecting all their digital systems (including medical devices like MRI scanners). An additional 40 hospital trusts shut down their email and digital systems as a precaution, which led to canceled appointments, postponed procedures, and other disruptions to care.[i] Ambulances headed to five of the infected hospitals had to be rerouted to find acute care elsewhere.[ii]
4. Therapy Manipulation (or “Killware”)
A DoS attack is by far the most pressing vulnerability for RPM, with data theft and network infiltration second and third on the list. However, there is another risk that, while is less likely to occur, is more disturbing than the more common risks: the possibility that someone outside the clinic will manipulate the connected medical equipment or therapy in order to cause harm.
Devices like drug infusion pumps, pacemakers, and vital sign monitors may send biometric data from the patient to a system for diagnosis and subsequent therapy. If that therapy is altered in some way—a drug dose is tripled, say, or an implantable cardioverter-defibrillator is made to jolt the heart inappropriately—it can directly threaten the patient’s health. The term “killware” has been coined to describe these unsettling scenarios.
While both the term and the concept may seem sensationalized, the flaws in RPM connections and the code necessary to alter remote therapies have been proven. One such vulnerability was the subject of a 2021 Department of Health and Human Service’s high priority alert, which instructed healthcare organizations to assess and protect certain versions of Apache Log4j, an open-source logging library used in services, software, and applications across the industry. Recognizing that medical device manufacturers also rely on Log4j, the Food and Drug Administration directed a second high priority alert to them.
Even if such weaknesses exist, why would a cyberattacker want to cause personal harm to a random individual? For the same reason as the rest of these scenarios: the attacker wants a payout. If a group claims to have infiltrated 10,000 patient medical devices, they could prove it by altering the therapy of one patient—a killware scenario—and then proceed to demand their payment. Just like a DoS attack or virus-based attack, killware threatens the organization’s operations, reputation, or both.
Addressing the New Risks
- Assessment
The first step in addressing any new risk is to assess its likelihood and specific impact. Its advised that clinics and hospitals use a criticality matrix to perform this assessment. In terms of connected medical devices, or RPM in general, a matrix like this will judge, from low to high, how the risk at hand will affect patient safety and continuity of care. This inquiry considers the sensitivity of the device’s data, the possible harms of its manipulation, its clinical use and application, and the networks it could compromise if it were to be attacked.
There is a sizeable distinction between the harm posed by a compromised blood glucose monitor versus that of an implantable defibrillator, for instance—including the fact that if the glucose monitor is down, there is a simple alternative that fulfills the same function (blood strips, in this case). If the device is used for remote diagnostics, the clinical impact of it being untrustworthy or non-operational should be factored into the assessment. A final factor is whether the device could leave open a path to the EHR or other system critical to clinical or business operations.
- Contracting and Risk Evaluation
If this assessment takes place before a remote medical device is adopted, there’s room to negotiate with the vendor to share responsibility for protecting it. Contracts with these vendors should clarify expectations for their security posture, compliance, ongoing monitoring capabilities—and should also lay out the assignment of liability in the case of harm. Hospitals and clinics probably already have a number of these RPM relationships in place, however, so assessing the various devices holistically along the criticality matrix remains important for prioritizing cybersecurity resources.
- Disaster Planning
With entire business models depending on the collection and transmission of RPM-based information, a plan B for device downtime must be established. What information will be communicated to the affected patients? What’s the severity of the downtime—can the existing devices be restored, or will patients receive entirely new devices? Thousands of linked devices might be scattered across hundreds of miles, so the logistics of restoration or replacement must be considered thoroughly.
An excellent framework is available to support hospitals in this new aspect of disaster planning. In 2021, the International Electrochemical Commission (IEC) updated cyber security standard IEC 80001-1, which “defines the roles, responsibilities and activities that are necessary for the risk management of IT-networks incorporating medical devices.”[iii] Even with this guidance available, however, many hospital’s IT departments will not have the time or resources to take on the burden of monitoring themselves—and other clinics won’t have a dedicated IT department to begin with.
- Enlisting external support
Third-party companies have emerged to fill this need. Some of these companies may provision connected medical devices and help determine how they should be integrated in the existing network, but they will all monitor security alerts and manufacturer sites for new vulnerabilities and address these with patches or fixes.
Conclusion
With the expanded access and increased ease of RPM medicine comes greater exposure to cyberattacks. With so much at stake, clinics and hospitals will need to think proactively and strategically about integrating and protecting these new technologies.
Sources
[ii] https://www.nature.com/articles/s41746-019-0161-6
[iii] https://www.iec.ch/blog/cyber-security-connected-medical-devices
Matt Murren is the CEO and co-founder of True North ITG, a Healthcare IT and Cloud Service Provider helping business stakeholders improve their bottom line with IT and Cloud services. Questions and comments can be directed to 24×7 Magazine chief editor Keri Forsythe-Stephens at [email protected].