September was a busy month for significant reports about the state of healthcare information security.
More than 1.8 million medical ID theft victims last year
That’s a 19% increase over 2012’s results, according to the 2013 Survey on Medical Identity Theft conducted by the Ponemon Institute (published September 2013; survey fielded June 2013). The survey defined medical identity theft as a person using an individual’s name or personal identity “to fraudulently receive medical service, prescription drugs and goods, including attempts to commit fraudulent billing.”
One of the biggest contributors to the increase was fake or spoofed medical websites and spam emails. The share of medical identity theft victims who reported that cyber theft contributed to their troubles doubled, from 4% in 2012 to 8% this year. Spear phishing specifically targeting medical ID theft has gone up significantly. This is not the ‘Buy Viagra here’ email but an authentic-looking email that appears to come from a provider.
A Deloitte report (September 2013) confirms that healthcare organizations are in various stages of mitigating the risks created by networked medical devices (patient monitors, infusion pumps, ventilators, pacemakers, imaging devices, etc.). Deloitte interviewed security leadership at nine large healthcare systems. Universally, they said that their organizations, and the industry as a whole, have a long way to go and that they need more cooperation from device manufacturers.
The FDA released guidance in June on the “content of premarket submissions for management of cyber security in medical devices.” The guidance suggested that device makers incorporate security features into their products to limit access to only trusted users and trusted content, and to use fail-safe and recovery devices. They want manufacturers to consider threats like hacking, malware and other vulnerabilities in the device’s software, and to work with providers on addressable scenarios. This is certainly an area of importance for both providers and device manufacturers. Remember all the wrangling with PCI and those payment devices? Granted, the FDA guidance is a recommendation and not a regulation like PCI, so there is reluctance to include security measures in purchasing contracts.
The other issue hospitals face is trying to secure older proprietary devices. They are closed systems, so scanning them for vulnerabilities is extremely difficult. Many of them run on older operating systems with known vulnerabilities, and FDA regulations and restrictions make it very expensive for manufacturers to correct these problems.
Deloitte qualified where the organizations stood in several areas of InfoSec. These included: organizational leadership, risk framework, identification and evaluation, data flow, vulnerability management, vendor agreements, and manufacturer engagement. If you don’t want to download the entire report, HERE is a pretty good summary of the points above.
Although they haven’t issued a report recently, there’s another good source of information about medical devices: subscribe to the medical device newsletter at the ECRI Institute.