HIPAA Compliance Also Means Securing Medical Devices

HIPAA security violations have led to large fines against care providers, levied by the Department of Health and Human Services. Here are just a few recent examples:

  • Memorial Healthcare System in Hollywood, Florida reportedly agreed to a $5.5 million settlement over potential HIPAA violations.
  • Children’s Medical Center of Dallas faced a $3.2 million fine after years of alleged non-compliance.
  • St. Elizabeth’s Medical Center in Brighton, Massachusetts received a $218,400 fine.

People tend to think of security in terms of a server, a web site, or unencrypted data sitting on a laptop that is stolen. Even then, according to an HIMSS Analytics survey undertaken for telecommunications company Level 3 Communications, only a third of healthcare providers are “very concerned” about the prospect of a security breach affecting patient care.

But there’s another major weakness that gets less attention: medical devices.

According to technology vendor Cisco, the issue of securing medical devices in hospitals is, to varying degrees, seen as a concern by hospital CIOs and chief information security officers. The problem isn’t theoretical.

Back in January, the FDA alleged that a cardiovascular device had cybersecurity vulnerabilities. Someone could in theory electronically break into the device and run down the battery, leading to incorrect pacing.

In general, intelligent devices — often referred to as IoT, or Internet of Things devices — that report data back to some analytics system, or that permit remote operations, have shown some inherent security problems. For example, it is possible for someone to break into certain Wi-Fi enabled kitchen appliances and, in turn, steal photos from the owner’s phone and track their movements.

A hospital is full of intelligent devices. Anything with built-in monitoring that is connected to information infrastructure is a potential vulnerability because it is an entry point that is trusted by the network. Someone who wants to break into an organization’s systems, once connected to the network through a device, looks for common technical flaws to exploit for access to data and control.

As Cisco points out, the problem with securing medical devices is rapidly growing, as “the number of medical devices employed in the delivery of care to patients is currently growing at almost twenty percent per annum globally.” The growth rate is also increasing, many of the devices have no built-in security, and the normal anti-virus and anti-malware tools don’t necessarily work.

Executives and managers at provider organizations need to recognize the danger represented by medical device security, understand the implications for their specific operation, and take the necessary steps.
