ISACA Journal
Volume 3, 2,018 

Features 

As Hospitals Get Smart, Cybersecurity Challenges Will Increase 

Justine Bone, Violet Morris and Chadwick Williamson 

Healthcare technology is at a critical juncture of rapid growth, seamless implementation and the need for constant adaptability. The practice of medicine has progressed through many technological advancements. It is startling that only 15 years ago, healthcare specialists dreamed of remotely connecting through a televised monitor to another healthcare facility’s surgical conference room to conduct a team pre-operation (pre-op) surgical planning discussion. Today, surgeons are using robotic technologies to perform life-saving procedures from abroad through a lens and monitor. Healthcare professionals are connecting to patients through call systems for improved efficiency, speed and delivering immediate care to prevent emergency situations. Hospitals discharge patients much earlier than previously and remotely monitor their health via medical devices that communicate to practitioners in real time with alerts regarding clinical changes, needs or diagnoses.

With these major advances come myriad challenges. Technological growth may be too rapid, resulting in flawed execution and imperfect interconnectivity. Healthcare systems, slow to change long-standing processes, may be resistant to the ongoing demand for adaptation. And the greater the interconnectivity of healthcare systems—a highly desirable goal that benefits patients and hospitals—the greater the likelihood of data security breaches.

Smart Hospitals: Technology Interconnected

The smart hospital Internet of Things (IoT)-enabled ecosystem is modern and forward-thinking and is changing how patients are treated and hospitals are operated. It also affects doctors, hospital administrators and even insurance companies as these interconnected systems are involved in clinical processes, management systems and infrastructure.

New, interconnected technologies benefit patients from the time they call emergency services to the end of their healthcare treatment. Technologies include pharmacy automation, patient flow solutions, secure communications, mobile asset tracking, smart rooms and improved connected medical devices. The data created are stored and shared in a cloud computing environment and analyzed using predictive analytics and artificial intelligence (AI) software. Devices feed information to a variety of people and departments, almost always over wireless infrastructure, connecting many disciplines and caregivers related to the patient’s care. This enables oversight and a team approach from ambulances, insurance providers, physician offices, hospital staff and patients requiring home healthcare to end-of-life care.

According to a 2017 survey, 76 percent of hospitals offer secure messaging via mobile devices for patients to connect with healthcare providers; 75 percent use sophisticated analytics such as predictive modeling to improve decision making; and 32 percent have tools for real-time patient identification and tracking for value-based conditions.1

Smart Hospitals in Action

An example of a small hospital transforming to smart is Doctors Hospital in Nassau, Bahamas. It is incorporating smart technology essentials to create the best healthcare environment in the region for its local and international patients’ overall experience. Among the initiatives at Doctors Hospital, which operates 72 licensed in-patient beds, are:

  • The use of telemedicine to provide medical services to other Caribbean islands and other islands in the Bahamas
  • Conversion of many of their critical medical devices and services to be remotely connected, including connecting patients hospitalwide for improved medication management care. This enables practitioners to make a medication change rapidly if needed, while monitoring dosage and bolus.
  • Design of a patient call system with multiple touchpoints to improve patient flow in both outpatient and in-patient settings

While few hospitals claim to be fully smart, many are on their way:

  • ThedaCare, a Wisconsin (USA)-based health system, is one of a growing number of institutions adopting e-visit technology, allowing patients to connect with healthcare professionals through a secure, online portal in a US Health Insurance Portability and Accountability Act (HIPAA)-compliant fashion.
  • Mercy Health, in Cincinnati (Ohio, USA), has implemented an analytics software system to produce reports benchmarking and measuring costs in a variety of areas.2 For instance, the system showed a variance in costs among its hospitals for blood utilization. Further investigation uncovered that doctors at one facility were double-ordering blood units unnecessarily. Protocols were instituted, saving millions of US dollars annually.
  • Automation in the field of surgery depicts scenarios where robotics will play major roles in smart hospitals. For instance, the Da Vinci surgical system, a robotic surgical system developed by US firm Intuitive Surgical, has conducted approximately 200,000 surgeries. However, the high initial cost for the infrastructure and increased complexity in the integration of the systems may result in hampered market growth.

Increased Technology Equals Increased Cybersecurity Challenges

Not unexpectedly, as more smart hospital technology becomes integrated, the more cybersecurity becomes a priority.

Any system that connects administrators, doctors, nurses and patients and shares information freely among them gives hospital chief information security officers (CISOs) pause and attracts increased attention from cybercriminals. More connectivity means increased chances of system compromise. It is not only hospital security and IT executives who are concerned. The US Federal Drug Administration (FDA) has issued guidance (and has plans to release new guidelines in the coming months) regarding the regulatory approval process for medical devices to address cybersecurity concerns. Medical device manufacturers have pushed for industry-led standards and several US legislators have proposed legislation calling for more stringent testing requirements and the submission of “cyber report cards.”

The challenge will increase as hospitals get smarter and smarter. The following are likely to become more commonplace:

  • Treatment areas, departments and home care will communicate through remote connectivity.New medical devices and hospital equipment are being designed to connect wirelessly for faster/more accurate communication, be less bulky and help with patient’s mobility. This is great for the patient’s recovery at home and the hospital’s efficiency as long as the equipment is built with strong cybersecurity protection.
  • Robotics and telemedicine will be more widely used throughout the hospital. Neither of these technologies is new, but thanks to evolving capabilities that enable remote access and connectivity, physicians will be taking more of a team approach to complete a patient’s treatment and procedures. Physicians may not need to be present to speak with patients, and surgical robotic technology will increasingly be used for accuracy with less margin for error, better infection control and adherence to clinical safety standards. Robotic technology used for surgery will not entirely replace humans and will be operated by someone somewhere, but the chance of interference is always possible.

More Connected Devices, More Exposure

Doctors Hospital in the Bahamas, like all smart hospitals, faces unique challenges to keep its infrastructure secure from cyberattacks. All future smart hospitals will need to adopt and implement the highest standards of security for safe patient care.

Hospitals have traditionally been under-resourced with regard to cybersecurity, making them an attractive and relatively easy target for those who intend to profit or, worse, cause harm. Electronic health records are 10 times more valuable on black markets than credit card data.3 Privacy-driven requirements extend across the smart hospital. Patient call systems, which facilitate communication, monitoring of vital signs and patient location, must also protect the patient data, especially attractive to unidentified intruders who can quickly compromise systems and propagate throughout the environment.

Whether it is the leak of personal health information or “misbehaving” medical devices, the stakes are high. Just as everyday consumers are increasingly exposed and vulnerable, hospital environments, too, are increasingly at risk as more and more previously stand-alone devices become connected. Incidents related to unsecured medical devices that become compromised can range from downtime to device malfunction, impacting the quality of therapy the device delivers. Beyond that, vulnerable medical devices can also serve as a point of entry for an attacker as these devices become increasingly connected.

Telemedicine is a game changer for the healthcare industry. But, again, the increased connectivity required to facilitate this introduces risk. Because of the continuous change of caregivers who require access to patient data and remote in-home monitoring systems, stronger user authentication is a priority that must be implemented. Integrity and resiliency of systems become paramount when considering telemedicine and robotic solutions; their product security requirements should be in line with those required for the safe operation of planes or critical industrial control systems, as the worst-case implications of a compromised remote surgery are almost too terrifying to comprehend.

Even medical dispensary cabinets, once connected to the hospital’s network, open a new attack vector that could result in theft, shortages, overdoses or even death if security controls are not carefully implemented, heavily secured and closely monitored on a continuous basis.

Hospitals’ footprints are getting bigger as they offer more and more remote care, connecting to patients at home through medical devices and online patient portals—providing another avenue for cyberthieves.

Conclusion

As hospitals continue to evolve, new and existing technologies will be incorporated into the ways patients are treated. The manner in which hospitals are operated will evolve in ways barely imaginable today. Chief information and security executives need to be just as innovative to thwart the hackers and cybercriminals lurking just one step behind.

Endnotes

1 American Hospital Association, “Most Wired Hospitals Use Technology to Partner with Patients on Health,” Hospitals & Health Networks, 10 July 2017, https://www.hhnmag.com/ext/resources/inc-hhn/pdfs/mostWired/PressKit/Most-Wired---2017-Press-Release-FINAL.pdf
2 Hoppszallern, S.; “Mercy Health Drives Operational and Cost Improvements With Analytics,” Hospitals & Health Networks, 17 July 2017, https://www.hhnmag.com/articles/8398-mercy-health-drives-operational-and-costs-improvements-with-analytics
3 Humer, C.; J. Finkle; “Your Medical Record Is Worth More to Hackers Than Your Credit Card,” Reuters, 24 September 2014, https://www.reuters.com/article/us-cybersecurity-hospitals/your-medical-record-is-worth-more-to-hackers-than-your-credit-card-idUSKCN0HJ21I20140924?feedType=RSS&feedName=healthNews

Justine Bone
Is chief executive officer of MedSec (www.medsec.com), a cybersecurity vulnerability research and solutions company focused on medical devices and healthcare systems.

Violet Morris
Is senior healthcare solutions director at MedSec.

Chadwick Williamson
Is vice president, management information systems, Doctors Hospital Health System, and contributed to this article.

 

Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.