Report: Remote Access Is No. 1 Healthcare Tech Hazard
ECRI Institute Calls Attention to Cyber Risks for Second Consecutive Year
Hackers remotely accessing medical devices and systems - potentially disrupting care and putting patients at risk - is the No. 1 technology hazard facing healthcare entities in the year ahead, according to a new report from the ECRI Institute, a patient safety research organization.
ECRI's annual list defines the top health technology hazards that warrant "priority attention" by healthcare leaders, the organization says.
"The list does not enumerate the most frequently reported problems or the ones associated with the most severe consequences - although we do consider such information in our analysis," ECRI's 2019 Top 10 Health Technology Hazards report notes. "Rather, the list reflects our judgment about which risks should receive priority now."
ECRI is recognizing that cyber threats are a growing concern that needs to be addressed, says Mark Johnson, healthcare security practice lead at consultancy LBMC Information Systems.
"Healthcare needs a quantum leap forward in its resilience to cyberattacks. However, we won't get there unless we change the attitude of what healthcare cybersecurity is all about. It's about cyber not compliance," says Johnson, former CISO at Vanderbilt University and Medical Center.
Among the other top tech hazards on the ECRI list are infusion pump programming mistakes, improper customization of alarms on patient physiologic monitoring systems and flawed battery charging systems and practices.
This is the second time that ECRI has named a cybersecurity threat as its top tech hazard in its annual report. The institute's 2018 list named ransomware and other cyberattacks as the top tech hazard.
"Ransomware specifically still continues to disrupt healthcare operations in various ways around the globe," Juuso Leinonen, ECRI senior project engineer, tells ISMG. "This year, however, we decided to focus on a specific technology-related concern and provide practical recommendations on how to address it."
Remote access to systems and devices is becoming more prevalent in healthcare because it eases clinical workflow and streamlines manufacturer system maintenance, Leinonen says. But such access can be an avenue for compromise if appropriate protections are not in place for the remote access, he notes.
"Cybersecurity in a healthcare facility is a multifaceted problem, and it is paramount that we focus on identifying areas where steps can be taken to make a significant impact," he says.
Remote access increasingly is the vector of choice for cyberattackers, says Chad Waters, ECRI senior cybersecurity engineer. "This means of getting into networks has resulted in the many recent SamSam ransomware infections that have paralyzed healthcare facilities and even government entities," Waters tells ISMG.
Remote Access Risks
The ECRI report notes that potential attackers can take advantage of unmaintained and vulnerable remote access systems to infiltrate an organization's network. "Once they gain access - whether through medical or nonmedical assets - attackers can move to other connected devices or systems, installing ransomware or other malware, stealing data or rendering it unusable, or hijacking computing resources for other purposes, such as to generate cryptocurrency," the report states.
ECRI notes that "safeguarding assets requires identifying, protecting and monitoring all remote access points, as well as adhering to recommended cybersecurity practices, such as instituting a strong password policy, maintaining and patching systems and logging system access."
Phil Curran, chief information assurance officer and chief privacy officer of Cooper University Health Care, an academic care delivery system based in Camden, N.J., advises organizations to avoid allowing continuous remote access by vendors.
If a vendor that works with Cooper Health requires remote access, "they have to contact their business contact and that business contact must request to have the vendor account unlocked," he explains. "We automatically lock the vendor account at midnight in case the business owner 'forgets' to tell us the vendor is done."
In addition, he advises organizations to carefully monitor remote access activity. "Have contract language stating the vendor will use the same remote access process you use," Curran suggests.
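One way to monitor a time-boxed vendor access process like the one described above is to reconcile remote sessions against unlock requests. The following is an added example, not code from the article or from Cooper University Health Care; the account names, timestamps and record layout are constructed, and it assumes each unlock lasts until the next midnight.

```python
from datetime import datetime, timedelta

def lock_time(unlocked_at):
    """Next midnight after the unlock, when the account is locked again."""
    next_day = unlocked_at.date() + timedelta(days=1)
    return datetime.combine(next_day, datetime.min.time())

def audit_vendor_sessions(unlocks, sessions):
    """Return (account, start, reason) for sessions outside an approved window.

    unlocks:  (account, unlocked_at, requesting business contact)
    sessions: (account, session_start, session_end)
    """
    findings = []
    for account, start, end in sessions:
        windows = [(u, lock_time(u)) for acct, u, _ in unlocks if acct == account]
        covering = [w for w in windows if w[0] <= start < w[1]]
        if not covering:
            findings.append((account, start, "no active unlock request"))
        elif end > max(w[1] for w in covering):
            # Locking an account does not always end a session already open.
            findings.append((account, start, "session persisted past midnight lock"))
    return findings

# Constructed sample data (hypothetical accounts, contacts and times).
T = datetime.fromisoformat
UNLOCKS = [
    ("vendor-pacs", T("2019-01-14T09:30:00"), "j.smith"),
    ("vendor-pump", T("2019-01-14T22:00:00"), "a.jones"),
]
SESSIONS = [
    ("vendor-pacs", T("2019-01-14T10:00:00"), T("2019-01-14T11:15:00")),  # within window
    ("vendor-pacs", T("2019-01-15T08:00:00"), T("2019-01-15T08:20:00")),  # next day, no new request
    ("vendor-pump", T("2019-01-14T23:30:00"), T("2019-01-15T02:00:00")),  # outlives the lock
    ("vendor-lab",  T("2019-01-14T13:00:00"), T("2019-01-14T13:05:00")),  # never requested
]

if __name__ == "__main__":
    for account, start, reason in audit_vendor_sessions(UNLOCKS, SESSIONS):
        print(f"{start.isoformat()} {account}: {reason}")
```

The third case is the one a lock-at-midnight job alone does not catch: the account is locked on schedule, but a session opened before the lock stays connected.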
Some security experts, including Curran, argue that although remote access is a concern, other cyber risks are even more worrisome.
"The ability to exploit remote access systems has been around for years," he says. "I believe the No. 1 hazard to healthcare is social engineering attacks, for example, phishing attacks. A single successful attack is the start of a broader attack that could potentially bring down an entity."
Another area of concern, Curran says, is distributed-denial-of-service attacks. "We continue to see these attacks grow in size and length as well as becoming more frequent," he says. "The inability to get data in or out does affect patient care."
Vulnerabilities in mobile devices and the internet of things are also a serious issue, Curran adds.
But Keith Fricke, principal consultant at tw-Security, says attacks targeting medical devices are becoming a bigger worry.
"It is reasonable to think that network-attached devices can be compromised," he says. "It is likely that many small to medium-sized organizations have not created network segments for biomedical devices. Instead, the network is 'flat,' meaning the biomed devices are comingled on the same network as computer workstations."
Fricke says that biomedical devices can be difficult to keep up to date with patches "because it usually requires a biomed technician to physically interact with each device and manually apply patches and updates. I believe that biomed devices are likely to be targets of opportunity - someone seeking unauthorized access to an organization's network via compromising the device."
Medical devices most at risk for compromise are legacy devices that run old operating systems and have weak or no access controls, "such as devices not enforcing a password of a certain length or complexity," Fricke says.
Network segmentation can help address risks to devices, he adds. "Newer technologies are available that can passively inventory all devices on networks and baseline network traffic behavior. Getting supply chain/purchasing departments involved is important too," he says. "They should be asking vendors to provide Manufacturer Disclosure Statement for Medical Device Security [MDS2] forms. These identify the security controls in place for a specific make and model of biomed equipment."
The Food and Drug Administration has been steadily ramping up its medical device cybersecurity efforts, and public-private health sector advisory groups have also been issuing warnings regarding the potential risks posed to patient safety by possible cyberattacks targeting medical devices and other related systems.
Among steps being taken by the FDA in an effort to bolster medical device cybersecurity is the release of a new "playbook" for healthcare delivery organizations, which is focused on promoting cybersecurity readiness.
Any medical device that has network connectivity is a "high-risk device," says Johnson, the consultant. "All the efforts that the FDA has been making in this arena are welcome and needed. However, with supply chain lead time, it might take years to get more cyber resilient medical devices into the environments at scale. In the meantime, we have potentially vulnerable devices across the networks for which we must come up with new ways to protect."
Erik Decker, CISO at the University of Chicago Medicine, says the healthcare sector needs to continue upping its cybersecurity ante to prevent potentially catastrophic "doomsday" events that could involve attacks on medical devices and other health IT systems.