December 27, 2017
The medical field has undergone massive digitization in recent years with the emergence of interconnected medical devices and the broader exchange of health care information. In less than a decade, nearly all hospitals and physician offices have adopted electronic health record (EHR) systems.[i] But the adoption and investment related to cybersecurity has been slow. According to the Health Care Industry Cybersecurity Task Force, “a majority of the health care sector made financial investments in cybersecurity only in the last five years.”[ii] This expansion of digitizing critical information without an investment in cybersecurity has, in large part, led to the current environment where health care providers are easy targets for attackers. In a 2017 report, the American Medical Association found that 8 out of 10 physicians had experienced a cyberattack in practice.[iii]
In fact, 2017 brought some of the largest and most widespread cybersecurity attacks in recent memory, and the health care industry proved particularly vulnerable to them. In 2018, health care providers should watch for the following threats and take steps to protect against them.
Ransomware is malware that exploits vulnerabilities in a system to encrypt, or otherwise block access to, the information stored on that system. The infected system displays a message informing users that their data will not be released unless they pay the demanded ransom. Industries where access to information is critical to providing services, such as health care, are particularly targeted by such attacks.
Health care providers will remember 2017 as the year of large ransomware attacks, starting with the WannaCry ransomware attack, which spread to over 150 countries and infected more than 400,000 machines in just two days.[iv] The United Kingdom’s National Health Service was hit hardest by this attack and cancelled nearly 7,000 appointments, including operations, as a direct result.[v] Hospitals here in the U.S. were also affected, including medical devices such as Bayer’s MedRad device that assists in MRI scans.[vi] WannaCry was followed by another global ransomware attack in June 2017 known as NotPetya. Several hospital systems and other health care entities were impacted by this attack, including Merck, one of the U.S.’s largest pharmaceutical manufacturers.[vii] Health care providers can expect to see more of the same in 2018, as neither their vulnerabilities nor their mitigation efforts have drastically changed.
The potential vulnerabilities in medical devices have long been on the radar. Successful hacks dating back to 2011 have affected a variety of medical devices, ranging from insulin pumps to pacemakers.[viii] Medical devices connected to a broader computer network have been used as easy access points for attackers to gain unauthorized entry to the network. In 2013, the Department of Homeland Security (DHS) issued a warning that 300 medical devices tested for cybersecurity vulnerabilities had all failed to meet minimum standards.[ix] This warning spurred the Food and Drug Administration (FDA) to issue recalls due to cybersecurity vulnerabilities and, in 2016, to issue cybersecurity guidance for medical devices.[x] This year, Congress took notice, and the Medical Device Cybersecurity Act of 2017 was introduced.[xi] Although the bill failed to pass, by all indications regulatory and legislative actions seeking to address this concern will continue in 2018.
In the meantime, medical devices remain extremely vulnerable. Unlike other devices, which receive multiple and frequently automatic updates that may close certain security holes, medical devices are updated slowly by their manufacturers, and the process for applying updates may be less user friendly. Further, the fact that hospitals and similar health care entities “typically have 300-400% more medical equipment than IT devices”[xii] gives hackers seeking access to a provider’s networks that many more possible targets.
As an increasing number of providers deploy protections (backups, frequent updates, etc.) against ransomware and refuse to pay the demanded ransoms, cybercriminals undoubtedly will turn to other methods that could increase the potential harm to providers and lead to higher ransom payments. One change we may see in 2018 is that hackers, instead of encrypting or otherwise making data within a medical record unavailable, will simply change the stored data so that it is inaccurate.[xiii] If providers have no way of knowing which information in the medical record is accurate, substantial liability may arise from issuing a contraindicated prescription, amputating the incorrect leg, or being falsely alerted that a patient has flatlined. Because such attacks threaten the life or safety of patients even more directly, they give attackers an opportunity to exploit and profit from ransom demands to a greater degree.
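The integrity attack described above is only dangerous if the provider cannot tell which records were altered. The defensive counterpart is to store each record with an authentication tag computed under a key held outside the record database, so that any silent change to a stored value is flagged before a clinician acts on it. The following is an added illustration of that check, not code from the original article; the record layout, the patient IDs and the key are constructed sample values, and the key would in practice come from a key management service rather than a constant.

```python
"""Tamper-evident record store using HMAC-SHA256.

Added example (constructed data, hypothetical field names). Each record is
stored with a tag computed under a key that is NOT kept in the record
database, so an attacker who can rewrite rows cannot recompute valid tags.
"""
import hashlib
import hmac
import json

# Hypothetical demo key; in production this comes from a KMS/HSM and is
# never stored alongside the records it protects.
DEMO_KEY = b"example-integrity-key-not-for-production"

# Constructed sample records: a patient with a penicillin allergy and a
# patient on an anticoagulant. Field names are illustrative only.
SAMPLE_RECORDS = [
    {"patient_id": "P-0001", "allergies": ["penicillin"], "rx": ["azithromycin 250mg"]},
    {"patient_id": "P-0002", "allergies": [], "rx": ["warfarin 5mg"]},
    {"patient_id": "P-0003", "allergies": ["latex"], "rx": []},
]


def canonical(record: dict) -> bytes:
    """Serialize deterministically so the tag does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over its contents."""
    body = dict(record)
    body.pop("tag", None)  # never include an old tag in the authenticated data
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify(sealed: dict, key: bytes) -> bool:
    """True only if the stored tag matches the current contents under this key."""
    body = dict(sealed)
    tag = body.pop("tag", None)
    if tag is None:  # a stripped tag is treated as tampering, not as 'unknown'
        return False
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


def audit(records: list, key: bytes) -> list:
    """Return the patient IDs of records whose contents no longer match their tag."""
    return [r.get("patient_id") for r in records if not verify(r, key)]


def demo_tamper() -> list:
    """Seal the sample records, simulate a silent edit, and report what the audit catches."""
    store = [seal(r, DEMO_KEY) for r in SAMPLE_RECORDS]
    # Simulated integrity attack: the penicillin allergy is quietly removed,
    # which could lead to a contraindicated prescription if undetected.
    store[0]["allergies"] = []
    # Simulated tag-stripping: the attacker deletes the tag on another record.
    del store[2]["tag"]
    return audit(store, DEMO_KEY)


if __name__ == "__main__":
    print("records failing integrity check:", demo_tamper())
```

Running the audit at read time (or on a schedule against backups) turns a silent data change into a detectable event; the key separation is what prevents an attacker with database write access from simply re-sealing the altered record.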
These three potential areas of cybersecurity concern, along with many others (such as mobile device and vendor security), will continue to trouble providers in 2018. As we head into the new year, health care entities should take steps to protect their information systems, the medical information they create, and the patients they serve.
[i] Joseph Conn, “Hospitals Achieve 96% EHR Adoption Rate; Data Exchange Still Needs Work,” Modern Healthcare (May 31, 2016), available at: http://www.modernhealthcare.com/article/20160531/NEWS/160539990; “EHR Adoption Rates: 20 Must-See Stats,” Practice Fusion (March 1, 2017), available at: https://www.practicefusion.com/blog/ehr-adoption-rates/.
[ii] Health Care Industry Cybersecurity Task Force, “Report on Improving Cybersecurity in the Health Care Industry” (June 2017), available at: https://www.phe.gov/preparedness/planning/cybertf/documents/report2017.pdf.
[iii] AMA, “8 in 10 Doctors have Experienced a Cyberattack in Practice,” Practice Management (December 12, 2017), available at: https://wire.ama-assn.org/practice-management/8-10-doctors-have-experienced-cyberattack-practice.
[iv] Jonathan Crowe, “WannaCry Ransomware Statistics: The Numbers Behind the Outbreak,” Barkly (May 2017), available at: https://blog.barkly.com/wannacry-ransomware-statistics-2017.
[vi] Thomas Fox-Brewster, “Medical Devices Hit by Ransomware for the First Time in US Hospitals,” Forbes (May 17, 2017), available at: https://www.forbes.com/sites/thomasbrewster/2017/05/17/wannacry-ransomware-hit-real-medical-devices/#737b2779425c.
[vii] April Glaser, “U.S. Hospitals have been Hit by the Global Ransomware Attack,” recode (June 27, 2017), available at: https://www.recode.net/2017/6/27/15881666/global-eu-cyber-attack-us-hackers-nsa-hospitals.
[viii] See, e.g., David C. Konoff, “Cybersecurity for Connected Diabetes Devices,” Journal of Diabetes Science and Technology, Vol. 9, Iss. 5, 1143-1147 (September 2015), available at: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4667325/.
[ix] DHS, Industrial Control Systems Cyber Emergency Response Team, ICS-Alert-13-164-01, “Medical Devices Hard-Coded Passwords” (June 13, 2013), available at: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01.
[x] FDA, “Postmarket Management of Cybersecurity in Medical Devices” (December 28, 2016), available at: https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf.
[xi] Medical Device Cybersecurity Act of 2017, S.1656, introduced by Sen. Richard Blumenthal on June 27, 2017, available at: https://www.congress.gov/bill/115th-congress/senate-bill/1656/text?format=txt.
[xiii] See Reena Ninan, “Cyber Soldiers: White-Hat Hackers,” CBSN On Assignment [video file] at 05:22 (August 21, 2017), available at: https://www.cbsnews.com/news/cyber-soldiers-cbsn-on-assignment/.
These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Internet subscribers and online readers should not act upon this information without seeking professional counsel.