This article is based on an interview with SonicWall PreSales Engineer Barbara Vibbert, who spent 10 years in healthcare IT and more than 20 years in information security.
From the carts that roll from room to room checking vital signs to the tablet at the check-in desk, internet-connected devices can be seen during every hospital visit. What isn’t visible, however, is the massive infrastructure required to connect and secure them.
While these connected devices have brought countless benefits to healthcare, they also have the potential to endanger patient privacy, data integrity and even the continued survival of the hospitals themselves.
Access control in healthcare environments
Most doctors are not employed by the hospital where they work. Nor are many of the people in charge of maintaining equipment. These individuals have their own laptops, tablets and other devices that IT has no control over, but they require network access in order to do the jobs that keep the hospital running.
Hospital access control teams must also onboard large numbers of people at once on a regular basis. In most IT departments, users are onboarded and offboarded throughout the year as employees come and go. In hospitals, however, a large influx of new users must be added each year around July 1, when hospital residencies begin. There can be hundreds of new residents and fellows per year that require onboarding, but hospitals generally only have a five-day window to get them up and running.
An equally sizeable, but completely unpredictable, wave of new users must be onboarded during nursing strikes. Depending on the size of the nursing staff, IT may have to quickly add several hundred new visiting nurses to the network with little warning.
Even within the hospital, data must be accessible for purposes not directly tied to patient care; for example, research and billing. But greater accessibility always brings with it greater risk. In May, an Ohio medical center posted an Excel spreadsheet on its website to comply with new requirements about cost transparency. However, inadvertently included in the spreadsheet were the names, diagnoses, treatment histories and other information of nearly 4,000 patients — a major violation of patient confidentiality laws.
Teleworking in healthcare environments
The online services that hospitals use also have patient privacy implications — and with many healthcare workers now working from home, this is a bigger concern than ever. For example, many hospitals don’t host their own telemedicine, relying instead on Zoom-like platforms … or Zoom itself. Because these sorts of platforms weren’t designed to comply with the heightened privacy regulations governing the healthcare industry, they can present a privacy risk.
The danger here isn’t limited to online interlopers, however. With employees no longer afforded the seclusion of their offices, a number of low-tech privacy risks emerge. For example, if a medical professional is doing a psychiatric consultation from home, a spouse, roommate or even a passer-by could potentially see and hear what’s being discussed through an open door or window.
IoT devices in healthcare environments
Human-operated devices aren’t the only ones that need safeguarding. Hospitals use countless Internet of Things (IoT) devices, responsible for everything from monitoring patient heart rates, to regulating sleep apnea, to ensuring new parents don’t accidentally leave the hospital with the wrong baby.
You don’t need to worry about cybercriminals hacking into your blood pressure cuff or pulse oximeter directly, however: these devices sit on a separate network segment that is tightly controlled and largely unreachable from the rest of the hospital.
That isolation is necessary largely because these devices often cannot be updated or patched. FDA approval is required for any device that comes into contact with a patient, and that approval covers the device in the state in which it was validated at the time of approval.
In practice, patching, updating or otherwise altering such a device outside the manufacturer’s validated update process can take it out of its approved state, so many devices run for years with known but unpatched vulnerabilities. To manage that risk, hospitals rely heavily on firewalls: without them, having a device on the network that can make the difference between life and death, but may also contain unpatchable vulnerabilities, would simply be too big a liability.
… Plus all the usual suspects
If that wasn’t enough, hospitals still have to contend with the standard IT hazards, such as phishing, ransomware and remote work risks. Hospital IT, not the clinical staff, has to be the line of defense against phishing: busy doctors and nurses can’t be expected to investigate the legitimacy of every email when each second spent doing so is one less spent on patient care.
But given the massive uptick in attacks targeting hospitals, the number of phishing emails that get through and successfully fool employees is on the rise. According to Healthcare Finance, during a recent study employees clicked on roughly 1 in 7 simulated phishing emails, putting hospitals at risk for threats such as credential theft and ransomware.
And ransomware has the potential to be especially devastating for hospitals. Taking the billing department offline for a week can put any hospital in a tight spot, or in the case of smaller hospitals, even drive them to bankruptcy. And without the ability to collect or access patient data, facilities have to turn patients away — which can be deadly.
How hospitals, healthcare organizations can improve security hygiene
While more devices necessarily means more risk, these risks can be mitigated. One way is through network segmentation. By isolating the different parts of the care practice from one another and permitting only the specific flows each one needs, hospitals can limit how far a compromise can spread. And with fewer people and systems able to reach each piece of patient data, privacy risks are reduced as well.
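As an added illustration of the segmentation described here and of the firewalling of unpatchable medical devices discussed earlier, the following nftables ruleset (written for this page, not taken from the article or from SonicWall) enforces a default-deny policy between three assumed VLANs: a clinical-systems zone (vlan10, with an HL7 interface engine at 10.10.0.5), a medical-device zone (vlan20) and a user/guest zone (vlan30). The interface names, addresses, the biomed management host and the HL7 port are illustrative assumptions.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for a Linux firewall routing between hospital VLANs.
# All interface names and addresses below are assumptions for illustration:
#   vlan10  clinical-systems zone (EHR / HL7 interface engine at 10.10.0.5)
#   vlan20  medical-device zone   (monitors, pumps and other unpatchable IoT)
#   vlan30  user / guest zone     (staff laptops, contractor and visitor devices)

flush ruleset

table inet hospital_segmentation {
    # The only hosts allowed to initiate connections *to* medical devices.
    set biomed_mgmt {
        type ipv4_addr
        elements = { 10.10.0.50 }
    }

    chain forward {
        # Default deny: a flow is only forwarded if a rule below accepts it.
        type filter hook forward priority 0; policy drop;

        # Allow replies to sessions that were already permitted; drop bad state.
        ct state established,related accept
        ct state invalid drop

        # Devices may push HL7 results to the interface engine and nothing else.
        iifname "vlan20" oifname "vlan10" ip daddr 10.10.0.5 tcp dport 2575 accept comment "devices -> HL7 interface engine"

        # Biomed engineering reaches devices for maintenance from one named host.
        iifname "vlan10" oifname "vlan20" ip saddr @biomed_mgmt tcp dport { 22, 443 } accept comment "biomed workstation -> device maintenance"

        # Devices never initiate anything else (no internet, no user VLAN); log it.
        iifname "vlan20" log prefix "seg-drop device-egress: " drop

        # Users and guests never reach the device VLAN directly; log the attempt.
        iifname "vlan30" oifname "vlan20" log prefix "seg-drop user->device: " drop

        # Anything not matched above falls through to the chain policy (drop).
    }
}
```

Check the file with `nft -c -f hospital.nft` before loading it with `nft -f hospital.nft`; a syntax error in a segmentation policy is best found before it replaces the running ruleset. Note that a forward chain only governs traffic that crosses the firewall: two devices on the same VLAN can still reach each other, so lateral movement inside the device zone needs per-port isolation or finer-grained segments on the switches themselves.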
There are also several steps individuals can take:
- Keep devices patched and up to date. This is a good habit in general, but it’s crucial when accessing hospital networks from home.
- Deploy a firewall for your home network. (Even the one built into Windows offers some protection.)
- Use next-generation antimalware protection. Today’s advanced threats can bypass traditional signature-based antivirus software.
As Champions of National Cyber Security Awareness Month, SonicWall is committed to helping organizations in every industry protect against the threats of today and prepare for the threats of tomorrow. To learn more, check back next week as we explore what future threats could look like, and how we as individuals can help prevent them.