Do No Harm - Matthew Webster - Page 13
Risks to Data
What does not often come to mind is the data risk related to internet-connected medical devices. Data can be as potentially deadly a risk as any device. An insulin pump that receives the wrong dosing data can potentially kill someone with diabetes. A number of events can cause such errors, everything from human error to machine flaws. This too deserves a much deeper dive, as data is far more interconnected than at any point in history, and that interconnection is only going to accelerate with the advent of new internet-connected medical devices.
Some risks are due to existing flaws in medical devices combined with people's desire for a better quality of life. For example, diabetics have hacked their own pumps to achieve innovations the manufacturers have not delivered. While many of these devices have been recalled, people have been hurt by insulin overdoses as a result of hacking their own devices.11 Keep in mind that these were commercial-grade systems that were attacked, not systems purchased on the black market.
Not everyone opts for commercially viable solutions. The cost of some of these solutions is too high for many to afford. As a result, they turn to alternative sources that may not have the strict quality control of the commercial world. In some cases people unknowingly end up with devices that actually come from the black market, such as insulin pumps that may be even less secure because they were never subject to the stronger regulation that exists today.12
While ransomware has been taking the spotlight of late, a host of other attacks are related to internet-connected medical devices. These will be described in greater detail in Chapter 8, but suffice it to say that numerous attacks can be leveraged, many of which could be avoided with sufficient cybersecurity practices. In many of these attacks, the attacker could gain complete control of the data on the device. A few of the attacks against connected medical devices are listed in Figure 1-1, but this is far from a complete list. The lesson here is that quite often the same vulnerabilities that can physically harm someone can also be leveraged to steal data. Data theft is by far more common than the physical harm that could result from the internet connection. The stark difference is that the harm from data theft may or may not ever become known.
Figure 1-1: Example types of attacks against internet-connected medical devices
The vulnerabilities related to internet-connected medical devices are having an impact on organizations, and these weaknesses are not trivialities. Nuspire, a managed security services provider, put out a few interesting statistics. The first is that "18% of medical devices were affected by malware or ransomware in the last 18 months."13 That is not a small number: roughly 1 out of 5 devices has been affected by malware. If there is an average of 15 devices around a patient, roughly 3 of them may have been infected. Further, that malware can often be used to infect other devices. The other statistic Nuspire mentioned was that "89% of health care organizations have suffered from an IoMT Related Security Breach." IoMT is short for internet of medical things; for our purposes, think of IoMT as internet-connected medical devices. That alone is another concerning statistic. It means that connected medical devices are a serious concern for healthcare organizations, and it makes protecting these critical organizations all the more difficult.
If risks to human life are on one end of the spectrum, the other end of the spectrum relates to data risks. Healthcare data is one of the most sought-after data types on the internet. Security reports over the years have placed the value of a healthcare record anywhere from $10 to $1,000. By contrast, a typical credit card is worth only a few dollars. The reason is that most credit card companies have robust fraud departments that stop fraudulent transactions relatively quickly; after one or more fraudulent transactions, the card is usually cut off. This is not typically true for health records, where the process of detecting problems can take much longer.
From a patient's perspective, the associated fraud can be a painful and lengthy road. Advisory Board, a leader in the healthcare advisory space, published an article that illustrated this quite clearly. A patient's identity was stolen, and the result was $20,000 worth of medical procedures for which the victim was held responsible. The billing continued over several cycles, and the perpetrator was eventually caught and jailed, but there are still serious questions about the integrity of the victim's medical files.14 Imagine what that can do to the victim. Records held by many hospitals may now contain conflicting health information about the patient. In a worst-case scenario, this can be life threatening.
From a hospital's perspective, it means that they can lose a great deal, too. They can end up performing procedures essentially for free because they performed surgery on an individual who was not the patient authorized to receive it. The victims also have a great deal of work to do, because they have to work through the fraud with the hospitals and the insurance companies, through no fault of their own. Health and Human Services, in conjunction with the Office of the Inspector General, put out a report citing $2.6 billion won or negotiated in fraud adjustments in 2019. There were 1,060 new criminal investigations in 2019.15 Undoubtedly the real numbers are much higher if you consider the cases that were thrown out or never detected. It takes constant vigilance to detect fraud.
The protection of the data in medical records is absolutely critical. We have only touched the tip of the iceberg in identifying all the different forces that tie into the safety of information. It is a complex web of interrelated societal forces that needs to be explored more fully to ultimately understand the ripple effect of a few vulnerabilities in connected medical devices, and how everything is related to Medicine 2.0, the type of next-generation healthcare we are entering into now.16