The CIO of a Texas hospital shares security horror stories from his experience in the telecom industry and calls unsecured devices "a big, big, big problem."
As HIMSS gets underway, the healthcare IT world is still shaking from last month's audacious privacy breach at a California hospital. Hollywood Presbyterian Hospital paid a $17,000 ransom to a criminal enterprise that broke into the hospital's system, encrypted data, and demanded an even larger payment.
While the concept of "ransomware" is not new, the very public ransom payment by Hollywood Presbyterian once again ratchets up the pressure in healthcare executive suites and boardrooms to do something different, and soon, to protect healthcare's digital assets.
As these things usually go, we may not learn exactly how the ransomware crooks found their way into Hollywood Presbyterian's systems and data. Perhaps to guard against further intrusions, or as a bulwark against lawsuits, enterprises tend not to divulge publicly just what the root cause of breaches are.
With that in mind, I spoke last week with a CIO who is sounding the alarm about an attack vector which, to my knowledge, has not yet been publicly blamed for any major breach in a US healthcare system, but has to be on the list of culprits.
Aaron Miri is chief information officer of the 100-bed Walnut Hill Medical Center in Dallas, Texas. "I came out of the telecom space," he says. "Healthcare is probably 10, 15, 20 years behind the finance, telecom, and other industries, and rapidly catching up, but very much behind.
"Medical devices are one of the top issues for CIOs, due to the fact that the rules of the road apply differently to hospitals than they do to the medical device manufacturers, the EMR vendors, and to all the different verticals within healthcare that make up the continuum of healthcare."
The issue, Miri says, is that too many medical device manufacturers do not meet the definition of a covered entity as defined by HIPAA. Where a covered entity such as Walnut Hill has to abide by all of HIPAA's provisions to encrypt data at rest or in transit, the non-covered-entity device manufacturers can avoid placing basic security provisions in their equipment—provisions such as specific, secure logins.
"Those medical devices and those devices out there in the field are absolutely a risk point, because they have to touch a corporate network in some form or fashion to translate that data back to your EMR or whatever application is ingesting that," Miri says.
At this point, I noted the lack of specific callouts to unsecured medical devices as a root problem on the HHS Office of Civil Rights' notorious "wall of shame" of HIPAA breaches.
Miri's response took the form of an example. "In one of my previous lives, we had a newborn hearing test [device] that goes into the newborn's ear, [and] was plugged in, via a serial cable, to a vendor-provided laptop," he says.
"That was all considered a standalone solution. But it was really a laptop connected to this medical device, all supported by the vendor. But it could not be encrypted for latency purposes. So we had to do all sorts of mitigating factors around it to make sure that, because it wasn't encrypted, that we accepted the risk, that we understood what the risk was, and so forth and so on. We had a business associate agreement with that vendor, and so that vendor dealt with the whole kit and caboodle, the whole solution. However, that was a risk point."
Sure enough, Miri says, "we did have an issue that we had to report to the OCR, because that laptop ended up stolen. These things happen all the time; however, given the nature of how clinical devices are somewhat a hodgepodge of laptops, computers, and/or a medical device, it may not qualify as a standalone device that must be reported."
A Big, Big, Big Problem
Windows XP is also a continuing headache in too many medical devices, Miri says. "I just saw one the other day in the UK, where a Windows XP device that was actually a lab instrument was infected with malware and had inadvertently infected an entire NHS hospital."
Another example Miri cites is medication-dispensing machines. "In my previous life, I had three brand-new medicine-dispensing machines shipped to me, brand new, still in the shrinkwrap," he says. "We put them into a brand new unit we had just built. We turned them on. We plugged them in the network. Immediately, my systems started going haywire. Sure enough, these things came infected from the factory with malware, because their underlying operating system was Windows XP. This was just a year and a half ago.
"Based on my conversations with other CIOs, [we] don't even know what's happening because of how unmanaged these devices are." He likens these devices to "little pockets of individual freedom floating out there that must attach to your network because the FDA mandates it must do so, without any ability to get your arms around the product, because they play by a different set of rules. So it's a big, big, big problem."
In Washington, groups such as CHIME and HIMSS are calling for tougher rules on medical device manufacturers, but Miri notes that responsibility for solving the problem is divided by between the FDA, the FTC, and the HHS Office of Civil Rights. "Who is the true sheriff of the road?" he asks. "Anybody who knows anything about government knows that once you have multiple agencies playing, they seem to get in each other's way."
The White House has a cybersecurity coordinator, but Miri says there is an effort to augment this with, effectively, a national chief information security officer, to stop the finger-pointing among agencies. A provision in the Cybersecurity Information Sharing Act of 2015, signed into law by President Obama in December, may help put such a czar in place.
It's a big, big, big problem.
"Some action is better than no action, but there is still no mandate, and I am still able to go buy medical devices on the market without any encryption, or without following the same rules that I am forced to go by as a covered entity," Miri says.
For now, CIOs such as Miri will have to rely upon a protective superstructure of security software, overlaid upon their computer networks, to try to detect intrusions, and limit the amount of damage that a rogue device can do upon a network. Miri relies on commercial solutions from vendors such as Imprivata to manage important aspects such as single sign-on, user access controls, and auditing.
"Especially when it comes to IT, I'm competing for every dollar I need to spend against a dollar that could be spent on a new bed or a new instrument, so if I cannot show ROI, you can bet your bottom dollar the CFO is going to give me any money to spend."
"So beyond the convenience and quality and safety factors of being able to audit, track, and disseminate what's going on with my community, I am able to show time saved. I am able to show a maximization of the time spent at the bedside with the patient."
Miri described other techniques that are making a difference, including virtual desktop interfaces (VDI) which provide further control of desktops. But I came away from our conversation believing it is high time that we crack down on those devices that represent one of the most vulnerable attack vendors of healthcare IT today.
It's not difficult to believe that if we do not act much more aggressively, a lot more ransoms shall be demanded by cyber criminals. At this crucial time in healthcare, it's the last thing any of us need.
Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.