Healthcare: From Privacy to Security

The benefits of networked medical devices are impossible to deny. These devices, such as insulin pumps, pacemakers, and other monitoring systems, allow doctors to remotely monitor the health of their patients in a non-invasive way. They can also transmit a patient’s vitals and other pertinent information directly to a doctor, so they can monitor their high-risk patients and ultimately prevent adverse health issues.

Like all technological advances, these benefits come with risks. HIPAA regulations have helped the industry focus on keeping sensitive patient information private. Since its passing in 1996, the industry has made great improvements regarding the privacy of data. However, privacy is not the same as security. These privacy regulations are a step in the right direction for health information technology, but they have not done enough to keep this information protected from hackers.

Unsecured medical devices could be the single greatest threat to the future of healthcare technology, putting at risk patients’ personal information (PPI), patients’ health, and healthcare organizations.

Risks of Unsecured Networked Medical Devices

Patient Personal Information

Protecting patient information is a high priority in today’s healthcare. Today, 78% of hospitals and practices use electronic medical records systems, storing and transmitting PPI, which includes DOB, SSNs, credit card credentials, and insurance information. If communications from one networked medical device to another are not encrypted, a hacker could steal a healthcare employee’s login credentials, log in to a hospital’s connected ecosystem, and exfiltrate PPI, which sells at a higher price on the black market than credit card credentials. These data breaches are time-consuming and can be financially devastating for a healthcare organization.

Patient Health Risks

Health risks to patients are another reason that networked medical devices must be secure. Recently, researchers found that a hacker could access and gain control of a hospital’s infusion pumps, giving them the ability to administer fatal doses to patients. Likewise, in mid-2013, security researcher Barnaby Jack explained how he was able to hack a pacemaker and administer a lethal shock to a patient.

Networked medical devices are not the only devices within hospitals; other connected devices within a hospital could indirectly affect patient health. For example, a hacker could access a system of connected refrigerators that store vaccines. The hacker could raise the temperatures of the refrigerators, thereby tampering with the effectiveness of the vaccines. The likelihood of this scenario actually happening is small, but it is possible.

PKI Offers Solutions

PKI is a proven method. It helps protect patients and healthcare organizations alike through both encryption and authentication. PKI encrypts communications transmitted over a network, so a hacker who intercepts these communications cannot use them.

Authentication helps secure networked medical devices by allowing only authenticated users to issue commands to the device. Take the example of the system of connected refrigerators I used earlier. If that system were secured using a digital certificate, any hacker attempting to connect to it and issue commands would be unable to do so without an authenticated certificate.
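The certificate check described above can be sketched in Python for the connected-refrigerator scenario. This is an added example, not DigiCert's code: the hostnames, command names and policy table are constructed, and it assumes the device runs a TLS server that trusts only a private device CA.

```python
import ssl

# Constructed policy for this example: certificate identity -> permitted commands.
COMMAND_POLICY = {
    "fridge-controller.pharmacy.example": {"read_temperature", "set_temperature"},
    "monitoring.pharmacy.example": {"read_temperature"},
}

def device_server_context(ca_file=None, cert_file=None, key_file=None):
    """TLS context for the device side: encrypt traffic and demand a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Without CERT_REQUIRED the device would accept commands from any TLS client.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # trust the private device CA only
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)    # the device's own identity
    return ctx

def peer_common_name(peercert):
    """Read the subject CN from the dict returned by SSLSocket.getpeercert()."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def authorize_command(peercert, command):
    """Allow a command only if the verified certificate identity is permitted to send it."""
    if not peercert:          # empty dict: no validated certificate was presented
        return False
    allowed = COMMAND_POLICY.get(peer_common_name(peercert), set())
    return command in allowed

# Constructed samples in the shape getpeercert() returns after a verified handshake.
OPERATOR_CERT = {"subject": ((("commonName", "fridge-controller.pharmacy.example"),),)}
MONITOR_CERT = {"subject": ((("commonName", "monitoring.pharmacy.example"),),)}
UNKNOWN_CERT = {"subject": ((("commonName", "laptop.guest.example"),),)}

if __name__ == "__main__":
    for name, cert in [("operator", OPERATOR_CERT), ("monitor", MONITOR_CERT),
                       ("unknown", UNKNOWN_CERT), ("no certificate", {})]:
        print(name, "set_temperature ->", authorize_command(cert, "set_temperature"))
```

The TLS handshake rejects peers whose certificate does not chain to the device CA; the policy lookup then limits what each accepted identity may do.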

Ultimately, PKI is a proven solution for protecting the millions of networked devices coming into the market.

Using PKI to secure devices is something DigiCert has been doing for over a decade. We issue security certificates to servers, fax machines, and other devices connected to the Internet and have a perfect record of security in this area. In reality, the new IoT movement isn’t a new era; we have simply given it a new name because of the number of connected devices that are emerging.

We have focused too long on privacy issues, and while important, privacy doesn’t matter if your data isn’t secure. Data security should be at the top of any healthcare executive’s priority list.
