Cybersecurity and the “Internet of Health Things:” Risk Management for Health Delivery Organizations

The Internet of Things (“IoT”)—a network of physical objects connected to the Internet and each other through embedded sensors and wired and wireless technologies—is growing exponentially across all facets of American life.[1] These connections offer many benefits to device users and other data constituents. Smart devices and the networks that incorporate them generate and store vast quantities of information available for immediate analysis. When this information is properly secured, it can be used to make consumers safer, healthier, and more comfortable; make workplaces more efficient and productive (and therefore more profitable); and keep decision-makers better informed. Health care exemplifies this potential.
 
The health care industry is at the forefront of IoT implementation, and this technology is radically changing the field for patients, as well as health care providers, hospitals, health care facilities, and health systems (“Health Delivery Organizations” or “HDOs”). However, embracing the IoT has a significant impact on the HDO’s risk profile. A compromised networked device threatens not only data (confidentiality, integrity, and availability), but also the device itself (utility, safety, resilience, control). This can have a detrimental effect on patient safety.
 
An HDO’s security management system must keep pace with these risks and shift its focus from protecting records alone to protecting patient health and safety. A rush to implement IoT technology can leave the HDO and its constituents vulnerable if the HDO has not appropriately identified, assessed, and mitigated the threats and vulnerabilities affecting the associated data and devices. While a number of recognized cybersecurity standards exist for medical device manufacturers,[2] there is little specific guidance for HDOs that incorporate medical devices into their IT networks (“Implementing HDOs”). How can Implementing HDOs put appropriate administrative, physical, and technical safeguards in place to reduce IoT-related risk to a reasonable and appropriate level?
 
The Stage
 
In its February 2017 report, Aruba, a Hewlett Packard Enterprise company, estimates that 60% of health care organizations worldwide already use IoT technology, with an 87% adoption rate expected by 2019:[3]
 
  • The most common uses of IoT in health care include patient monitors (64%) and x-ray and imaging devices (41%).
  • Among the largest benefits to health care organizations are using sensors to monitor and maintain medical devices and remotely track assets by location.
  • 73% of users report cost savings as a result of IoT adoption, and 80% of users report increased innovation.
  • The most-anticipated future benefits include increased workforce productivity (57% of respondents citing); cost savings (57%); creation of new business models (36%); and improved collaboration with colleagues and patients (27%).[4]

These advantages do not exist in a bubble: attendant to them are unique threats and vulnerabilities that contribute to risk. In its June 2017 Report on Improving Cybersecurity in the Health Care Industry,[5] an HHS task force emphasized that “[h]ealth care cybersecurity is in critical condition.” Contributing factors include:
 
  • “Severe” lack of security talent. HHS notes that most HDOs “lack full-time, qualified security personnel.”[6]
  • Data sensitivity. Health data are particularly sensitive, and breaches can be particularly harmful. A breach that impacts confidentiality may subject the patient to embarrassment, adverse employment or insurance determinations, or identity theft. Compromised data integrity or availability may undermine care or delay payment.
  • Device and data volume. Like all other devices that collect, store, and transmit data, connected medical devices are vulnerable to internal and external compromise. More devices means more potential breach vectors, and more data means more to be compromised if a breach occurs.
  • Availability. Because many health IoT devices are lifesaving or care-critical, they cannot simply be taken offline when threatened.
  • Equipment and system vulnerabilities. The HHS task force describes an “epidemic” of vulnerabilities, many of which directly impact patient care.
  • Underground market value. Health care information is an attractive target for wrongdoers, because it contains data points that make financial and medical identity theft possible.
  • Premature/over-connectivity. According to HHS, meaningful use requirements[7] “drive hyper-connectivity without secure design & implementation.”[8]
  • “Low-hanging fruit.” Compared to commerce and finance, health care is late to the cybersecurity table. An HDO’s security management plan may devalue networked devices as threat vectors, or simply overlook them. Workforce members, occupied with preserving life and health, may deprioritize cyber hygiene or suffer from chronic “Dammit Jim! Syndrome” (“Dammit Jim, I’m a doctor, not an IT expert!”). Perhaps most concerning are the competing expectations around security management, with each stakeholder thinking another is responsible. Those who automatically think “IT has it” may be surprised to learn that IT is unaware of this expectation.
  • Legacy equipment. HHS states that “[e]quipment is running on old, unsupported, and vulnerable operating systems.”[9]
  • Complex regulatory environment. OCR, CMS, FDA, ONC, and others all have a role in regulating HDOs, with some HDOs subject to multiple agencies. There may be gaps, overlap, or both.

Executives at Implementing HDOs are rightly concerned. Device malfunction, loss, or theft—or simple human error—can negatively impact data, HDO networks, and the device itself. Regardless of cause, compromise is a source of considerable risk for HDOs and patients, and one that traditional health IT channels may not adequately address. Thus, a conundrum: safe, effective patient care depends on deeper connectivity, but insecure connections can “betray” the very goals they purport to advance.[10]
 
Guidance and Solutions for Managing Risk
 
Given the diversity of HDOs, there can be no “one size” approach to IoT cybersecurity risk management. Flexibility is critical. For example, under the HIPAA Security Rule, regulated entities “must” consider at least the following factors when deciding what data security measures to implement: (1) size, complexity, and capabilities; (2) technical infrastructure, hardware, and software capabilities; (3) cost; and (4) probability and criticality of potential risks.[11] Implementing HDOs should consider these and other entity-specific factors when designing and implementing their own security management process.
 
 - Immediate “Micro” Steps
 
Implementing HDOs—and every entity with cybersecurity concerns—should allocate time and resources to get the most protection efficiently. These items should be high on an HDO’s list when prioritizing outside counsel and consultant dollars:
 
  • Developing a data map and device inventory to identify sensitive electronic information within the HDO. The data map shows data flows into, within, and out of the HDO. The device inventory identifies the number, types, and locations of networked devices; the data they transmit; how they are configured; and their security features.
  • Performing a data classification exercise to determine the number and types of security controls appropriate to safeguard data. A set of security controls reasonable and appropriate for one category may be overkill or insufficient for another. Data can be classified according to the potential impact of compromise on the HDO’s patients, operations, or assets.
  • Conducting and implementing the HDO’s risk analysis, generally defined as an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of sensitive data, including from IoT devices.
  • Developing, instituting, and evaluating the HDO’s risk management plan: the implementation of security measures sufficient to reduce identified threats and vulnerabilities to a reasonable and appropriate level. This may include instituting cybersecurity compensating controls—safeguards or countermeasures the HDO deploys “in lieu of, or in the absence of controls designed in by the device manufacturer.”[12]
  • Managing residual risk (the risk remaining after applying security measures): identifying risk acceptance criteria and deploying further mitigations where residual risk exceeds them.
  • Reviewing vendor contracts with an eye toward safety issues and risk management. Significant issues include indemnification, data ownership, product lifecycle support, and privacy and security by design.
  • Evaluating cyber-insurance. Many HDOs lack adequate protection; either they have no coverage at all, or they think they have more than they do.
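The following Python sketch is an added illustration, not code from the authors, the HHS report, or any cited standard. It walks the “micro” steps above over a constructed four-device inventory: the inventory rows record location, operating system, data class, network placement and credential state; a data classification maps each class to an impact score; inherent risk is likelihood times impact; compensating controls already deployed lower the likelihood to give residual risk; and residual risk is compared against per-class acceptance criteria to decide what goes into the risk management plan. The 1–5 scales, the set of unsupported operating systems, the effect assigned to each control and the acceptance thresholds are all hypothetical values chosen for the example; a real HDO substitutes its own criteria and the manufacturer’s support and security documentation.

```python
"""Toy IoT risk register for an Implementing HDO (added illustration).

Inventory -> classification -> inherent risk -> compensating controls ->
residual risk -> acceptance decision.  Every score, threshold and device
below is constructed for the example, not taken from the article.
"""
from dataclasses import dataclass, field

# Hypothetical end-of-support list; in practice this comes from vendor
# and manufacturer disclosures, not a hard-coded set.
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows Server 2003"}

# Data classification: impact of compromise on patients, operations,
# or assets, on a constructed 1-5 scale.
IMPACT = {"public": 1, "internal": 2, "phi": 4, "care-critical": 5}

# Risk acceptance criteria: maximum residual risk (likelihood x impact)
# the HDO tolerates per data class (constructed thresholds).
ACCEPT_MAX = {"public": 15, "internal": 10, "phi": 8, "care-critical": 6}

# Compensating controls: (applies-to predicate, likelihood reduction).
# A control only earns credit if the exposure it addresses is present.
CONTROLS = {
    "segmentation": (lambda d: d.network == "flat", 1),
    "credential_rotation": (lambda d: d.default_creds, 1),
    "replace_or_isolate_legacy": (lambda d: d.os in UNSUPPORTED_OS, 2),
}


@dataclass
class Device:
    """One row of the device inventory (first "micro" step)."""
    name: str
    kind: str
    location: str
    os: str
    data_class: str        # key of IMPACT
    network: str           # "flat" or "segmented"
    default_creds: bool    # still on manufacturer default credentials
    controls: list = field(default_factory=list)  # controls in place


def likelihood(d: Device) -> int:
    """Threat likelihood 1-5 derived from the inventory's exposure fields."""
    score = 1
    if d.os in UNSUPPORTED_OS:
        score += 2
    if d.network == "flat":
        score += 1
    if d.default_creds:
        score += 1
    return min(score, 5)


def inherent_risk(d: Device) -> int:
    return likelihood(d) * IMPACT[d.data_class]


def residual_likelihood(d: Device) -> int:
    """Likelihood after deployed compensating controls, floored at 1."""
    score = likelihood(d)
    for name in d.controls:
        applies, reduction = CONTROLS[name]
        if applies(d):
            score -= reduction
    return max(score, 1)


def residual_risk(d: Device) -> int:
    return residual_likelihood(d) * IMPACT[d.data_class]


def recommend(d: Device) -> list:
    """Applicable controls not yet in place, for the risk management plan."""
    return [n for n, (applies, _) in CONTROLS.items()
            if applies(d) and n not in d.controls]


def legacy_inventory(devices) -> list:
    """Names of devices running an unsupported operating system."""
    return [d.name for d in devices if d.os in UNSUPPORTED_OS]


def assess(devices) -> list:
    """Risk register rows sorted by residual risk, highest first."""
    rows = []
    for d in devices:
        rr = residual_risk(d)
        rows.append({
            "name": d.name, "location": d.location,
            "inherent": inherent_risk(d), "residual": rr,
            "accepted": rr <= ACCEPT_MAX[d.data_class],
            "legacy": d.os in UNSUPPORTED_OS,
            "recommend": recommend(d),
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample inventory (not real devices).
DEVICES = [
    Device("PM-ICU-01", "patient monitor", "ICU", "Windows XP",
           "care-critical", "flat", True),
    Device("XR-RAD-02", "x-ray", "Radiology", "Windows 7",
           "phi", "segmented", False, ["replace_or_isolate_legacy"]),
    Device("INF-WARD-07", "infusion pump", "Ward 3", "Embedded Linux",
           "care-critical", "flat", True, ["segmentation"]),
    Device("DISP-LOBBY", "digital signage", "Lobby", "Android 9",
           "public", "flat", False),
]

if __name__ == "__main__":
    for r in assess(DEVICES):
        flag = "ACCEPT" if r["accepted"] else "MITIGATE"
        print(f"{r['name']:<12} inherent={r['inherent']:>2} "
              f"residual={r['residual']:>2} {flag:<8} "
              f"legacy={r['legacy']} next={r['recommend']}")
```

Two design points carry over to a real program. A control should only reduce the score when the exposure it addresses actually exists on that device, otherwise a register fills up with credit for controls that change nothing; and the unsupported-OS flag is kept as a separate inventory view, because the legacy devices are the ones the HDO will be asked about first and often the ones that cannot simply be patched or taken offline.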

 - Larger, “Macro” Steps
 
The 2017 HHS report identifies six “imperatives,” with corresponding recommendations and action items, that the health care sector should implement to increase cybersecurity industry-wide. Implementing HDOs should recognize these as HHS’s primary areas of concern and consider how to apply each to their own organization:
 
1. Define and streamline leadership, governance, and expectations for IoT cybersecurity.
 
While data security has “historically” fallen within IT’s purview, data governance is a different animal and should include “information stakeholders” as well.[13] It is no longer appropriate to focus on technology to the exclusion of people, processes, and policies.[14]
 
2. Increase the security and resilience of IT networks that incorporate IoT devices.
 
The HHS task force identifies “legacy systems” as a primary area of risk. HDOs must take appropriate steps to secure these systems. Mitigation strategies include meticulously inventorying unsupported devices and operating systems and prioritizing vendors that adopt rigorous and transparent cybersecurity standards for product development, operations, and maintenance. Where possible, HDOs should position these vendor attributes as a competitive advantage during the RFP and bid process.
 
3. Develop the workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
 
Building from imperative #1 (identifying and assigning a cybersecurity leadership role), HDOs should also plan for, model, and train a qualified cybersecurity workforce with IoT-specific knowledge and capabilities. When appropriate, HDOs should explore ways to migrate legacy system data to secure environments.
 
4. Increase organizational readiness through improved cybersecurity awareness and education.
 
HDOs should adopt a holistic, collaborative cybersecurity strategy in which workforce members work toward a common goal of protecting patients and each other, the HDO’s most “critical assets.” HHS cautions that skimping in this area can jeopardize patient safety as well as the HDO’s assets and reputation.[15] An educated workforce, and an informed public, is critical.
 
5. Identify mechanisms to protect research and development efforts, and intellectual property, from attacks or exposure.
 
HDOs should consider best practices that balance academic freedom, intellectual property, and health care services.
 
6. Improve information sharing regarding industry threats, risks, and mitigations.
 
Membership in industry-specific information sharing organizations can streamline threat assessments and create valuable efficiencies for HDOs with a small or part-time information security staff.
 
Conclusion
 
The HHS cybersecurity task force emphasizes that “for the health care industry, cybersecurity issues are, at their heart, patient safety issues ….”[16] To keep your patients safe, you must secure the information that IoT devices generate and use for patient treatment, and the devices that handle it.
 
----------------------------------------------------------------------
John Gilligan is a partner at Ice Miller LLP where he focuses his practice on resolving or trying difficult business disputes often involving financial services companies or governmental entities. With forty years of trial experience, he has tried more than 70 cases to decision, the majority by jury verdict, in federal and state courts, the Ohio Court of Claims and to arbitration panels. He can be reached at john.gilligan@icemiller.com or 614-462-2221.
 
Kim Metzger is a partner in Ice Miller LLP's Litigation Group, concentrating her practice in drug and device litigation and data security and privacy, particularly HIPAA privacy compliance. She is a Certified Information Privacy Professional/US, Certified Information Privacy Manager, and Fellow of Information Privacy with the International Association of Privacy Professionals (IAPP). She may be reached at kimberly.metzger@icemiller.com or 317-236-2296.
 
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
 


[1] The FTC estimates there are currently more connected devices than people, and by 2020, there may be as many as 50 billion devices in use worldwide – by some estimates, nearly one for every two persons who have ever lived.
[2] For example: FDA Guidance for Industry, FDA Reviewers and Compliance on Off-The-Shelf Software Use in Medical Devices (2009); IEC Technical Specification 62443-1-1 Ed. 1.0 2009-07 – Industrial communication networks – Network and system security – Part 1-1: Terminology, concepts and models (2009); IEC Technical Report 62443-3-1 Ed. 1.0 2009-07 – Industrial communication networks – Network and system security – Part 3-1: Security technologies for industrial automation and control systems (2009); IEC International Standard 62443-2-1 Ed. 1.0 2010-11 – Industrial communication networks – Network and system security – Part 2-1: Establishing an industrial automation and control system security program (2010); IEC/TR 80001-2-2:2012: Application of risk management for IT networks incorporating medical devices – Part 2-2: Guidance for the communication of medical device security needs, risks, and controls (2012); FDA Guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (2014); AUTO11-A2 – IT Security of In Vitro Diagnostic Instruments and Software Systems; Approved Standard (2014); AAMI TIR57: Principles for medical device security – Risk management (2015); FDA Guidance, Postmarket Management of Cybersecurity in Medical Devices (2016).
[3] Hewlett Packard Enterprise, The Internet of Things: Today and Tomorrow. Aruba queried 3,100 IT and business decision-makers across 20 countries to “evaluate the current state of IoT and its impact across different industries.”
[4] Id.
[5] HHS Health Care Industry Cybersecurity Task Force (June 2017): Report on Improving Cybersecurity In the Health Care Industry (“HHS Report”), p.1, Figure 1.
[6] Id.
[7] The federal government introduced the meaningful use program in 2009 as part of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Under HITECH, healthcare providers receive incentives for showing “meaningful use” of a certified electronic health record (“EHR”).
[8] Id.
[9] Id.
[10] Id. at p. 1.
[11] 45 C.F.R. § 164.306(b)(2).
[12] U.S. Food & Drug Administration, Center for Devices and Radiological Health (2016). Guidance for Industry: Postmarket Management of Cybersecurity in Medical Devices, p. 9.
[13] Id. p. 22.
[14] Id.
[15] Id. p. 40.
[16] Id. p. iii.
