The health care profession has undergone massive digitization in recent years with the emergence of interconnected medical devices and the broader exchange of health care information.

In less than a decade, nearly all hospitals and physician offices have adopted electronic health record (EHR) systems. While long-term and post-acute care (LT/PAC) adoption of EHRs still lags behind other settings, referring and treating providers, pharmacy vendors, and others have helped speed up EHR adoption.

Many LT/PAC providers face unique resource challenges due in part to budget constraints, such as inadequate information technology (IT) infrastructures, staffing constraints, and various barriers across multiple facilities. Experts have found that these providers “are implementing or updating their IT systems in a gradual but haphazard manner,” according to a 2014 issue of the Journal of Health Organization and Management. This leaves the LT/PAC community particularly vulnerable to cybersecurity threats.

Protecting Against Attacks

Some of the largest and most widespread cybersecurity attacks in recent memory made headlines in 2017, and 2018 is off to a quick start. In early January, the Spectre and Meltdown vulnerabilities, which impacted nearly all computer and mobile devices, were exposed. These vulnerabilities stem from flaws in Apple and PC hardware that would allow attackers to gain access to data previously considered protected. In response, manufacturers quickly issued updates to existing software to protect against these exploits.

As the year progresses, LT/PAC providers should make cybersecurity a priority, watching out for these four threats and taking steps to protect against them.

1. Vendor Failure to Protect Data

Since the adoption and implementation of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, health care providers have been required to place some focus on third-party vendors that access or use protected health information (PHI) through the required business associate agreements. These are typically formal documents, required to be in place between providers and vendors that use or access PHI, that spell out certain obligations of the vendor related to its access and use of PHI. Yet vendor breaches remain one of the largest causes of security failures, with an estimated two-thirds of all breaches being directly or indirectly related to third-party vendors.

Vendor services are a necessary component of the health care profession. This is certainly true for the LT/PAC community, where critical areas are often handled by vendors, including pharmacy, therapy, and billing services. These vendors are almost always business associates, as that term is used under HIPAA. While many providers will have business associate agreements placing certain security requirements on such vendors, this alone is not enough. In 2016, a business associate’s failure to safeguard nursing facility residents’ data resulted in a $650,000 HIPAA settlement.

LT/PAC providers, in addition to having a compliant business associate agreement in place, should perform periodic third-party vendor assessments. These assessments should evaluate the vendor’s access to data and systems, ensuring that access is limited to only the minimum data necessary for that vendor to perform its duties, that appropriate HIPAA security standards protecting the data are implemented (such as encryption, data backups, and having a designated individual responsible for information security), and that key policies are in place and followed.

2. Interconnected Medical Devices

The potential vulnerabilities in medical devices have long been on providers’ radar. Successful hacks dating back to 2011 have affected a variety of medical devices, ranging from insulin pumps to pacemakers. LT/PAC providers frequently serve the aging population that enters their centers with such devices. Further, medical devices used in providing therapy, monitoring patients, and so on that are connected to a broader computer network may serve as easy targets for attackers seeking unauthorized access.

In 2013, the U.S. Department of Homeland Security issued a warning that 300 medical devices tested for cybersecurity vulnerabilities all failed to meet minimum standards. This warning spurred the U.S. Food and Drug Administration to issue recalls and, in 2016, to issue cybersecurity guidance for medical devices. Congress took notice, and the Medical Device Cybersecurity Act of 2017 was introduced. Although the bill failed to pass, by all indications, regulatory and legislative actions seeking to address this concern will continue in 2018.

In the meantime, medical devices remain extremely vulnerable. Other devices receive multiple and frequently automatic updates that may protect against certain security holes. Medical device manufacturers, by contrast, remain slow to update their products, and the process for implementing updates may not be user-friendly.

Further, the fact that hospitals and similar health care entities “typically have 300 to 400 percent more medical equipment than IT devices” provides more possible targets for hackers seeking access to a provider’s networks, according to the website of the Healthcare Information and Management Systems Society.