The risk of being hacked is something we all assume when we connect to the Internet, and the risk has grown considerably even in just the last few years as we fill our lives with new devices and commit more and more of our lives to a digital format. We know that without appropriate safeguards, our computers and the data on them are at risk of being compromised by cyber criminals. Data is a hot commodity, and there is no shortage of examples in the last few years of major companies, and even the federal government, being hacked, resulting in the personal information of millions of people being compromised. Our files aren’t the only targets, however. Hackers have been known to take over webcams and even baby monitors on unsecured networks. Recently, it was demonstrated that a hacker could take control of an Internet-connected vehicle. That’s a frightening prospect, but here’s one that is perhaps more frightening: a hacker commandeering a medical device you depend on to live.
This risk sounds like a plot line from a movie, but the risk is real. So much so, in fact, that the U.S. Food and Drug Administration recently released an alert to healthcare providers advising them to discontinue the use of Hospira’s Symbiq Infusion System due to cybersecurity vulnerabilities.
Infusion therapy is a form of treatment by which medications are delivered continuously into a patient’s bloodstream. The FDA warned that the system, which can connect to a provider’s network, is vulnerable to hacking, stating, “Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies."
The good news is that healthcare providers should already have the tools in place to help protect their connected medical devices and their patients, even though those tools may not currently address these types of risks. As covered entities, the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, “HIPAA”) require providers to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic health information held by the covered entity...”
Covered entities must also “review and modify the security measures implemented ... as needed to continue provision of reasonable and appropriate protection of electronic protected health information” and “perform a periodic technical and nontechnical evaluation ... in response to environmental or operational changes affecting the security of electronic protected health information."
Thus, a risk analysis is not a one-time occurrence—conducted when you set up a network and never again. Healthcare providers need to conduct an initial risk analysis and update it regularly—especially if new equipment is added to or removed from a network, the provider becomes aware of a new internal or external threat (such as the one raised by the FDA), or if the provider’s network is actually compromised. Whether or not a provider’s medical devices store protected health information, if a medical device connects to a network, a provider should consider the device as a potential conduit for an unauthorized party to gain access to the provider’s network and thus possibly the provider’s cache of electronic protected health information. Furthermore, patient safety needs to be added to the list of concerns when conducting a risk analysis.
In the event of an audit by the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”), one of the first things OCR will request from a healthcare provider is a copy of their risk analysis. A healthcare provider who suffers a data breach and hasn’t conducted an adequate risk analysis can face stiff administrative penalties. (See Data breach results in $4.8 million HIPAA settlements.) That’s just for compromising data. While we are aware of no cases in which a patient has been harmed by the hacking of a medical device, healthcare providers would be wise to keep in mind that if a patient is harmed by a hacked medical device, Exhibit A in the negligence suit against them may be that provider’s risk analysis, or lack thereof.
As the healthcare industry becomes more and more reliant on connected technology to provide care to patients, healthcare providers now need to consider carefully how such technologies might be compromised to the physical detriment of their patients.