5 ways to close common medical device vulnerabilities
The U.S. Department of Veterans Affairs is no stranger to cyberattacks. In March, roughly 1.2 billion cyberattacks targeted the VA network, CIO Stephen Warren said at the Medical Informatics World conference in Boston. That's a sharp increase from 330 million attacks in November.
Amid all that activity, the VA saw a sharp drop in protected health information breaches in March, with 383 veterans the victim of a PHI breach in March compared to 891 in February, FierceHealthIT previously reported.
Admittedly, the VA benefits from a level of security that not all healthcare organizations have--namely, the Department of Homeland Security's control points, known as Trusted Internet Connections, as well as advanced security measures that even Warren doesn't know about.
That said, the VA has taken several steps to shore up security in a common point of vulnerability: Medical devices. With criminal attacks now the leading cause of healthcare data breaches, according to a recent Ponemon Institute report, organizations would be wise to address five key threats posed by medical devices.
Windows XP: Microsoft stopped supporting this operating system more than a year ago. Connect a device running XP to the Internet and it will be compromised within seven seconds, Warren said. Keep these devices offline.
Irreplaceability: Those devices running Windows XP remain in use because organizations believe they are too costly to replace. But the cost to mitigate a data breach can exceed $2 million, according to Ponemon, and Anthem faces damage control costs in excess of $100 million following its February cyberattack. The VA replaces medical devices regularly--as of March 5, only two devices across the 152 medical centers in the entire VA system represented a liability, Warren said.
No antivirus or antispyware software: Push the market to change this, Warren said. If you plan to replace devices regularly, it's in a manufacturer's best interest to protect those devices better. If you still have devices without software to detect vulnerabilities, meanwhile, make sure clinical staff know why these devices pose such a threat, he said.
No software updates: The VA pushes patches to its devices "multiple times a day" to ensure they remain protected against the latest threats, Warren said. Again, if devices cannot be updated regularly, they should remain offline.
Email access: Even with all of the above protections in place, medical devices remain vulnerable if people use them to check personal email--which they will do if administrative restrictions forbid them from doing so on any other computers in the building, Warren said. Give clinical staff as well as device repair contractors a place to check email, and take that opportunity to shore up email security.
Most health data breaches caused by criminal attacks
VA sees sharp drop in PHI breaches in March
Lack of resources the biggest hurdle for healthcare organizations in defending cyberattacks
Healthcare industry 'behind by a country mile' in email security