Your doctor’s office likely doesn’t have any digital security for its mammography machines, heart pumps and other devices that are vulnerable to hacking, according to a new study.
In a survey of 80 health care organizations in the U.S., the Ponemon Institute found that nearly three-quarters said they don’t secure their medical devices, even though they contain sensitive patient data. The organizations were not named.
“This finding may reflect the possibility that they believe it is the responsibility of the vendor — not the health care provider — to protect these devices,” said the report by Ponemon, an independent research organization.
The results point to a new danger to patients’ privacy at a time when medical providers are moving toward electronic records and the sharing of files on so-called health information exchanges.
The digital risks for health care firms are growing. Hacking attacks against medical providers are becoming more frequent and breaches are getting more expensive, Ponemon found. Ninety-four percent of respondents said they had at least one data breach in the past two years, up from 86 percent in 2010. Many breaches cost the organizations more than $1 million.
For the health care industry, these breaches may cost as much as $7 billion per year, according to Ponemon, which gets sponsorships for its studies from industry partners. ID Experts, a firm that sells identity-theft protection services, paid for the latest survey.
One particularly alarming incident emerged in July, when a surgical center in Illinois revealed that hackers had broken into its computer network, encrypted patients’ electronic medical records and demanded ransom.
Hackers historically haven’t had much interest in medical devices, which weren’t connected to the Internet. But the bull’s-eye has grown as some of these devices have gained the ability to transmit patient data wirelessly and to communicate with personal computers that are online.
As Bloomberg.com’s Tech Blog has reported, researchers have demonstrated scary vulnerabilities affecting insulin pumps and pacemakers, prompting the U.S. Government Accountability Office to conclude that the Food and Drug Administration needs to exercise more scrutiny over medical devices’ security, not just their safety and reliability.
The vulnerabilities could enable a hacker to scan a crowd with a handheld antenna and force pumps to dispense lethal doses of insulin. To date, the attacks have only been demonstrated in research labs.
As unsettling as the lack of security for medical devices is, there’s another way to look at the issue.
According to Ponemon, 69 percent of respondents said their data-security policies don’t cover medical devices. But that means 31 percent said their policies do cover the devices. The report doesn’t offer a year-over-year comparison, but the fact that nearly a third of organizations find the threats important enough to impose some safeguards is significant. Medical devices have not been a focus of the computer-security industry.
The statistic may still be of little comfort, but it does indicate that some health care organizations are waking up to this realization: Their medical devices are becoming just another set of computers, ready to be hacked.