Are Medical Devices Sitting Ducks For Hackers? Here’s What You Need To Know

Posted on Apr 8 2016 - 8:12am by Editorial Staff

At this point, computer users who swear off antivirus systems might as well be asking to get hacked. Retailers that don’t invest in enterprise-grade transaction security are virtual sitting ducks. And banks that fail to secure their most sensitive online assets flirt with criminal negligence.

But what about medical device manufacturers that make life-saving and life-improving products for implantation in the human body? Or diagnostic equipment makers that develop cutting-edge technologies capable of peering through our flesh and spotting previously undetectable anomalies? Or the hospital systems that collect, store and use intimate data from thousands — millions — of patients? These organizations do painstaking, critical work that quite literally holds lives in the balance.

According to the BBC, nefarious hackers are putting those lives at risk. They’re also exposing a major data security shortcoming that could have long-lasting implications. Here’s a look at the potential scope of the problem — and what healthcare consumers (like you!) can do about it.

Many Machines & Devices Have a Presence on the Public Internet

According to healthcare attorney David DelCollo, this has potentially huge implications for patient privacy and data security. Before you agree to any procedure or test, ask your provider whether the required equipment is web-connected. If so, confirm that they take all reasonable precautions to protect it from hackers.

Malware Can Be Used to Devastating Effect

Stuxnet was an ingenious malware program developed by the U.S. and Israeli governments a few years back. Its sole purpose: to infect and sabotage Iranian nuclear centrifuges so that they couldn’t be used to make material for nuclear bombs. Stuxnet did its job exceedingly well, accelerating thousands of spinning centrifuges out of control and crippling Iran’s nuclear program. Now imagine that same power in an X-ray machine, surgical instrument, or implanted medical device. The consequences are almost too grim to contemplate.

Data Security for Health Records Is Uneven at Best

Most large and midsize healthcare systems, and growing numbers of smaller systems and private practices, use electronic health records (EHRs) to collect, store and utilize patient information. EHRs come with varying layers of security, which practices and health systems can strengthen substantially through direct action.

Unfortunately, as the U.S. government’s health IT authority notes, providers themselves are responsible for data security. Many lack the will or resources to handle these matters internally. That’s a major worry for patients, who simply can’t know for sure what their providers are or aren’t doing to keep their information safe. Before you come on board with a new provider, demand transparency and accountability around data security.

It’s Not Quite Time to Panic

Time for a deep breath. The scope of the medical ecosystem’s vulnerability is potentially vast, but it’s not yet time to panic. White hat hackers are working tirelessly to uncover and board up the unguarded back doors into medical devices and equipment. The MRI machine vulnerability reported by the BBC was itself detected by white hats and presented at DerbyCon, a conference devoted to security hacking.

As a consumer, the most important step you can take to lessen the risk of medical hacking is to encourage your providers to hew to all relevant best practices around data and device security, regardless of the upfront cost — and refuse to do business with providers that aren’t transparent on this front.

About the Author

Editorial Staff at I2Mag is a team of subject experts.