Slashdot Mirror


Remote Access System Hacking Is No. 1 Patient Safety Risk (healthitsecurity.com)

Hackers attacking healthcare through remote access systems and disrupting operations is the number one patient safety risk, according to the ECRI Institute's annual Top 10 Health Technology Hazards for 2019. From a report: ECRI Institute said it published 50 cybersecurity-related alerts and problem reports in the last 18 months, a major increase over the prior period. "Remote access systems are a common target because they are, by nature, publicly accessible. Intended to meet legitimate business needs, such as allowing off-site clinicians to access clinical data or vendors to troubleshoot systems installed at the facility, remote access systems can be exploited for illegitimate purposes," the report warned.

The ECRI report [PDF] said that once hackers gain access through these systems, they can move around the network, install ransomware, steal or encrypt data, or hijack computer resources for cryptocurrency mining. "The consequences of an attack can be widespread and severe, making this a priority concern for all healthcare organizations," said ECRI Health Devices Program Executive Director David Jamison. "In critical situations, this could cause harm or death." The report recommended that healthcare organizations identify, protect, and monitor all remote access systems and points of entry, and adopt cybersecurity best practices, such as a strong password policy, maintaining and patching systems and software, and logging system access.

1 of 35 comments

  1. Re:Not listening to your IT Staff #1 Patient Risk by demonlapin · Score: 3, Interesting

    Hey, you, IT guy? I'm a doctor. Here's the other side of the same thing:

    I didn't want the hospital IT system I got. They asked me (and all the other doctors) what we wanted, then ignored our responses. I went to administration to tell them that I wanted to be part of every committee that had something to do with the EMR purchase and deployment (however bad I may be, I can guarantee you I'm better than almost anyone else you'll get), and got ignored. So... nobody cares what the people who use the thing on a daily basis think? Not a good starting point.

    Multi-factor ID: not really a major issue when, say, I'm at home and want to log in to do a bit of work; that's pretty straightforward. But here's the thing about the ten-minute lockout and twenty-second login process: I don't have a desk at work. I migrate from place to place, and I do it a lot. Twenty seconds per login is around thirty minutes of my day, on average. If you can't come up with a faster, better solution that allows me to do my work, the problem isn't with me - it's with your solution. And I'm somewhat unusual among doctors, because I only work at one hospital - many have to memorize information at three or four different hospitals, all with different criteria on what qualifies as an adequate password and different time frames for changing them.

    Forced encryption on devices: nothing is stored on my device, so it doesn't need encryption except for during transmission of information. I've seen this play out in very negative ways, because "forced encryption" is generally a synonym for "managed by IT" - which means that the power-mad person in charge of IT is watching what I do with my iPad when I'm at home. My tastes are pretty vanilla, but if you want to monitor everything I do with my devices and read all my email, then (at a bare minimum) you can pay for dedicated devices, ISP, and home office to put them in, and you can give me a work email address for hospital business - I'm not an employee of the hospital, so I don't have one currently.

    I don't hate IT people. You do a difficult and largely thankless job. But from the user's perspective, we have a lot of "tr0ub4dor&3" vs "correct horse battery staple" problems. My current work password is really simple - about as simple as one can be if you have to have a capital letter, a lowercase letter, and numbers, with a minimum length of eight characters, changed every three months, with no recycling of the past nine passwords. I've got a good password for my important personal things. It is not going to show up in a dictionary attack, I won't forget it, and even if you know me really well, it's not an easy guess - but I don't have ten passwords like that.