Slashdot Mirror


Remote Access System Hacking Is No. 1 Patient Safety Risk (healthitsecurity.com)

Hackers attacking healthcare through remote access systems and disrupting operations is the number one patient safety risk, according to the ECRI Institute's annual Top 10 Health Technology Hazards for 2019. From a report: ECRI Institute said it published 50 cybersecurity-related alerts and problem reports in the last 18 months, a major increase over the prior period. "Remote access systems are a common target because they are, by nature, publicly accessible. Intended to meet legitimate business needs, such as allowing off-site clinicians to access clinical data or vendors to troubleshoot systems installed at the facility, remote access systems can be exploited for illegitimate purposes," the report warned.

The ECRI report [PDF] said that once hackers gain access through these systems, they can move around the network, install ransomware, steal or encrypt data, or hijack computer resources for cryptocurrency mining. "The consequences of an attack can be widespread and severe, making this a priority concern for all healthcare organizations," said ECRI Health Devices Program Executive Director David Jamison. "In critical situations, this could cause harm or death." The report recommended that healthcare organizations identify, protect, and monitor all remote access systems and points of entry, and adopt cybersecurity best practices, such as a strong password policy, maintaining and patching systems and software, and logging system access.
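ECRI's advice to identify, monitor and log every remote access point is where the engineering work actually sits, so here is a small added example of what that monitoring can look like. It is not code from ECRI or from the report: the log format, the failure threshold, the ten-minute window and the vendor allowlist are constructed assumptions, and the sample lines are made up to show a password spray against a VPN account that eventually succeeds, plus a vendor support account connecting from outside its agreed network.

```python
"""Detection pass over remote-access gateway logs (added example).

Constructed log format, one event per line:
    <ISO-8601 time> <OK|FAIL> user=<name> src=<ipv4> svc=<vpn|rdp>
Real VPN concentrators, RD Gateways and SSH bastions each log differently;
swap the parser, keep the rules.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) svc=(?P<svc>\S+)$"
)

# Constructed sample: five failures against one account from one source,
# then a success from that source, then a vendor account from the wrong network.
SAMPLE_LOG = """\
2019-01-10T02:00:01 FAIL user=jsmith src=203.0.113.7 svc=vpn
2019-01-10T02:00:03 FAIL user=jsmith src=203.0.113.7 svc=vpn
2019-01-10T02:00:05 FAIL user=jsmith src=203.0.113.7 svc=vpn
2019-01-10T02:00:07 FAIL user=jsmith src=203.0.113.7 svc=vpn
2019-01-10T02:00:09 FAIL user=jsmith src=203.0.113.7 svc=vpn
2019-01-10T02:00:12 OK user=jsmith src=203.0.113.7 svc=vpn
2019-01-10T02:05:00 OK user=vendor-svc src=203.0.113.50 svc=rdp
2019-01-10T08:30:00 OK user=dr.jones src=192.0.2.10 svc=vpn
2019-01-10T09:00:00 OK user=vendor-svc src=198.51.100.20 svc=rdp
"""

# Assumed: the support network each vendor account is contractually allowed to use.
VENDOR_NETWORKS = {"vendor-svc": [ipaddress.ip_network("198.51.100.0/24")]}

FAIL_THRESHOLD = 5              # failures per source within WINDOW
WINDOW = timedelta(minutes=10)


def parse(line):
    """Return the event as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def analyze(lines):
    """Return (rule, detail) findings in the order they fire."""
    findings = []
    recent_fails = defaultdict(deque)   # src -> timestamps of recent failures
    already_flagged = set()             # sources already reported for brute force

    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        fails = recent_fails[src]
        while fails and ts - fails[0] > WINDOW:     # slide the window forward
            fails.popleft()

        if ev["result"] == "FAIL":
            fails.append(ts)
            if len(fails) >= FAIL_THRESHOLD and src not in already_flagged:
                already_flagged.add(src)
                findings.append(("brute_force",
                                 f"{src}: {len(fails)} failures in {WINDOW}"))
            continue

        # A success right after a burst of failures is the event worth paging on:
        # the spray may have landed on a weak password.
        if len(fails) >= FAIL_THRESHOLD:
            findings.append(("success_after_failures",
                             f"{src} user={ev['user']} svc={ev['svc']}"))

        # Vendor accounts are expected only from their agreed networks.
        allowed = VENDOR_NETWORKS.get(ev["user"])
        if allowed is not None:
            ip = ipaddress.ip_address(src)
            if not any(ip in net for net in allowed):
                findings.append(("vendor_unexpected_source",
                                 f"user={ev['user']} src={src}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{rule:25} {detail}")
```

Run against the sample it reports three findings: the spray, the login that follows it, and the vendor account from 203.0.113.50. The refinement that matters in a real deployment is to feed every gateway (VPN, RD Gateway, bastion, vendor modem) into the same pass, so a spray spread across services from one source still crosses the threshold, and to keep the vendor rule independent of the failure counters.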

7 of 35 comments

  1. Really? by bobstreo · · Score: 2

    I always thought it was the antibiotic resistant bacteria, incompetent doctors, and greedy hospital boards and administrators.

    Shouldn't all the access issues be covered under existing acts like HIPAA?

    Two Factor Authentication should be the minimum requirement for remote access to anything in a hospital or within a patient...

    1. Re:Really? by Kjella · · Score: 2

      I always thought it was the antibiotic resistant bacteria, incompetent doctors, and greedy hospital boards and administrators.

      It still is:

      Top 10 Health Technology Hazards for 2019

      Not that much left if you exclude people and processes...

      --
      Live today, because you never know what tomorrow brings
  2. BSOD in the Emergency Room by Seven+Spirals · · Score: 3, Insightful

    One time I took a friend to the ER and she wasn't injured and couldn't really represent herself. The nurse who was going to check us in couldn't get the job done because her tablet kept getting a BSOD. All IT systems can go down, but goddamn, wouldn't you think that having Windows in the ER would be beyond "asking for it"? I'm not the biggest fan of AIX, but at least the other ER I took her to could check her in, they used an AIX based patient system. Unbelievable. I bet they have insecure-as-hell Android and iOS systems handling patient records, too. What's the advantage of that? Nurses can take selfies while the system is down (or being spied on by Russians and Chinese)?

  3. Insulin pumps scare the hell out of me by greenwow · · Score: 2

    A coworker's daughter has one, and the software has locked up several times requiring her to remove the battery to get it working again. It's also required several software updates. If it failed and provided too much insulin, it could easily kill her.

  4. Re:Not listening to your IT Staff #1 Patient Risk by jbmartin6 · · Score: 2

    So true, I once worked for a hospital with no 2F on the remote access system, and the head of the ER department used his last name as his password, and refused to change it.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  5. Re:Not listening to your IT Staff #1 Patient Risk by demonlapin · · Score: 3, Interesting

    Hey, you, IT guy? I'm a doctor. Here's the other side of the same thing:

    I didn't want the hospital IT system I got. They asked me (and all the other doctors) what we wanted, then ignored our responses. I went to administration to tell them that I wanted to be part of every committee that had something to do with the EMR purchase and deployment (however bad I may be, I can guarantee you I'm better than almost anyone else you'll get), and got ignored. So... nobody cares what the people who use the thing on a daily basis think? Not a good starting point.

    Multi-factor ID: not really a major issue when, say, I'm at home and want to log in to do a bit of work; that's pretty straightforward. But here's the thing about the ten-minute lockout and twenty-second login process: I don't have a desk at work. I migrate from place to place, and I do it a lot. Twenty seconds per login is around thirty minutes of my day, on average. If you can't come up with a faster, better solution that allows me to do my work, the problem isn't with me - it's with your solution. And I'm somewhat unusual among doctors, because I only work at one hospital - many have to memorize information at three or four different hospitals, all with different criteria on what qualifies as an adequate password and different time frames for changing them.

    Forced encryption on devices: nothing is stored on my device, so it doesn't need encryption except for during transmission of information. I've seen this play out in very negative ways, because "forced encryption" is generally a synonym for "managed by IT" - which means that the power-mad person in charge of IT is watching what I do with my iPad when I'm at home. My tastes are pretty vanilla, but if you want to monitor everything I do with my devices and read all my email, then (at a bare minimum) you can pay for dedicated devices, ISP, and home office to put them in, and you can give me a work email address for hospital business - I'm not an employee of the hospital, so I don't have one currently.

    I don't hate IT people. You do a difficult and largely thankless job. But from the user's perspective, we have a lot of "tr0ub4dor&3" vs "correct horse battery staple" problems. My current work password is really simple - about as simple as one can be if you have to have a capital letter, a lowercase letter, and numbers, with a minimum length of eight characters, changed every three months, with no recycling of the past nine passwords. I've got a good password for my important personal things. It is not going to show up in a dictionary attack, I won't forget it, and even if you know me really well, it's not an easy guess - but I don't have ten passwords like that.
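The policy described in the comment above (a capital, a lowercase, a digit, at least eight characters) and the "tr0ub4dor&3" versus "correct horse battery staple" comparison it cites can be put side by side in code. The block below is an added example, not code from the thread, from ECRI or from any hospital's policy engine: the word list is a constructed stand-in for the multi-million-entry lists crackers actually use, the substitution table is an assumption, and the complexity rule is simply the one the comment quotes. It shows that a password which passes the rule and looks like 70-odd bits to a naive charset calculation is one dictionary word plus two cheap mangling rules, while a four-word passphrase drawn from a 2048-word list fails the rule yet carries 44 bits the rules cannot reach.

```python
"""Password policy vs. a cracker's view of the same passwords (added example).

The complexity check is the rule quoted in the thread. The cracker's view
reverses the common substitutions, strips the trailing symbol/digit, and
looks the result up in a word list.
"""
import itertools
import math
import string

# Constructed stand-in for the multi-million-entry lists crackers actually use.
WORDLIST = {"troubador", "password", "hospital", "welcome",
            "doctor", "nurse", "summer", "qwerty"}

# Assumed substitution table: the usual l33t mappings. "1" is ambiguous (i or l).
LEET = {"0": "o", "4": "a", "3": "e", "1": "il", "$": "s", "@": "a",
        "7": "t", "5": "s"}


def passes_policy(pw):
    """The rule quoted in the thread: upper, lower, digit, at least eight characters."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def naive_bits(pw):
    """What a policy engine tends to assume: log2(charset ** length).

    This overstates strength for any password built from a word, because the
    attacker does not search the charset uniformly; it is here for contrast.
    """
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(c in string.punctuation for c in pw):
        charset += len(string.punctuation)
    return len(pw) * math.log2(charset) if charset else 0.0


def demangle_candidates(pw):
    """Undo the cheap tricks: lowercase, drop trailing digits/symbols, reverse l33t.

    Each position keeps its literal character plus any letter it commonly stands
    for; the candidate set is the product over positions (small for real passwords).
    """
    base = pw.lower().rstrip(string.digits + string.punctuation)
    options = [sorted(set(ch + LEET.get(ch, ""))) for ch in base]
    return {"".join(combo) for combo in itertools.product(*options)}


def cracked_by_rules(pw, wordlist=WORDLIST):
    """True if one word from the list plus the rules above produces this password."""
    return any(candidate in wordlist for candidate in demangle_candidates(pw))


def passphrase_bits(n_words, dict_size):
    """Entropy of n words drawn uniformly at random from a dictionary of dict_size."""
    return n_words * math.log2(dict_size)


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "P@ssw0rd1!", "correct horse battery staple"):
        print(f"{pw!r}: policy={passes_policy(pw)} "
              f"naive={naive_bits(pw):.0f} bits cracked_by_rules={cracked_by_rules(pw)}")
    print(f"4 random words from 2048: {passphrase_bits(4, 2048):.0f} bits")
```

The 44-bit figure is the xkcd one (four words at 11 bits each) and holds only if the words are actually chosen at random from the list, not composed by the user. The practical reading for the thread's situation is that the complexity rule admits the weak passwords and rejects the strong one, which is why the weight has to sit on the second factor and on lockout/monitoring at the remote access gateway rather than on the composition rule.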

  6. Re:Keep critical systems offline by demonlapin · · Score: 2

    Well, here's the thing: a lot of "hackable" stuff consists of things like pacemakers, that really have almost no security in place at all - they just rely on the fact that they have failsafe modes (and they do), and on the fact that very few people have a pacemaker interrogator handy.

    Aside from that, medical records have to be remotely accessible if there is to be any point in having an EMR - paper charts had their downsides, but physical security against outside attacks was pretty good, and you certainly couldn't do a mass-scale info swipe. My wife and I are both doctors, and she regularly does work while we're on vacations. She's looking up records, reading notes, interpreting labs... sure, you could lock her out, but you will kill most of the value of EMR when you do so. You'll also be requiring most doctors to drive in every time they get a phone call from the ER - which is not going to be a popular move.