We’ve never had more information about our health stored electronically than we do today, and the quantity being generated is steadily increasing. Wearables track our every step and heartbeat, test results can be viewed online, hospitals are using more IoT devices to help with our care – the list goes on. Protecting that data has been a struggle for some time.
The United States passed legislation called HIPAA in 1996 to help keep medical information private. In 2016, a string of ransomware attacks across the United States and Canada frequently made the news for locking down hospital systems and patient data.
Between the data generated within medical institutions and the data we generate on our own through medical devices, apps and at-home test kits, there’s no shortage of privacy and security challenges. This is reflected in the statistics: a popular paper from IEEE Access cites several reports, one of which found that 40% of the 43 health and fitness apps it inspected “imply high risk” to users’ privacy. Another found that of 24,000 health-related apps for iOS and Android, “95.63% of the apps pose at least some potential damage through information security and privacy infringement.” For hospitals, the threat surface is varied and hard to manage.
According to Kayne McGladrey, IEEE Member and Director of Security and Information Technology at Pensar Development, “Medical institutions are deploying an increasing array of IoT devices from a variety of vendors. This is not always by choice of the medical institution; rather, as vendors have connected all of their products to the Internet, it forces buyers to adopt heterogeneous IoT technologies.”
Features that are meant to make life easier can also contribute to the issue. Karen Panetta, IEEE Fellow and Dean of Graduate Education, Tufts University, says “Third-party modules, add-ons, guest accounts and remote accessibility continue to be the access points of choice for these attacks.”
A main reason ransomware attacks have continued is that they’re still profitable. It’s easy to get hung up on the injustice – after all, incapacitating a hospital’s computer system when people are receiving life-saving treatment isn’t easy to stomach. But hospitals often pay the asking price that the hackers set. Why? McGladrey’s answer is simple: “The costs associated with paying a ransom in these environments would be considerably lower than the litigation and fines if people were to be harmed by the lack of availability or the destruction of medical data.”