More and more the healthcare industry is using connected medical devices that do cool things, like creating efficiencies in the delivery of patient care and automating tasks for healthcare providers and their staff. But, what about the security of these connected devices? Has anyone thought about that? Well, Ponemon and Cynerio did a study on just that topic and the results are very concerning.
In this episode:
Are Connected Devices Secure? – Ep 377
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
The Privacy and Security Boot Camp
3.5 day In Person Event
Mar 12, 13, 14 and 15, 2023
PriSecBootCamp.com
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
PriSec Session of the Week
Daily Focus Concept
SCRiM - Mar 12, 2023, half day
Supply Chain Risk Management (SCRiM) for BAs vs CEs vs others
Vendor Selection and Vetting
Contract Management and Negotiations
HIPAA Say What!?!
[09:48] David read a question in an MSP forum where the MSP was asking for recommendations for a HIPAA compliant credit card processing company. Other MSPs jumped in with things like:
“I don’t think HIPAA applies to credit card info”
“PCI DSS is the standard for credit card processing”
“HIPAA is for PHI only; you need PCI”
Then, one smart guy tagged David in the post to get some expert clarification on the matter. Here is what David posted so that others could learn:
Payment information from a patient is actually PHI (Protected Health Information)… HOWEVER… HIPAA allows for the use and disclosure of PHI for Treatment, Payment, and Healthcare Operations. In this case, I’ll just address the payment for services portion. Although HIPAA allows for this, there are additional things that are necessary.
Minimum Necessary: A covered entity must develop policies and procedures that reasonably limit its disclosures of, and requests for, PHI for payment to the minimum necessary. A covered entity also is required to develop role-based access policies and procedures that limit which members of its workforce may have access to PHI for payments, based on those who need access to the information to do their jobs.
Notice of Privacy Practices: Any use or disclosure of PHI for payments must be consistent with the covered entity’s notice of privacy practices. A covered entity is required to provide the individual with adequate notice of its privacy practices, including the uses or disclosures the covered entity may make of the individual’s information and the individual’s rights with respect to that information.
I should just put this out there too… Nearly every scenario where HIPAA is concerned is a fact-specific determination. Meaning… My answer is based on the little bit of info in the OP. There are more questions I would have to have answered if I were consulting with the client. The actual answer, with all the pertinent information, could change slightly.
405(d) Tip of the Week
[07:05] Today’s entire episode is about one of the Top 5 threats in healthcare and a focus of HICP. We want to remind you that the 405(d) website has resources that you can use to educate yourself and your team about attacks on connected devices and how implementing HICP can help mitigate these risks.
Attacks on Connected Medical Devices – 405(d) Five Threat Series PDF
Put Patients First: Protect Connected Medical Devices – Poster
Cyber Incident Reporting… Act
[19:05] CISA Requests Public Comment on Implementing Regulations for the Cyber Incident Reporting for Critical Infrastructure Act | Inside Privacy
- A 24-hour requirement to report any ransomware payments to CISA; and
- A 72-hour requirement to report all covered cyber incidents to CISA.
Are Connected Devices Secure?
[22:21] The Ponemon Institute teamed up with Cynerio to examine the impacts cyberattacks have on connected devices in healthcare. We thought it was a great idea because “attacks on medical devices” is one of the top five threats in healthcare. The report provided very concerning information.
The Insecurity of Connected Devices in Healthcare 2022
The very first point the report makes is that frequent attacks, combined with a lack of accountability, notably impact patient care. That’s something we’ve stressed time and time again. It’s about patient care.
They point out that it’s like flipping a coin and they stress that things cannot continue down this path. Patient care is significantly impacted by these cyber attacks and it’s not going to get better. There are new technologies and best practices out there now that can help organizations reduce the risks IoT devices pose to networks.
[29:02] We’ve all heard the horror stories of how a hacker takes over an insulin pump and delivers too much or too little to a patient, or locks down equipment in operating rooms rendering them useless, or something similar. But cyberattacks don’t just impact the IoMT (connected medical devices) themselves; they can impact the delivery of patient services and patient care. Even if you can restore data or functionality to a device, it matters how long it takes you to do so. That impacts patient care as well and can lead to increases in mortality rates.
The stark difference between healthcare and other entities is that in most industries the true impact of cyberattacks is financial. It’s a dollar amount. But in healthcare, it’s measured by changes to mortality rates, complications, and quality of life.
[37:36] IoT devices create new challenges that we’ve never had to deal with before. Yes, they typically deliver new cool features and make tasks more efficient or automated, but security can NOT be the last thing that is thought about. These devices have to be evaluated for security risks and kept up to date on the latest firmware and software updates. That’s not always an easy task.
So, who should be responsible for evaluating and securing IoT devices? Should it be the healthcare organization, the third-party vendor, the manufacturer of the device, or someone else? The survey results from the study varied greatly and showed people pointing fingers at everyone from the CIO/CTO to the Compliance Team to the CEO to users themselves. So, everybody thinks that it’s somebody else’s problem, when it really needs to be a specific assignment that is someone’s responsibility.
If you have IoT devices, especially medical devices, on your networks, this report is worth downloading and reading. Attacks on healthcare environments are driven by opportunity and by the lack of effort put into securing networks and the devices connected to them. We have got to do better. It’s about patient care.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.