The challenges of securing medical devices from cyberattacks are increasing as more and more devices connect to the internet for data transfer and system updates. Sending and updating information directly from your CPAP machine or insulin pump, for example, to healthcare professionals improves patient care, but it also presents a risk that the devices and data can be compromised.
In 2019, the U.S. Food and Drug Administration (FDA) warned that some insulin pumps made by Medtronic MiniMed may be at risk for a cybersecurity breach. In response, Medtronic recalled the affected Minipumps and provided patients with alternative pumps.
As the healthcare industry introduces more IoT devices and wearables for the sake of improved patient care, there is also a clear downside to the trend. These same medical devices can pose a serious threat to patients and providers. Device vulnerabilities can lead to security breaches that could potentially impact the safety and effectiveness of the device. If that weren’t risk enough on its own, the high value of healthcare data rapidly increases the likelihood of a breach.
Healthcare organizations and patients must weigh the risks and rewards of relying on medical devices the same way they already consider the pros and cons of their other network-connected devices. Laptops, tablets and phones are critically important pieces of technology, delivering cutting-edge patient care as well as organizational efficiency. For large hospitals, small doctors’ offices and every healthcare provider in between, mobile medical technology is how modern patient care is delivered. And it makes a real, positive difference in people’s lives.
But securing patient data — including personal information, payment details, health histories and more — on vulnerable endpoints is a real problem for the industry. In 2019, there were 572 healthcare data breaches of 500 or more records, up more than 48 percent from 2018, with an impact on more than 40 million people.
Government regulations that oversee the protection of personal information — including HIPAA in the U.S. and a host of others — are trying to keep up with breach investigations.
Large fines are doled out when there are compliance failures, and the pilfering by hackers continues at a relentless clip. At the same time, security spending is also on the rise, as organizations scramble to fend off attackers. So where is the gap? If security spending is up, why isn’t hacking down?
Because security spending alone isn’t enough. You have to have the right systems to solve the right problems and those systems must be in working order at all times.
A strong security posture must start with unparalleled visibility — because you can’t secure what you can’t see. This is the approach Allina Health, the major healthcare provider for the state of Minnesota, took when they implemented Absolute across their fleet of more than 10,000 devices.
Now Allina Health can see all of their devices, whether they are on the network or not, identify devices that are missing or not being used, and prove security controls (patch management, antivirus and encryption) are in place. Additionally, Allina Health has been able to save over one million dollars by identifying underutilized assets, prove compliance with HIPAA by validating that encryption is in place on all devices, at all times, and achieve 95 percent laptop auditing accuracy.
“I sleep better at night knowing that if a device goes missing, we have the tools and services that Absolute provides to track it down…and validate that encryption was in place [when the incident occurred],” said Danielle Bong, IT Asset Manager, Allina Health.
Healthcare endpoints are key to providing better patient care and improving organizational efficiency – security improvements must be made for the benefit of everyone but the hackers.
To learn more about how Allina Health uses Absolute, download our case study: Allina Health Ensures HIPAA Compliance.