Healthcare providers face stringent regulations when it comes to protecting patient information. They’re obligated to safeguard E-PHI (electronic protected health information), patient identity, and payment methods, all while remaining compliant with federal regulations:
- Health Insurance Portability and Accountability Act (HIPAA)
- HIPAA Security Rule
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Sarbanes-Oxley Act
- Gramm-Leach-Bliley Act
- FACTA Disposal Rule
- Patriot Act of 2002
- PCI Data Security Standard
- Identity Theft and Assumption Deterrence Act
Ever-changing technology and devices that transmit E-PHI over networks make protecting patient information a topic that healthcare providers must stay on top of. Few healthcare organizations or medical facilities specialize in data destruction and IT recycling. After all, the doctors, nurses, and staff already have a lot on their plates, and worrying about what to do with old laptops, x-ray machines, hard drives and other medical equipment isn’t top of mind.
Healthcare Devices at Risk
The push toward modernization and the related need to automate tasks as medical facilities operate with fewer staff has led to a dramatic increase in the number of devices that can be connected and centrally controlled.
This prompted researchers to look at the growth of tech in hospitals and attempt to identify what equipment and connections posed a risk and would be possible targets for hackers:
- Pacemakers and other devices inside of people
- Computers used to create electronic medical records (EMRs)
- Servers that store E-PHI, EMRs, and payment information
- Defibrillators (including those implanted in people) that are Bluetooth enabled
- X-ray machines, where an attacker could both block their use and break into the system to copy images to the attacker’s own network
- Temperature settings for connected coolers and refrigerators that hold blood, organs, medicine, and other materials, where an attacker could take over the controls used to monitor temperature and make adjustments when the unit becomes too hot or cold
- CT scan machines, where radiation exposure limits could be adjusted
- MRI and other machines that rely on operators located in separate rooms or facilities for controls, settings, results recordings, and maintenance.
The list of hackable devices even includes those in-room screens and devices designed specifically to track who you are and what your medicine needs are. A simple hack can reset these back to square one, or create changes in your chart that would cause the wrong medicine to be administered.
Essentially, almost any connected device in your local hospital, medical facility, and healthcare organization is vulnerable.
Can Risks Be Stopped?
Thankfully, the FDA has taken some steps to limit risks. Part of the FDA’s work has included guidelines to ensure devices are patchable when a vulnerability is found.
The FDA also notes that devices can be updated with cybersecurity information and protections without having to go through recertification, making devices easier to secure for manufacturers and hospitals.
As recent ransomware attacks have shown, another way to minimize risk is to update systems as soon as an update is available. Hundreds of thousands, if not millions, of dollars could be protected each year in the U.S. alone if system administrators at hospitals, corporations, and small businesses applied patches as soon as they were released.
Here at Securis, we focus on protecting patient information, passwords, and other sensitive data left in computers and other medical equipment.
Simply throwing out an old PC, copier, smartphone, or hard drive can put you at significant risk because you can’t be sure that data lurking on these devices has been cleansed.
We tout the thorough shredding and destruction of these devices because it is a simple and effective way to prevent information from getting into the wrong hands. And, in the cases of healthcare facilities and hospitals, it helps you adhere to local and federal regulatory requirements protecting patient information.
It’s how we can do our part, and we welcome a conversation with you about how you can do your part to protect your organization, customers, and even the environment.