Medical devices are becoming increasingly popular as people adopt new technology into their lives. However, with this increase in usage comes an increased risk of cyber-attacks. Unfortunately, these devices are especially vulnerable to attackers because many ship with few security features and weak protocols. This leaves patient data open to theft and exploitation. And not only is the patient’s data at risk; the patient’s health is also at risk.
The Health Insurance Portability and Accountability Act (HIPAA) was created to help protect patient data. The HIPAA privacy rule, which governs how medical professionals may store and handle protected health information (PHI), also applies to healthcare devices. However, most organizations need to do more to improve security.
What are Medical Devices?
For a product to be defined as an FDA-regulated medical device, it must meet the definition in Section 201(h) of the Food, Drug, and Cosmetic Act, which states that a medical device is “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or another similar or related article, including any component, part, or accessory, which is (A) recognized in the official National Formulary, or the United States Pharmacopeia, or any supplement to them, (B) intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or (C) intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of its primary intended purposes.”
Therefore, to determine whether your device qualifies as a medical device, you must first describe its intended use and its indications for medical purposes. Further information can be found on the FDA website.
The FDA then classifies products into classes that each carry specific regulatory requirements. For example, class I and class II devices are low risk and do not require marketing approval from the FDA, while class III (high-risk) medical devices do.
What Medical Devices Are Regulated by HIPAA?
The HIPAA privacy rule regulates the use and disclosure of PHI by covered entities, defined as health plans, healthcare clearinghouses, and healthcare providers. The rule applies to all “protected health information” (PHI), which relates to an individual’s physical or mental health, including demographic information.
PHI can be in the form of electronic protected health information (ePHI) or paper records. ePHI is any PHI created, received, maintained, or transmitted in electronic format. So, if your medical device creates, receives, maintains, or transmits PHI in electronic form, it is subject to HIPAA.
How Can Medical Devices Be Hacked?
There are several ways this can happen:
The most common way a device is hacked is through its wireless connections. The attacker finds a way to reach the device remotely, often by exploiting known security vulnerabilities. Once they have gained control of the device, they can do whatever they want with it, including stealing data or altering its function.
Another common way is through malware. Malware is software designed to damage or disable computers and computer networks. Attackers often use malware to gain remote control of a medical device. Malware is also the most prevalent method that cybercriminals use to compromise healthcare organizations.
Social engineering is a technique in which the attacker uses deception to get the victim to divulge sensitive information and credentials. This can be done by pretending to be someone they are not, or by tricking the victim into clicking a malicious link or opening an infected file. Once the victim does so, they expose their credentials or other sensitive data. According to IBM Security, 20% of breaches are caused by compromised credentials, with each breach costing organizations an average of $4.37 million.
Attackers have used a combination of the techniques above to steal or compromise about 45 million medical records, affecting between 500,000 and 1,000,000 Americans.
How to Protect Medical Devices
There are several things you can do to protect a medical device from being hacked and, in the process, comply with HIPAA:
- Update firmware and software regularly: Firmware and software updates should be one of the top priorities for any organization. It is essential to install these updates as soon as they become available, because they fix known security vulnerabilities.
- Use strong passwords: A medical device should be password protected with strong passwords that are changed regularly, and any default credentials should be replaced before the device goes into service.
- Limit access to authorized users only: To limit access, place your devices on a separate network and restrict access to authorized users only.
- Install security patches as soon as they become available: Security patches should be installed as soon as they are released, since they fix known security vulnerabilities that compromise software functions.
- Use firewalls and antivirus applications: Firewalls and antivirus software should be used to help protect against malware.
- Ensure devices are properly encrypted: Encrypt the data a device stores and transmits so that it remains protected if the device is ever lost or stolen.
- Monitor activity on your network: It is also important to monitor activity on your network for any suspicious behavior. This helps you detect an intrusion early and stop it before it becomes a breach.
Devices are vulnerable to attackers and can be exploited to steal data or alter their function. However, following the tips above can help protect your devices and keep you compliant with HIPAA regulations. We also recommend using HIPAA-compliant data storage, backup and recovery, and encrypted file-sharing solutions to avoid legal trouble that could result in costly fines and reputational damage.