In our connected world, if it’s technological, it’s hackable. And while not all medical devices are as mission-critical as implantable cardiac transmitters, they still need to be compliant with the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH). The FDA approval process now also covers cybersecurity. So paying attention to protected health information (PHI) isn’t optional.
Sad to say, there are criminals who put patients’ data—and therefore their lives—at risk by compromising the medical devices you sell. Over 100 major breaches were reported in 2016, and those are just the big ones. Here are some of the threats to look out for, with advice on how remote access software can foil them.
Layer 1: Physical device security
Can it be hacked? From the smallest electronic health record (EHR) database to the latest MRI scanner, any device that collects patient information needs to comply with HIPAA’s rules on patient privacy.
That matters because today a host of medical devices are connected to other equipment in ways they weren’t just a decade ago: bedside infusion pumps, defibrillators, pacemakers, patient monitors that report vital signs back to physicians, and radiation therapy machines whose dosage must stay within narrow parameters. Recently, testing found that an insulin pump used by 114,000 patients could theoretically be compromised and its dose changed by a hacker with malicious intent.
Many hospitals are using remote access software that’s already HIPAA-certified, like TeamViewer. This first layer of security is guarded by blacklisting and whitelisting: to connect to a device, the connecting machine must be explicitly approved by the systems administrator. Regardless of the hacker’s black-hat skills, if he’s not on the list, he’s not getting in.
Layer 2: Secure data connections
A hack may do nothing more than copy information — but if the information gets out, it’s a breach of patient confidentiality. For the patient it may lead to identity theft; for the device manufacturer it can mean a disastrous loss of business.
This is becoming more important with the adoption of EHR Stage 2 by six of ten hospitals, where a patient’s arrival at the emergency room generates an automatic notification to his/her physician, allowing other information, such as allergies or special conditions, to be communicated back. It’s a great initiative — but it needs a secure connection.
A remote access solution such as TeamViewer adds to its first layer of security by combining device and user IDs. Both person and device have an assigned ID — in the machine’s case, a unique fingerprint generated from the machine’s configuration — and both must be valid before the device can connect. There’s a twist: devices are assigned to specific individuals and the IDs must match. So a borrowed laptop doesn’t grant access to anyone but those associated with it — even if that user is authorized on other devices.
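The two checks described above, a deny-by-default allowlist of approved machines and a binding between each machine's fingerprint and the users permitted on it, are shown in the added example below. This is illustrative code written for this page, not TeamViewer's implementation; the configuration attributes hashed into the fingerprint, the user IDs and the machine records are all constructed, and the page does not say what a real product's fingerprint is derived from.

```python
"""Added example (not TeamViewer's code): deny-by-default device allowlist
combined with a user-to-device binding. All machine records, user IDs and
fingerprint inputs are constructed for illustration."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field


def device_fingerprint(config: dict) -> str:
    """Derive a stable fingerprint from machine configuration attributes.

    Canonical JSON (sorted keys, no whitespace) makes the hash independent of
    attribute order. The attribute names are an assumption for this example."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class AccessPolicy:
    allowlist: set[str] = field(default_factory=set)      # admin-approved fingerprints
    blocklist: set[str] = field(default_factory=set)      # explicitly denied; checked first
    bindings: dict[str, set[str]] = field(default_factory=dict)  # fingerprint -> user IDs
    audit: list[tuple[str, str, str]] = field(default_factory=list)  # (user, fp prefix, verdict)

    def approve(self, config: dict, users: list[str]) -> str:
        """Administrator step: put a machine on the allowlist and bind users to it."""
        fp = device_fingerprint(config)
        self.allowlist.add(fp)
        self.bindings[fp] = set(users)
        return fp

    def authorize(self, user_id: str, config: dict) -> tuple[bool, str]:
        """Connection-time decision: blocklist, then allowlist, then user binding.

        Every decision is appended to the audit trail so denied attempts are
        visible to the administrator, not just successful connections."""
        fp = device_fingerprint(config)
        if fp in self.blocklist:
            verdict = "deny: device blocklisted"
        elif fp not in self.allowlist:
            verdict = "deny: device not on allowlist"
        elif user_id not in self.bindings.get(fp, set()):
            verdict = "deny: user not bound to this device"
        else:
            verdict = "allow"
        self.audit.append((user_id, fp[:12], verdict))
        return verdict == "allow", verdict


# Constructed machine records (hypothetical hostnames, MACs and serials).
LAPTOP_A = {"hostname": "ward3-lt01", "mac": "02:00:5e:00:53:01", "serial": "SN-A1", "os": "win10"}
LAPTOP_B = {"hostname": "ward3-lt02", "mac": "02:00:5e:00:53:02", "serial": "SN-B2", "os": "win10"}
UNKNOWN = {"hostname": "visitor-pc", "mac": "02:00:5e:00:53:99", "serial": "SN-Z9", "os": "win10"}


def build_policy() -> AccessPolicy:
    """Constructed policy: dr_lee may use laptop A, nurse_kim may use laptop B."""
    policy = AccessPolicy()
    policy.approve(LAPTOP_A, ["dr_lee"])
    policy.approve(LAPTOP_B, ["nurse_kim"])
    return policy


def demo() -> dict[str, object]:
    """Run the scenarios from the text, including the borrowed-laptop case."""
    policy = build_policy()
    return {
        "lee_on_own_laptop": policy.authorize("dr_lee", LAPTOP_A)[0],
        "lee_on_borrowed_laptop": policy.authorize("dr_lee", LAPTOP_B)[0],
        "kim_on_own_laptop": policy.authorize("nurse_kim", LAPTOP_B)[0],
        "unknown_device": policy.authorize("dr_lee", UNKNOWN)[0],
        "audit_entries": len(policy.audit),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The borrowed-laptop case is the one the paragraph singles out: `dr_lee` is a valid user and laptop B is an approved device, yet the attempt is denied because the binding between that user and that fingerprint does not exist. The blocklist is evaluated before the allowlist so that an administrator can revoke a compromised machine without having to edit every binding that references it.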
Layer 3: Integrity of information
With both patient privacy and data security protected, our last layer of security involves the information itself. A patient’s condition and vital signs can change in an instant, with a torrent of information being produced 24/7. Physicians today need to be data analysts as well as physicians.
Increasingly, physicians are solving this with solutions like TeamViewer. Rather than needing a human to keep constant watch, the application can operate passively, monitoring indicators for change and sounding the alarm if metrics go beyond acceptable levels. Sometimes that device isn’t even a recognized clinical tool; over 100,000 health monitoring apps are available on phone platforms.
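The passive monitoring described above, watching indicators and raising an alarm when a metric leaves its acceptable range, is sketched in the added example below. It is written for this page and is not TeamViewer's code; the metric names, limits and readings are constructed and are not clinical reference values. It goes slightly beyond the paragraph in two ways a practitioner would want: a reading must stay out of range for a configurable number of consecutive samples before an alarm fires, so a single noisy sample does not page anyone, and a device that stops reporting is flagged as stale, since silence is also an integrity problem.

```python
"""Added example (not TeamViewer's code): passive threshold monitoring of a
vital-sign stream with consecutive-sample confirmation and stale-source
detection. Limits and readings are constructed, not clinical values."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Limit:
    low: float
    high: float
    confirm: int = 2    # consecutive out-of-range samples required before alerting


@dataclass
class VitalsMonitor:
    limits: dict[str, Limit]
    streak: dict[str, int] = field(default_factory=dict)       # metric -> consecutive breaches
    last_seen: dict[str, int] = field(default_factory=dict)    # metric -> last timestamp
    alerts: list[tuple[int, str, float]] = field(default_factory=list)

    def observe(self, ts: int, metric: str, value: float) -> bool:
        """Feed one reading; return True exactly when a new alarm is raised."""
        if metric not in self.limits:
            raise ValueError(f"no limits configured for metric {metric!r}")
        self.last_seen[metric] = ts
        lim = self.limits[metric]
        if lim.low <= value <= lim.high:
            self.streak[metric] = 0          # back in range resets the confirmation count
            return False
        self.streak[metric] = self.streak.get(metric, 0) + 1
        if self.streak[metric] == lim.confirm:
            self.alerts.append((ts, metric, value))   # fire once per excursion
            return True
        return False

    def stale(self, now: int, max_gap: int) -> list[str]:
        """Metrics whose most recent reading is older than max_gap time units."""
        return sorted(m for m, ts in self.last_seen.items() if now - ts > max_gap)


# Constructed limits and a constructed reading stream (timestamp, metric, value).
LIMITS = {"heart_rate": Limit(50, 120), "spo2": Limit(90, 100)}
SAMPLE_READINGS = [
    (0, "heart_rate", 72), (1, "heart_rate", 75), (2, "heart_rate", 150),   # single spike
    (3, "heart_rate", 74), (4, "heart_rate", 138), (5, "heart_rate", 142),  # sustained
    (6, "spo2", 97), (7, "spo2", 88), (8, "spo2", 87), (9, "spo2", 86),     # sustained drop
]


def run(readings: list[tuple[int, str, float]], limits: dict[str, Limit] = LIMITS) -> VitalsMonitor:
    """Replay a reading stream through a fresh monitor and return it for inspection."""
    monitor = VitalsMonitor(limits)
    for ts, metric, value in readings:
        monitor.observe(ts, metric, value)
    return monitor


if __name__ == "__main__":
    m = run(SAMPLE_READINGS)
    for ts, metric, value in m.alerts:
        print(f"t={ts}: {metric}={value} outside {LIMITS[metric].low}-{LIMITS[metric].high}")
    print("stale at t=15:", m.stale(now=15, max_gap=8))
```

On the constructed stream the heart-rate spike at t=2 is not reported because the next sample is back in range, whereas the sustained readings at t=4 and t=5 satisfy the two-sample confirmation and raise one alarm; the SpO2 drop raises one alarm at t=8 and does not repeat at t=9. The stale check is the complement of threshold alerting: a monitor that silently stops sending data would otherwise look healthy.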
This check on information integrity keeps data accurate and useful, enabling faster diagnosis and faster response when things go awry. Stepping up in scale, it’s enabling healthcare systems to model the health of entire communities, such as vaccination levels and whether herd immunity is dropping below safe levels. Fortunately, TeamViewer excels at scaling up, with over 20 million devices connected to each other through it at any one time, day or night.
CONCLUSION: Rewarding patient trust
The right approach to security at every level leads to an outcome not easily measurable, but with a huge impact on your business: trust. When patients feel confident of your device, usage becomes widespread and the pool of research data becomes deeper, enabling better decision making.
To win that trust, start with the fundamentals, like choosing a HIPAA-certified remote access solution for patient data. Make data security part of your culture: keep up to date with new threats, check that all your software and services are doing their job, and keep your blacklists and whitelists accurate. Remote access can improve both patient experience and bottom-line profits. Why not see how TeamViewer can deliver for you?
- HIPAA compliance is made easy with remote access solutions that have two-step authentication and whitelists.
- Remote access means you can passively monitor your patient’s vital signs and act when it’s necessary.
- Make data security part of your culture — it’s about attitude as much as it is about software.