Riskiest Connected Medical Devices Revealed

Through the Internet of Medical Things (IoMT), an array of medical devices has been connected to the Internet, allowing them to be operated, configured, and monitored remotely. These devices can transmit medical data across the Internet to clinicians, allowing rapid action to be taken to adjust treatments, and the data collected from the devices can be fed automatically into electronic medical records. The use of IoMT devices is growing at an extraordinary rate, with the number of devices used by smart hospitals expected to double from 2021 levels to 7 million by 2026.

While Internet-connected medical devices offer important benefits, they also increase the attack surface considerably. Vulnerabilities in IoMT devices are constantly being discovered, and they can be exploited by malicious actors to gain access to the devices and to the networks to which the devices connect. According to a 2022 report from the FBI, 53% of digital medical devices and other Internet-connected devices in hospitals contain at least one unpatched critical vulnerability.

The asset visibility and security company Armis has recently conducted a comprehensive analysis of data collected from medical and IoT devices to identify the riskiest IoMT and IoT devices. The data came from more than 3 billion assets that are tracked through the Armis Asset Intelligence and Security Platform. The analysis revealed that the riskiest connected medical devices were nurse call systems, 39% of which had unpatched critical vulnerabilities and 48% of which had other unpatched vulnerabilities. A critical vulnerability is a flaw that can be exploited in a direct or indirect attack by a malicious actor with decisive or significant effects. If flaws in medical devices are exploited, hackers could gain access to the networks to which the devices connect, steal sensitive data, or alter the functionality of the devices themselves and put patient safety at risk.

Infusion pumps were the second riskiest connected medical device with 27% of analyzed devices having at least one unpatched critical flaw and 30% having other unpatched vulnerabilities, followed by medication dispensing systems with 4% containing unpatched critical flaws and an astonishing 86% having other unpatched vulnerabilities. Armis notes that 32% of the analyzed medication dispensing systems were running on unsupported Windows versions. Overall, across all connected medical devices, 19% were running on unsupported operating systems, as IoMT devices often have lifespans that exceed the lifespans of the operating systems on which they run.

IoT devices can also introduce considerable risks and provide hackers with an easy opportunity to gain a foothold in healthcare networks. Armis monitors IP cameras in clinical environments and found that 56% had unpatched critical vulnerabilities and 59% had other unpatched vulnerabilities, which makes IP cameras the riskiest IoT devices, followed by printers (37% critical / 30% other) and VoIP devices (53% / 2%).

“Advances in technology are essential to improve the speed and quality of care delivery as the industry is challenged with a shortage of care providers, but with increasingly connected care comes a bigger attack surface,” said Mohammad Waqas, Principal Solutions Architect for Healthcare at Armis. “Protecting every type of connected device, medical, IoT, even the building management systems, with full visibility and continuous contextualized monitoring is a key element to ensuring patient safety.”

The growing number of wireless, Internet- and network-connected devices and the increasing cybersecurity threats targeting the healthcare sector prompted the U.S. Food and Drug Administration (FDA) to take action. Manufacturers of medical devices will soon be required to provide information about the cybersecurity of their devices in premarket submissions as part of a drive to improve medical device cybersecurity. Those requirements include a software bill of materials (SBOM) so that vulnerable components can be identified and patched, cybersecurity measures to secure the devices and the sensitive data they handle, and a plan to issue security updates for the lifespan of the devices.
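An SBOM is only useful for patching if someone actually matches it against advisories and checks the platform it runs on. The following is an added example, not code from the article or from Armis or the FDA: it reads a small CycloneDX-style SBOM, flags components installed below an advisory's fixed version, and flags an operating system that has passed its end-of-support date (the 32% of medication dispensing systems on unsupported Windows versions above would surface here). The SBOM, the advisory list and the "EXAMPLE-" identifiers are constructed for illustration; the Windows XP and Windows 7 end-of-support dates are real.

```python
"""Added example (not from the HIPAA Journal article or any vendor code):
triage a CycloneDX-style SBOM against a list of advisories and an OS
end-of-support table.  All input data below is constructed."""
import json
import re
from datetime import date

# Constructed SBOM fragment in the CycloneDX JSON shape.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "device", "name": "infusion-pump-x", "version": "3.2.1"}},
  "components": [
    {"type": "operating-system", "name": "Windows", "version": "7"},
    {"type": "library", "name": "openssl", "version": "1.0.2u"},
    {"type": "library", "name": "busybox", "version": "1.36.1"},
    {"type": "application", "name": "telnetd", "version": "2.1"}
  ]
}
"""

# Constructed advisories.  "EXAMPLE-" ids are placeholders, not real CVEs.
# fixed_in=None means no fixed release exists: every version is affected.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "openssl", "fixed_in": "1.1.1", "severity": "critical"},
    {"id": "EXAMPLE-0002", "component": "busybox", "fixed_in": "1.35.0", "severity": "medium"},
    {"id": "EXAMPLE-0003", "component": "telnetd", "fixed_in": None, "severity": "high"},
]

# Real vendor end-of-support dates for two releases that still turn up on devices.
OS_END_OF_SUPPORT = {
    ("Windows", "XP"): date(2014, 4, 8),
    ("Windows", "7"): date(2020, 1, 14),
}


def version_key(v):
    """Split '1.0.2u' into a tuple that compares numerically, then by letter.
    Numeric tokens sort before alphabetic ones, so '1.0.2' < '1.0.2u' < '1.1.1'."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in re.findall(r"\d+|[A-Za-z]+", v))


def is_vulnerable(installed, fixed_in):
    """True if the installed version is below the first fixed version."""
    if fixed_in is None:
        return True
    return version_key(installed) < version_key(fixed_in)


def triage(sbom_json, advisories=ADVISORIES, eol=OS_END_OF_SUPPORT, today=None):
    """Return critical findings, other findings and unsupported OS entries."""
    today = today or date.today()
    sbom = json.loads(sbom_json)
    findings = {"critical": [], "other": [], "unsupported_os": []}
    for comp in sbom["components"]:
        name, version = comp["name"], comp["version"]
        if comp["type"] == "operating-system":
            end = eol.get((name, version))
            if end and end < today:
                findings["unsupported_os"].append(f"{name} {version} (support ended {end})")
            continue
        for adv in advisories:
            if adv["component"] == name and is_vulnerable(version, adv["fixed_in"]):
                bucket = "critical" if adv["severity"] == "critical" else "other"
                findings[bucket].append(f"{adv['id']}: {name} {version}")
    return findings


if __name__ == "__main__":
    device = json.loads(SBOM_JSON)["metadata"]["component"]
    print(f"{device['name']} {device['version']}")
    for bucket, items in triage(SBOM_JSON).items():
        print(f"  {bucket}: {items}")
```

The version comparison is deliberately simple: real advisories carry introduced-in and fixed-in ranges per branch (OpenSSL 1.0.2 and 1.1.1 are separate lines, for example) and identify components by PURL or CPE rather than bare name, so a production matcher should use the advisory's own range data and a version scheme that matches the ecosystem. The OS check is the part that is easy to forget: a component with no open advisory is still unsupportable if the platform underneath it no longer receives patches.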

The post Riskiest Connected Medical Devices Revealed appeared first on HIPAA Journal.

Noncompliant Use of Website Tracking Technologies is an Enforcement Priority for OCR

If you are a HIPAA-covered entity and use tracking technologies on your websites or apps, you must ensure that they are HIPAA-compliant. The Director of the HHS’ Office for Civil Rights has confirmed that this aspect of compliance with the HIPAA Rules is now an enforcement priority for OCR and the department is actively looking into noncompliance by HIPAA-covered entities.

OCR Director, Melanie Fontes Rainer, confirmed in an interview with Information Security Media Group that enforcement actions will be taken very soon against HIPAA-regulated entities that use tracking technologies that disclose protected health information to third parties without authorization or business associate agreements. OCR has recently undergone restructuring to improve efficiency which will allow it to undertake more enforcement actions against HIPAA-regulated entities for non-compliance with the HIPAA Rules.

Tracking technologies, often referred to as pixels, are snippets of code that are added to websites and apps that collect the data of website users and are typically used for website analytics to improve the quality of websites and services. While there is nothing wrong with improving services for website and app users, these tools often pass the data they collect to the third-party providers of the code. When an individual visits a healthcare website, the information collected may include data classed as protected health information, and disclosing that information to third parties not authorized to receive that data is a HIPAA violation.

The disclosure of PHI via tracking technologies is not permitted by the HIPAA Privacy Rule unless the third party receiving the information is a business associate under HIPAA, a HIPAA-compliant business associate agreement is in place, and the disclosure is one the Privacy Rule permits. Otherwise, authorization must be obtained from website visitors before PHI is collected and transmitted.

Over the past two years, analyses have been conducted on the use of these technologies by healthcare organizations such as hospitals, counseling providers, and telehealth companies which suggest they have been extensively used. One study indicates 99% of hospitals had added the tools to their websites.

Last year, OCR issued guidance to HIPAA-regulated entities on the use of these tools and confirmed how HIPAA applies to these tools. HIPAA-regulated entities have had several months to assess their websites and apps and either remove tracking code or ensure it is used in a manner compliant with the HIPAA Rules. The continued use of these tools and/or failure to send breach notifications when there have been confirmed disclosures of PHI to third parties will likely result in enforcement actions. The Federal Trade Commission is also cracking down on the use of these tools by non-HIPAA-regulated entities.

If you are a HIPAA-regulated entity, it is important to conduct an audit of your websites and apps to identify whether any tracking code is in use and whether there is the potential for PHI to be impermissibly disclosed to third parties. If such code is identified, it must be made HIPAA-compliant or removed. If unauthorized disclosures of PHI have occurred, breach notifications must be issued to OCR and to the affected individuals.
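A first pass at that audit is a static scan of each page's served HTML for third-party script, image, iframe and preconnect references, the dynamic loaders that tracking snippets inject from inline scripts, 1x1 image beacons, and the bootstrap calls the snippets make. The following is an added example, not code from the article or from OCR: the sample page, the hospital domain (example-hospital.org) and the chat-widget host are constructed; the tracker hostnames in the list are real analytics and ads endpoints but the list is illustrative, not a maintained blocklist.

```python
"""Added example, not from the HIPAA Journal article: static scan of a page's
HTML for third-party tracking code.  Sample page and first-party domain are
constructed; KNOWN_TRACKER_HOSTS is a short illustrative list."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that receive tracker beacons.  Illustrative only; a real audit uses a
# maintained list and treats every third-party host as in scope for review.
KNOWN_TRACKER_HOSTS = {
    "www.googletagmanager.com", "www.google-analytics.com",
    "connect.facebook.net", "www.facebook.com",
    "px.ads.linkedin.com", "analytics.tiktok.com",
}
# Bootstrap calls that common tracking snippets make from inline script.
INLINE_CALLS = re.compile(r"\b(fbq|gtag|ga|ttq\.track)\s*\(")
# Absolute URLs embedded in inline script text (dynamic script loaders).
INLINE_URLS = re.compile(r"https?://[^\s'\"<>)]+")


class TrackerScanner(HTMLParser):
    """Collects external resource URLs, 1x1 image beacons and inline tracker calls."""

    def __init__(self):
        super().__init__()
        self.urls = []            # every resource URL referenced by the page
        self.pixels = []          # 1x1 <img> beacons
        self.inline_calls = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or (a.get("href") if tag == "link" else None)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe", "link") and src:
            self.urls.append(src)
        if tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.pixels.append(src or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands the whole <script> body to handle_data as one chunk.
        if self._in_script:
            self.urls.extend(INLINE_URLS.findall(data))
            self.inline_calls.update(INLINE_CALLS.findall(data))


def audit(html, first_party_domain):
    """Classify every external reference in the page by destination host."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()

    def is_first_party(host):
        return host == first_party_domain or host.endswith("." + first_party_domain)

    known, other = set(), set()
    for url in scanner.urls:
        host = urlparse(url).netloc.lower()
        if not host or is_first_party(host):      # relative or own-domain resource
            continue
        (known if host in KNOWN_TRACKER_HOSTS else other).add(host)
    return {
        "known_trackers": sorted(known),
        "other_third_party": sorted(other),
        "pixels": scanner.pixels,
        "inline_calls": sorted(scanner.inline_calls),
    }


# Constructed appointment-request page with a tag manager snippet, a pixel
# loaded dynamically from inline script, its <noscript> fallback image, and
# an unrelated third-party widget.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://www.googletagmanager.com">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('config', 'G-EXAMPLE');
</script>
<script src="/static/app.js"></script>
<script src="https://cdn.example-hospital.org/portal.js"></script>
<script src="https://cdn.chatwidget-example.net/widget.js"></script>
</head><body>
<h1>Request an appointment</h1>
<form action="/appointments/new"><input name="reason"></form>
<script>
  (function(d){var t=d.createElement('script');t.async=true;
   t.src='https://connect.facebook.net/en_US/fbevents.js';d.head.appendChild(t);})(document);
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView"></noscript>
</body></html>
"""

if __name__ == "__main__":
    for bucket, items in audit(SAMPLE_PAGE, "example-hospital.org").items():
        print(f"{bucket}: {items}")
```

A static scan only sees what is in the served HTML; a tag manager can load further tags at runtime, and some snippets fire on form submission rather than page load. The authoritative check is therefore a network capture (a browser HAR) from a real session that includes the pages where PHI is actually entered, such as appointment scheduling, symptom checkers and the authenticated patient portal, with the request bodies and query strings of every third-party call reviewed for identifiers and health-related parameters. Anything in the "other_third_party" bucket needs the same review as a named tracker: the HIPAA question is whether PHI leaves for a party without a business associate agreement, not whether the recipient is a well-known analytics vendor.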

The post Noncompliant Use of Website Tracking Technologies is an Enforcement Priority for OCR appeared first on HIPAA Journal.