Healthcare facilities are not immune to hacking, a reality made painfully clear when last year’s WannaCry ransomware crippled organizations around the world, including healthcare facilities. And according to a 2017 Identity Theft Resource Center report, just over 25% of all data breaches occurred in the healthcare industry.
There is no denying the tremendous impact technology advancements have had on the care and well-being of patients, family members and staff within healthcare facilities. And each year brings new technology, trends and improvements all intended to improve experiences and patient outcomes. But along with advancement comes growing concerns over the security of information.
Healthcare technology comprises all systems within a facility and the integration between these systems. A result of such integration and interconnectedness is that information security has really become a shared responsibility across systems and administrative areas. If one system or unit lacks appropriate security controls, the entire system may be vulnerable.
In this interview with Parkin Architects, Phil Crompton, founder and principal at Vantage Technology Consulting Group, sheds light on the link between healthcare technology evolution and information security.
How do you define technology as it pertains to healthcare settings?
We classify technology as anything which provides or uses information. For example, a light switch is technology from one perspective because it provides information and tells you whether the light is turned on or turned off. That’s an extreme example; typically, we don’t design light switches, but even that’s starting to change. A patient in their room can now turn on the lights from their TV or own smartphone or tablet.
We think of technology as anything that is creating, processing or using information. And a big component of technology that most people don’t even realize exists is the integration between systems. You can have a security system, a real-time location system and a patient entertainment system all doing their individual thing. But on a different level, they are integrated together to enable the sharing of information and to provide additional functionality that benefits the patient, family and staff.
For example, let’s say a nurse walks into a patient’s room. The real-time location system identifies that the nurse has entered the room and places the nurse’s photo and name up on the screen so that the patient knows that the person that just walked into the room is a nurse employed by the hospital. That’s an integration. Those systems don’t do that natively.
We create a lot of integrations with security where you build a rule set that triggers when a wheelchair is leaving a building and determines whether there is a transportation badge within two feet of that wheelchair; if there is, that’s probably okay since that probably means a transportation staff member is pushing a patient in the wheelchair. But, if a wheelchair is leaving and there is no transportation tag anywhere near it, then the system automatically notifies security to look to see if someone is stealing a wheelchair or if someone is leaving the hospital who shouldn’t be.
The basic concept is to combine the information from all these different databases, which now include electronic medical records and human resources information, to create something greater than the sum of its parts. A question we now ask a lot of our clients is: How are you going to share information between these various databases and what value will that provide? We want to know how we can make staff’s life easier and how this will impact the care and condition of patients and family members.
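The wheelchair rule described in the answer above is a correlation between two real-time location system (RTLS) feeds: an asset tag seen in an exit zone and a staff badge seen within two feet of it. The following is an added illustration of that rule, not code from Vantage Technology Consulting Group or from any RTLS product. The tag classes, zone names, the five-second matching window, the coordinate units and the sample reads are all constructed assumptions; the two-foot radius is the only figure taken from the interview.

```python
from __future__ import annotations
from dataclasses import dataclass
from math import hypot

# Rule parameters. The two-foot radius comes from the interview; the matching
# window is an assumption about how far apart two RTLS reads may be in time
# and still describe the same moment.
ESCORT_RADIUS_FT = 2.0
MATCH_WINDOW_S = 5.0

# Assumed zone names that mean "leaving the building".
EXIT_ZONES = {"main_exit", "ed_exit"}


@dataclass(frozen=True)
class TagRead:
    """One RTLS observation: which tag, what kind of asset, where, and when."""
    tag_id: str
    tag_type: str   # assumed tag classes: "wheelchair" or "transport_badge"
    zone: str       # RTLS zone the read was made in
    x_ft: float     # position within the zone, in feet (assumed units)
    y_ft: float
    ts: float       # seconds


def escort_nearby(wheelchair: TagRead, reads: list[TagRead]) -> bool:
    """True if any transport badge was read in the same zone, within
    MATCH_WINDOW_S seconds and within ESCORT_RADIUS_FT of the wheelchair."""
    for r in reads:
        if r.tag_type != "transport_badge" or r.zone != wheelchair.zone:
            continue
        if abs(r.ts - wheelchair.ts) > MATCH_WINDOW_S:
            continue
        if hypot(r.x_ft - wheelchair.x_ft, r.y_ft - wheelchair.y_ft) <= ESCORT_RADIUS_FT:
            return True
    return False


def evaluate_exits(reads: list[TagRead]) -> list[dict]:
    """Apply the rule to every wheelchair read in an exit zone and return one
    alert per unescorted exit, in the shape a security console could consume."""
    alerts = []
    for r in reads:
        if r.tag_type != "wheelchair" or r.zone not in EXIT_ZONES:
            continue
        if not escort_nearby(r, reads):
            alerts.append({
                "tag_id": r.tag_id,
                "zone": r.zone,
                "ts": r.ts,
                "reason": (f"wheelchair leaving via {r.zone} with no transport "
                           f"badge within {ESCORT_RADIUS_FT:g} ft"),
            })
    return alerts


# Constructed sample reads (not real RTLS data).
SAMPLE_READS = [
    # Escorted: badge 1.5 ft away, one second later -> no alert.
    TagRead("WC-0101", "wheelchair", "main_exit", 10.0, 4.0, 1000.0),
    TagRead("TB-0007", "transport_badge", "main_exit", 11.5, 4.0, 1001.0),
    # A badge is in the zone but 10 ft away -> alert.
    TagRead("WC-0102", "wheelchair", "ed_exit", 3.0, 3.0, 2000.0),
    TagRead("TB-0009", "transport_badge", "ed_exit", 13.0, 3.0, 2000.0),
    # No badge read at all -> alert.
    TagRead("WC-0103", "wheelchair", "main_exit", 5.0, 5.0, 3000.0),
    # Wheelchair on a ward, not in an exit zone -> rule does not apply.
    TagRead("WC-0104", "wheelchair", "ward_3b", 1.0, 1.0, 3500.0),
]

if __name__ == "__main__":
    for alert in evaluate_exits(SAMPLE_READS):
        print(alert)
```

The rule is deliberately evaluated per wheelchair read rather than per badge read, so a badge loitering at the door cannot vouch for a chair that passes later than the matching window; in a real deployment the window and radius would be tuned against the RTLS vendor's stated positional accuracy.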
With such a broad view of technology, how does security play into this?
A lot of technology systems don’t have good information security controls natively built into them and can be easy targets for someone who wants to cause trouble and break into the system. For instance, in building management systems, there is a protocol called Building Automation and Control Networks (BACnet). That protocol was not designed with security in mind because it was intended that any device running that protocol can communicate with any other BACnet device for speed and ease-of-use. Do you remember the Target breach where Target lost all their credit card information? Those hackers got into Target through the building management system via a BACnet interface. From there they were able to connect eventually to the server which had credit card information stored on it.
We recognize that information security must be baked into everything that we do and we have specialists on staff to advise our clients about the importance of thinking about information security early in a technology deployment project.
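The answer above makes two points a defender can act on: BACnet carries no authentication of its own, so the only practical control is to keep it inside the building-management segment, and the Target intrusion shows that the danger is the path from that segment into the rest of the enterprise. The example below, added here and not taken from the interview or from any BACnet or building-management product, reviews constructed flow records against such a segmentation policy. It recognises BACnet/IP by its BVLC header (type byte 0x81, function byte, two-byte length covering the whole message) rather than by port alone, and flags both BACnet arriving from outside the segment and non-BACnet traffic leaving it. The subnet, the management host, the port-to-protocol pairing beyond the standard BACnet/IP port 47808, and all sample flows are assumptions.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

BACNET_UDP_PORT = 47808  # 0xBAC0, the standard BACnet/IP UDP port

# Assumed network layout (constructed for this example).
BMS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")           # building controllers
BMS_MANAGEMENT_HOSTS = {ipaddress.ip_address("10.60.1.10")}  # the one permitted peer


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "udp" or "tcp"
    dport: int
    payload: bytes = b""  # leading bytes of the datagram, if captured


def is_bacnet_ip(payload: bytes) -> bool:
    """Recognise a BACnet/IP datagram by its BVLC header: 0x81, a function
    byte, then a big-endian 16-bit length that counts the 4 header bytes too."""
    if len(payload) < 4 or payload[0] != 0x81:
        return False
    return int.from_bytes(payload[2:4], "big") == len(payload)


def classify(flow: Flow) -> str:
    """Return a verdict string; anything starting with 'alert-' should be
    reviewed. Policy: BACnet stays inside the BMS segment, and the segment
    talks to nothing outside it except the management host."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    src_in_bms = src in BMS_SEGMENT
    dst_in_bms = dst in BMS_SEGMENT
    bacnet = (flow.proto == "udp" and flow.dport == BACNET_UDP_PORT
              and is_bacnet_ip(flow.payload))

    if src_in_bms and dst_in_bms:
        return "ok-intra-bms"
    if not (src_in_bms or dst_in_bms):
        # Neither side is a controller; BACnet here means a device is on the wrong VLAN.
        return "alert-bacnet-unexpected-segment" if bacnet else "ignore"
    peer = src if dst_in_bms else dst
    if peer in BMS_MANAGEMENT_HOSTS:
        return "ok-managed"
    if bacnet:
        return "alert-bacnet-outside-segment"   # unauthenticated protocol reachable from elsewhere
    return "alert-bms-egress" if src_in_bms else "alert-bms-ingress"  # the pivot path


def review(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Run the policy over a batch of flows and return only the alerts."""
    return [(f, v) for f in flows if (v := classify(f)).startswith("alert-")]


# Constructed sample traffic. WHO_IS is the standard 12-byte BACnet/IP Who-Is
# broadcast (BVLC 81 0B 000C, NPDU 01 20 FFFF 00 FF, APDU 10 08).
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")
WHO_IS_UNICAST = bytes([0x81, 0x0A]) + WHO_IS[2:]   # same body, unicast BVLC function
SAMPLE_FLOWS = [
    Flow("10.50.0.12", "10.50.0.255", "udp", BACNET_UDP_PORT, WHO_IS),        # controller discovery
    Flow("10.60.1.10", "10.50.0.12", "udp", BACNET_UDP_PORT, WHO_IS_UNICAST), # management host
    Flow("10.20.7.33", "10.50.0.12", "udp", BACNET_UDP_PORT, WHO_IS),         # office workstation
    Flow("10.50.0.12", "10.20.5.40", "tcp", 445),                             # controller -> file server
    Flow("10.20.7.33", "10.20.5.40", "tcp", 443),                             # ordinary enterprise flow
]

if __name__ == "__main__":
    for flow, verdict in review(SAMPLE_FLOWS):
        print(f"{verdict:32} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Checking the BVLC length field rather than trusting the port avoids false positives from unrelated UDP traffic that happens to use 47808, while the egress check is what would have surfaced a controller segment reaching toward servers it has no business contacting.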
Ten years ago, we wouldn’t have thought about someone breaking into a server or accessing data this way. Does it change the way you view information security?
Ten years ago, the systems were not as connected as they are today. You couldn’t access large amounts of data and there was no benefit in trying to do so. Ten years ago, if you wanted to change the temperature in your patient’s room, you had to go in and adjust the thermostat. Now, the patient can do it from their TV or the device they brought with them to the hospital. We have created this ability to give individuals much more control over their environment but by doing so, we have created a potential access point for criminals and mischief-makers to get in too. Consequently, information security needs to take an enterprise-wide approach; we can’t consider it solely on a system-by-system basis.
Best practice is to establish what the security level needs to be for all systems in an environment and then insist that each individual system vendor meets those requirements. If they can’t meet them, they may be taken off the job.