Cybersecurity experts warn that as more healthcare is provided in patients’ homes, the flow of data between those locations, vendors and providers raises the risk for ransomware attacks.
In the wake of the Change Healthcare attack, cybersecurity consultants are scrutinizing home-based care — particularly the storage and transfer of data through telehealth, remote patient monitoring and wearable devices. An aging population has increasingly sought easier access to care since the COVID-19 pandemic, with an estimated $265 billion, or 25%, of traditional Medicare and Medicare Advantage health services expected to move into the home by next year, according to business consulting firm McKinsey and Company.
The theft of data from in-home technology across potentially unsecured wireless networks is a big concern for the Healthcare and Public Health Sector Coordinating Council Cybersecurity Working Group. The organization collaborates with the U.S. Department of Homeland Security to prevent cyberattacks across the healthcare industry.
“All of these [technologies] are increasing the attack surface,” said Greg Garcia, the group’s executive director. “All of that uncontrolled technology outside of the hospital that connects into the hospital network is where the vulnerability is, whether it’s hospital-at-home or a more simple device like a [smart] watch that can transfer data over to the doctor.”
On Feb. 27, less than a week after the Change Healthcare attack, the cybersecurity working group published a five-year strategic plan that calls on executives across the healthcare industry, from providers to device manufacturers, to implement more robust cybersecurity protocols that will ensure the protection of patient security and data. The recommendations include more accountability from corporate leaders on cybersecurity, better workforce training and quicker responses in the event of attacks.
The National Association for Home Care and Hospice said in an email it has been actively working with technology companies to ensure the protection of patients' medical and financial information transmitted through telehealth visits, texting and record-sharing devices.
Medical device manufacturer Medtronic, which makes a number of devices used in patients' homes, has added layers of encryption to its devices to prevent criminals from stealing or changing patient data, according to Chris Reed, the company’s vice president of product security.
He said the company builds customized security features for all medical devices, including bedside home monitors and wearable devices, such as insulin pumps.
“If one [layer] breaks, the other one keeps operating safely until we get the other layer fixed,” Reed said. “We don’t assume that wireless networks or networks that we are plugging into are safe and with that assumption, we design controls to make it safe.”
Russell Teague, chief information security officer at cybersecurity consulting firm Fortified Health Security, said providers need to be aware of the risk of deploying devices for home use. The Food and Drug Administration last year began requiring medical device manufacturers to build more robust firewalls into equipment to guard against cyberattacks. But medical devices manufactured before 2023 that do not have additional security built into them or have not been updated could be vulnerable to a cyberattack, Teague said.
“A security architect or security engineer for the hospital needs to be reviewing that solution that is being provided by the manufacturer to determine if it is safe because the hospital is the one that ultimately is responsible for delivering safe, secure patient care,” Teague said.
The American Hospital Association said in an email its members are aware that they have sensitive data and must be mindful of protecting it from a cyberattack, but it also called on the government to do more to stop the theft of data.