At a recent workshop held in Yangon, Myanmar, by antivirus company Kaspersky, company representatives said that 76% of medical devices in healthcare facilities (e.g. hospitals and clinics) in the Philippines may be infected by malicious code, while 44% of medical devices in Thailand’s healthcare facilities may be infected.
These are alarming numbers, and they demand that healthcare facilities take a serious look at their infrastructure, data storage, and human resources to see how best to secure not just patient data but also every device, from computers, laptops, and mobile phones to the medical IoT devices that are critical for medical care and emergencies.
“We’re definitely entering the era of the ultra-connected medicine. And I have to say that, while we welcome these advancements, we cannot deny that these will open wider doors for cybercriminals,” said Yury Namestnikov, head of global research and analysis team for Kaspersky.
Data breaches from medical facilities have also surfaced in recent years, especially due to the ultra-connectivity of systems.
Tim Mackey, principal security strategist at Synopsys Inc.’s Cybersecurity Research Center, commented: “While in some countries it’s possible to remediate financial damage caused by malicious actions, health care data is far more difficult to change. Concepts like ‘pre-existing’ conditions as a determining factor for insurance coverage can have direct implications on the insurance rates charged – or even the potential for a client to receive coverage. In countries where private medical insurance isn’t a factor in health care decisions, health history will be a factor when a physician prescribes medications.”
Given the generally open nature of medical facilities, protecting the security of physical devices can be a challenge. For example, a clinician often escorts a patient to a treatment room where the patient may be alone for several minutes. The treatment room may have medical devices of various types, including computers and diagnostic equipment.
“This window of opportunity could allow malicious individuals access to infect the devices with any types of malware or even to install a service on a device connected to a trusted hospital network,” said Mackey.
He warned that, with the rise of cybersecurity concerns in medical care, patients are well advised to review any statements listing care provided and compare them against the actual care received.
“If any discrepancy is discovered, immediately raise the issue to the provider. Additionally, if anyone proactively reaches out to a patient following care, it’s worthwhile to contact the facility directly. While some providers are proactively soliciting feedback on the level of care received and others may be seeking payment for services rendered, in all cases if there is any doubt as to the legitimacy of the communications, contact the provider directly.”