Secure Your Hospital’s Future: The Critical Need for Robust Telemedicine Security

The following is a guest article by Narinder Singh, Co-Founder and CEO at LookDeep Health

In 2016, attackers gained unauthorized access to Banner Health’s systems through the payment processing system used in the organization’s food and beverage outlets and used it as a gateway to reach patient information. A telemedicine solution is another such indirect path: a weakness there can expose the entire health system, not just the video service.

As inpatient telemedicine experiences rapid growth within hospitals, it presents unique challenges to Chief Information Officers (CIOs) and Chief Security Officers (CSOs), particularly regarding potential security risks associated with medical devices and other hardware. 

Despite warnings over the past decade, many healthcare systems have only recently begun to address the security risks of medical devices. Meanwhile, a related threat has emerged: older telemedicine solutions that have often been exempted from broader security standards. With the rise of inpatient telemedicine in response to COVID, these systems are becoming more visible targets.

Hospital CEOs and boards must no longer exempt telemedicine solutions from their security policies. CIOs need to be proactive in addressing potential issues, and CEOs should be asking, “Is our use of video in the hospital secure?” 

To safeguard your hospital from potential telemedicine security risks, consider taking the following first steps:

  1. Require SOC 2 Type II security audits or equivalent for vendors: Insist that telemedicine vendors undergo a rigorous SOC 2 Type II audit or equivalent, including third-party penetration testing, and that they share the report with you. Relying solely on your hospital’s own security reviews, customer references or a vendor’s history is insufficient; it both increases risk and slows the adoption of new innovations.
  2. Mandate CIO and CEO approval for security standard exemptions: By establishing a process in which the CEO must review and authorize deviations from the hospital’s security policy, the organization creates a safeguard that keeps exemptions rare and ensures each one is accompanied by a risk mitigation plan. If the mere prospect of taking a request to the CEO is enough to make the organization choose another path, the rationale for the exemption was probably not very convincing.
  3. Isolate telemedicine networks: Ideally, telemedicine endpoints (cameras, carts, wall units and the servers that talk to them) sit on their own network segment, with firewall rules that allow only the traffic the solution needs and nothing toward clinical systems. This separation limits how far an attacker who compromises a telemedicine device can move. Beyond segmentation, adopt a zero trust approach: trust no device or user by default and verify every access request. Treat every device as a potential risk, even if it belongs to your organization.
  4. Beware of older Microsoft operating systems: The WannaCry ransomware attack in 2017 disrupted the UK’s National Health Service (NHS), costing the NHS nearly one hundred million pounds. WannaCry spread on its own through a flaw in the SMBv1 file-sharing protocol (MS17-010). Microsoft had published a fix two months earlier, so the machines that fell were largely Windows 7 systems that had not been patched, along with Windows XP systems that had been out of support since 2014; Windows 7 itself reached end of support in January 2020. The lesson is twofold: unpatched or unsupported systems are easy targets, and isolated networks limit how far a worm can travel once it is inside. Ensure that your hospital’s telemedicine solutions run on supported operating systems, are patched promptly, and do not expose legacy protocols such as SMBv1.
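
As an added example (not part of the original article, and not LookDeep Health’s code), the PowerShell check below audits a single Windows telemedicine endpoint for what step 4 asks for: an operating system that is out of support, SMBv1 still enabled, and stale patching. The end-of-support dates are Microsoft’s published extended-support dates for the versions listed; the 60-day patch threshold and the short list of versions are assumptions to adapt to your estate.

```powershell
# Added example, not code from the article or from LookDeep Health.
# Audits one Windows telemedicine endpoint for the step-4 conditions:
# unsupported OS, SMBv1 enabled, and stale patching.
# Run in an elevated Windows PowerShell session on the endpoint, or push it
# to a list of hosts with Invoke-Command. Get-WmiObject is used instead of
# Get-CimInstance so the script also runs on the PowerShell 2.0 found on
# Windows 7 era machines.

$os       = Get-WmiObject -Class Win32_OperatingSystem
$caption  = $os.Caption
$findings = @()

# Microsoft's published end-of-extended-support dates (assumed short list;
# extend it for the versions present in your estate). "Windows Server 2008"
# also matches "2008 R2", which ended support on the same day.
$endOfSupport = @{
    'Windows XP'          = [datetime]'2014-04-08'
    'Windows 7'           = [datetime]'2020-01-14'
    'Windows 8.1'         = [datetime]'2023-01-10'
    'Windows Server 2008' = [datetime]'2020-01-14'
    'Windows Server 2012' = [datetime]'2023-10-10'
}
foreach ($name in $endOfSupport.Keys) {
    if ($caption -like "*$name*" -and (Get-Date) -gt $endOfSupport[$name]) {
        $ended = $endOfSupport[$name].ToString('yyyy-MM-dd')
        $findings += "Unsupported OS: $caption (support ended $ended)"
    }
}

# WannaCry's exploit (EternalBlue, MS17-010) reaches the host over SMBv1.
# Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
# older systems expose the setting only through the LanmanServer registry
# key, where a missing SMB1 value means "enabled".
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $smb1 = ($null -eq $params.SMB1) -or ($params.SMB1 -ne 0)
}
if ($smb1) { $findings += 'SMBv1 server protocol is enabled' }

# Patch recency: flag a host with no update installed in the last 60 days
# (the threshold is an assumption; align it with your patch policy).
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $latest) {
    $findings += 'No installed updates reported by Get-HotFix'
} elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-60)) {
    $when = $latest.InstalledOn.ToString('yyyy-MM-dd')
    $findings += "Last update $($latest.HotFixID) was installed $when"
}

$host = $env:COMPUTERNAME
if ($findings.Count -eq 0) {
    Write-Output "PASS $($host): supported OS, SMBv1 disabled, patched within 60 days"
} else {
    $findings | ForEach-Object { Write-Output "FAIL $($host): $_" }
}
```

Run it across every endpoint in the telemedicine segment (for example with Invoke-Command against the inventory) and treat each FAIL line as a policy exception that has to go through the approval process in step 2 rather than being waved through.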

Hospital security is complex and challenging, but smart security starts with making the simple things simple. An effective security program not only safeguards hospitals and patients; it also serves as an enabler for innovation. Further, requiring vendors to demonstrate their commitment to security is just as vital as verifying the credentials of the staff caring for patients.

By contrast, a poor security program creates confusion, stifles all change and misses its core purpose, like a falls prevention program that succeeds only by substantially reducing patient mobility.

Replacing security theater – the act of looking like you’re taking security seriously – with substantive and objective standards will draw vendors who can meet your clinical and security needs. Verify, then trust to lower risk and increase the sustained pace of innovation, thereby improving the cost and care of patients in the hospital.

About Narinder Singh

I’m a technologist who has oscillated between trying to run towards and away from that identity since I first became enamored with a computer. I believe technology can change the world for the better and am passionate about applying that energy to improving healthcare. I love to laugh and learn, feel guilty for not doing enough, and believe if you are doing the right things with the right people it seldom feels like work.

After beginning my career at Accenture’s Center for Strategy Technology I led several R&D teams at webMethods, an integration startup that eventually went public. After a corporate strategy role in the Office of the CEO at SAP I co-founded Appirio which raised funds from Sequoia, GGV and General Atlantic, became the largest independent partner of salesforce, Workday and Google enterprise, and grew to over 1200 people before its acquisition.

From there I decided to work on something that could serve others. I went back to school to learn about medical devices and AI, yet it was later that healthcare became personal. My mom endured an unexpected twelve weeks in a hospital with multiple major surgeries – culminating in a successful bilateral lung transplant. I spent over a thousand hours in the hospital with her and the experience led me to write a guide for how families could navigate the crisis of critical care. Through that the eventual mission of LookDeep – to help hospitals ‘Be Present for Every Patient at Every Moment’ – became my obsession.

Applying emerging technology to help patients in the hospital and those that care for them is the most important professional experience I’ve ever had the fortune to work on.
