Top health industry issues of 2018


Securing the internet of things

Internet-connected medical devices are holding the health system together—playing critical roles in such tasks as patient care, medical records and billing—but each connected device is a potential door for cybercriminals.

Laura Robinette, PwC, US Pharma Life Sciences Assurance Leader, talks about preparation for when – not if – a cybersecurity breach occurs

Following a year marked by major, industry-wide cybersecurity breaches and a 525 percent increase in medical device cybersecurity vulnerabilities reported by the government, hospitals must take quick, decisive action to maintain data privacy, secure connected medical devices and protect patients (see Figure).[1]

Hospitals have become a popular target for so-called “ransomware” attacks, such as WannaCry, in which intruders gain access to files, encrypt them and demand payment in cryptocurrency in return for access to the files.[2] In 2017, at least two US hospital systems experienced problems after being hit by WannaCry,[3] and 16 hospitals in the UK were unable to access internet-connected devices.[4] PwC’s Global State of Information Security (GSIS) survey found that 16 percent of all providers and payers suffered a ransomware attack in 2016.[5] Eleven manufacturers of medical devices issued warnings about the potential for the WannaCry event to affect their devices, and several were confirmed to have been affected.[6]

Many hospitals have thousands of medical devices connected to their networks. Some, lacking purchasing controls or strict networking rules, don’t even know how many such devices they have, let alone how secure they are. PwC’s GSIS survey found that just 64 percent of providers and payers said they have performed a risk assessment of connected devices and technologies to find potential security vulnerabilities, and only 55 percent of those said they have put security controls in place for these devices.[8]

Staff training, too, remains a critical problem. Only 31 percent of healthcare payers and providers plan to train their employees on security practices for the internet of things this year.[9] Another 31 percent say they plan to establish policies for internet-connected devices this year.[10]

“Everyone is rethinking their security practices in the wake of WannaCry,” said Chantal Worzala, vice president of health information and policy operations at the American Hospital Association. The problem, she said, is that “hospitals literally deploy thousands of devices, and trying to remediate all of those devices is a pretty daunting challenge in the heat of the moment if there’s a cybersecurity attack. This is particularly true when many device companies do not provide information about potential vulnerabilities or updates and patches to fix vulnerabilities.”

Another problem is that regulators can be slow to alert the public. It took more than a year for the FDA to issue a warning about a critical device vulnerability after researchers discovered it in late 2014.[11]

Implications

Hacks are like a “non-natural” disaster

Hospitals and life sciences companies should prepare for cybersecurity incidents to happen more often and invest in the planning, defensive measures and personnel required. They can do so by preparing as they would for a natural disaster. They should create and test cybersecurity breach and remediation plans. Facilities should be prepared to respond if their devices go down, or even if they suspect that their network has been breached. And they should create business continuity plans that are accessible offline.


Understand the risks to your organization

Security failure can mean devices rendered inoperable, critical patient records being stolen or unavailable, and even facilities being shut down as a precaution. The financial and reputational cost of a breach affecting patient health can far exceed the lost revenue from business disruption. Twenty-six percent of consumers affected by a hacking incident say they’ve decided to change doctors, hospitals, insurers or medical organizations because their medical information had been stolen in a hacking incident.[12] Thirty-eight percent say they would be wary of using a hospital associated with a hacked medical device.[13] The increasing use of connected devices in EHR systems means companies’ value-based payments also could be at risk if there’s concern about the collected data’s integrity.


Providers should strategically consider how they manage internet-connected devices

Cybersecurity risks can be managed using a layered approach, including limiting who has access to devices and limiting what the devices can do. While 95 percent of provider executives think their practice is secure against cybersecurity threats, just 36 percent of providers and payers have access management policies in place, and 34 percent have a cybersecurity audit process in place.[14] Many companies also lack in-house cybersecurity expertise and will need to find it externally. Companies can also use language in vendor contracts to establish what device manufacturers are responsible for, including security updates and security support. The Mayo Clinic, for example, requires its vendors to adhere to security standards before Mayo will purchase their products.[15]


1 HRI analysis of data reported by US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

2 Kim Zetter, “Why Hospitals Are the Perfect Targets for Ransomware,” Wired, March 3, 2016, https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/

3 NH-ISAC, “HHS ASPR/CIP HPH Cyber Notice: On-Going Impacts to HPH Sector from WannaCry,” June 2, 2017, https://nhisac.org/wannacry-ransomware-update/

4 Bill Chappell and Maggie Penman, “Ransomware Attacks Ravage Computer Networks in Dozens of Countries,” NPR, May 12, 2017, http://www.npr.org/sections/thetwo-way/2017/05/12/528119808/large-cyber-attack-hits-englands-nhs-hospital-system-ransoms-demanded

5 PwC, “The Global State of Information Security Survey 2017,” 2016

6 HRI analysis of data reported by US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT); Thomas Fox-Brewster, “Medical Devices Hit By Ransomware For The First Time In US Hospitals,” Forbes, May 17, 2017, https://www.forbes.com/sites/thomasbrewster/2017/05/17/wannacry-ransomware-hit-real-medical-devices/#7a259438425c

7 Wired, “Medical Devices are the Next Security Nightmare,” March 2017, https://www.wired.com/2017/03/medical-devices-next-security-nightmare/

8 PwC, “Uncovering the potential of the Internet of Things,” 2016, http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/assets/gsiss-report-internet-of-things.pdf

9 PwC, “The Global State of Information Security Survey 2017,” 2016, https://www.pwc.com/us/en/cfodirect/issues/cyber-security/information-security-survey.html

10 PwC, “The Global State of Information Security Survey 2017,” 2016, https://www.pwc.com/us/en/cfodirect/issues/cyber-security/information-security-survey.html

11 US Food and Drug Administration, “Symbiq Infusion System by Hospira: FDA Safety Communication - Cybersecurity Vulnerabilities,” July 31, 2015, https://www.fda.gov/Safety/MedWatch/SafetyInformation/SafetyAlertsforHumanMedicalProducts/ucm456832.htm; Monte Reel and Jordan Robertson, “It’s Way Too Easy to Hack the Hospital,” Bloomberg, November 2015, https://www.bloomberg.com/features/2015-hospital-hack/

12 PwC Health Research Institute, “Consumer Survey,” 2017

13 PwC Health Research Institute, “Consumer Survey,” 2017

14 PwC Health Research Institute, “Provider Executive Survey,” 2017; PwC, “The Global State of Information Security Survey 2017,” 2016, https://www.pwc.com/us/en/cfodirect/issues/cyber-security/information-security-survey.html

15 AAMI, “Mayo Clinic Emphasizes Security with Device Vendors,” April 2016, http://www.aami.org/productspublications/articledetail.aspx?ItemNumber=3199

 
