Is remote patient monitoring the new cybercrime target?
Healthcare organizations each faced an average of 109 cyberattacks per week last year, by far the most of any industry.
While hospitals and health systems may have well-honed cybersecurity protocols to prevent or mitigate such attacks, the growth of care-at-home technologies – including remote patient monitoring and hospital at home – has created another layer of concern.
Patients who are monitored or managed at home using a health system’s technology likely do not have such strict safeguards in place. In this interconnected world, patients could spread ransomware or other types of malware to their providers.
Milan Shah is chief technology officer at Biofourmis, a Boston-based virtual care and digital therapeutics technology vendor. Healthcare IT News interviewed him to discuss why criminals are targeting patients at home, how criminals are trying to access hospital and health system servers through patients’ homes, and what healthcare CISOs, CIOs and other security and IT leaders should be doing to protect their patients and organizations from these kinds of breaches.
Shah also talks about the experiences of a close family member undergoing remote patient monitoring at home.
Q. Why are cybercriminals targeting patients at home?
A. Around the world, threat actors have recognized that due to COVID-19, more people have been connecting with their providers using a computer or mobile device. That care has ranged from short, appointment-based telehealth visits all the way to continuous, around-the-clock remote patient monitoring.
“Monitoring” could more accurately be updated to “management” due to the level of streaming data that can now be collected and analyzed to guide clinical decision making.
Many patients are not as tech-savvy or as cybersecurity-aware as providers and staff in healthcare facilities – they might be less vigilant against attacks if they are feeling sick, fatigued or in pain. Threat actors recognize this vulnerability as well as the fact that RPM technology systems are accepting data traffic much more openly from the outside.
By hiding malicious code inside the flow of incoming data from patients – as we have seen is possible with vulnerabilities such as the Log4j flaw that was discovered in December – attackers hope to gain control of the rich data assets on those servers and exploit the deeper pockets of a health system through the ransomware attacks we see in the news.
While cyberattacks against consumers have been common since the advent of email, those specifically aimed at infiltrating and holding a health system’s data servers hostage through RPM technology are, at this point, quite rare. However, as adoption of virtual care continues to grow, expect the threat actors to shift their resources to these targets.
Q. How are they trying to access hospital and health system servers through patients’ homes?
A. Cybercriminals have deeply developed tools, techniques and practices that they apply to nearly all of their victims, whether that is a government or e-commerce website or electronic health record system. So far, the techniques used to gain access to health system data assets through patients are not new.
For example, just like with clinicians in the hospital, an attacker may attempt to spread malware through a fraudulent email sent to the patient, hoping they will click on an attachment or link that will enable the attacker to gain control of the patient’s device and then spread the software to the provider’s systems.
This cybersecurity risk grows exponentially if the patient uses their home computer or personal mobile device for RPM. Such devices are adequate for short, periodic telehealth visits with providers.
Personal devices, however, do not offer patients or providers adequate protection from a data breach for RPM, where active and passive data collection are more frequent, if not continuous. Providers cannot secure, control and monitor a patient’s personal device as they could with their own equipment.
Q. What should healthcare provider organization CISOs, CIOs and other security and IT leaders be doing to protect their patients and organizations from these kinds of breaches?
A. Simply put, C-level health system leaders need to give remotely managed patients a health system-owned, secured and “locked-down” mobile device to communicate and share data with providers.
Vendors that are well-versed in security can provide the devices as part of their engagement with the health system or hospital. The device may have Bluetooth and Wi-Fi capabilities to exchange data wirelessly, but it is not able to download third-party apps or use a web browser that enables the patients to click on a potentially malicious link.
The patient would use the digital tablet to input data from their monitoring devices, such as wearables that track various vital signs, and to conduct telehealth visits with providers in a hospital or clinic. The tablet may also enable the patient to access educational content such as videos and guides about their condition.
Other than this tightly focused set of capabilities, the tablet remains relatively unused – thus largely invisible to threat actors.
Simplicity also can make the tablet easy to use, which is a must for adherence. Keep in mind, if RPM is utilized as part of an acute hospital-level care-at-home program or for post-acute recovery, then the patient will not want to figure out how to operate a complex device or piece of software.
Nor will the patient be inclined to comply with a multi-step login procedure to verify their identity each time they want to use the device. Both the device and the RPM solution must require a minimal number of taps with very little required navigation by the patient.
Some CIOs may be tempted to offer the patient a secure app for their personal mobile device to reduce upfront expense, but that strategy could end up costing their organization more in the long run. An app is acceptable for short telehealth visits, but health systems are unnecessarily exposing their data systems to vulnerabilities if they are connected to a patient’s largely unsecured personal device for an extended period of time.
Q. You have a close family member being managed in his home remotely via wearable biosensors and a patient-facing dashboard. How has this remote patient monitoring/cybersecurity issue hit home for you?
A. My close family member has heart failure and is now also battling stage 4 cancer. Simultaneously managing both of these serious health conditions means he has been hospitalized several times. After every admission, he returns home stable, but weaker.
Now that he is using RPM, however, I have witnessed first-hand how his providers can detect signs of decompensation and intervene before he needs to call an ambulance or visit the emergency department.
For example, if they notice from the remote data collection that his heart rate is dropping below his personalized baseline at certain times of the day, they can call or arrange a video visit, learn about what he was doing when this is occurring, and adjust his medication based on all those factors.
On the other hand, if he visited his cardiologist about this low heart rate, it likely never would have gotten that low, because he was in the doctor’s office and his vitals would be elevated due to the travel, exertion and anxiety. The physician would have had less information to support their decision.
The RPM system my family member uses at home is incredibly simple. He wears a biosensor around his arm all day that can collect more than 20 physiologic signals, including basic vitals such as heart rate, temperature and respiration rate, as well as data on his sleep position and his movements during his daily activities, such as climbing steps.
Each day he uses his tablet to answer a few questions about symptoms or his medications and has a telehealth visit with one or more of his providers.
The importance of user experience, however, was really driven home when he had severe nausea one day. In a few taps, he was able to talk face-to-face with a provider, who was able to make him more comfortable.
I could not imagine how much more difficult it would have been if my family member had to find the correct app, type in a password or perform some type of two-factor authentication. He might have given up and gone to the hospital.
There have been several occasions like this. In all, I would estimate he has avoided three or four hospital admissions because his providers have been able to intervene and stabilize him at home. Not only has his quality of life improved, but his conditions are better managed now than they were before RPM.
It is not solely due to the care model, of course, because there is an amazing new medication for his type of cancer that is working very well for him. Our family is very fortunate in that sense, but we are also thankful for the RPM that enables him to remain at home, where he is most comfortable and able to rest.