Is remote patient monitoring the new target of cybercrime?

Healthcare organizations as a whole experienced an average of 109 cyber attacks per week in the past year, more than any other industry.

While hospitals and health systems may have good cybersecurity protocols in place to prevent or mitigate such attacks, the growth of in-home care technologies — including remote patient monitoring and in-home hospitalization — has created another layer of concern.

Patients who are monitored or managed at home with health system technology likely will not have such strict precautions. In this interconnected world, patients can spread ransomware or other types of malware to their providers.

Milan Shah is Chief Technology Officer at Biofourmis, a Boston-based retailer of virtual care and digital therapy technology. Healthcare IT News interviewed him to discuss why criminals target patients at home, how criminals are trying to gain access to hospital and health system servers through patients' homes, and what CIOs and other security and IT leaders should do to protect their patients and organizations from these types of violations.

Shah also talks about the experiences of a close family member who is a remotely monitored patient at home.

Q: Why do cybercriminals target patients at home?

A. All over the world, attackers have realized that due to COVID-19, more people are communicating with their providers using a computer or mobile device. This care ranges from short, appointment-based telehealth visits all the way to remote patient monitoring around the clock.

"Monitoring" can more accurately be updated to "management" due to the level of data flow that can now be collected and analyzed to guide clinical decision-making.

Many patients are not as tech-savvy or cybersecurity-aware as providers and staff in healthcare facilities – and may be less alert to attacks if they feel sick, overwhelmed, or in pain. The threat actors are aware of this vulnerability, as well as the fact that RPM technology systems accept traffic more openly from the outside.

By hiding the malicious code inside the flow of data from patients — as we've seen to be possible with vulnerabilities like the Log4j flaw discovered in December — attackers hope to gain control of the rich data assets on those servers and exploit the deep pockets of a health system through the ransomware attacks we see in the news.

While cyber attacks against consumers have been common since the advent of email, those that specifically aim to infiltrate health system data and servers and hold them hostage through RPM technology are very rare at this point. However, as adoption of virtual care continues to grow, expect threat actors to shift their resources to these goals.

Q: How do they try to access hospital servers and the health system through patients’ homes?

A. Cybercriminals have deeply developed tools, techniques, and practices that they apply to nearly all of their victims, be it a government website, an e-commerce website, or an electronic health record system. So far, the technologies used to access health system data assets through patients are not new.

For example, just as with doctors in a hospital, an attacker might try to spread malware through a fraudulent email sent to a patient, hoping that they would click on an attachment or link that would enable the attacker to take control of the patient's device and then spread the malware to the systems of the patient's provider.

The cybersecurity risk increases exponentially if the patient is using their home computer or personal mobile device for RPM. These devices are suitable for short and periodic visits to telehealth services with service providers.

However, personal devices of patients or providers do not provide adequate data breach protection for RPM where active and passive data collection is more frequent, if not continuous. Providers cannot secure, control, and monitor a patient’s personal device as they can using their own devices.

Q: What should CIOs and other IT and security leaders in a healthcare provider organization do to protect their patients and their organizations from these types of abuse?

A. Simply put, C-level health system leaders need to give remotely managed patients a "locked" mobile device that is owned by the health system and guaranteed to communicate and share data with providers.

Security-savvy vendors can provide devices as part of their interaction with a health system or hospital. The device may have Bluetooth and WiFi capabilities for wireless data exchange, but is unable to download third-party applications or use a web browser that enables patients to click on a potentially harmful link.

The patient will use the digital tablet to enter data from their monitoring devices, such as wearables that track various vital signs, and conduct telehealth visits with providers in a hospital or clinic. The tablet may also enable the patient to access educational content such as videos and guides about their condition.

Other than this highly concentrated set of capabilities, the tablet remains relatively unused – and thus largely invisible to threat actors.

Simplicity can also make the tablet easy to use, which is a must-have for the commitment. Keep in mind, if RPM is used as part of a home care program at the acute hospital level or for post-acute recovery, the patient will not want to know how to operate a complex device or part of the program.

The patient will not be tempted to comply with a multi-step login procedure to verify their identity each time they want to use the device. Both the device solution and RPM should require a few taps, with very little mobility required by the patient.

Some CIOs may be tempted to offer a secure application to the patient for their personal mobile device to reduce upfront expenses, but this strategy may cost their organization more in the long run. The app is acceptable for short telehealth visits, but health systems needlessly expose their data and systems to vulnerabilities if they are connected to a patient’s highly insecure personal device for an extended period of time.

Q: You have a close family member managed in their home remotely via wearable biosensors and a patient-facing dashboard. How has the problem of cybersecurity/remote patient monitoring affected your home?

A. One of my close family members suffers from heart failure and is now battling stage 4 cancer. Dealing with these two serious health conditions at the same time meant he was hospitalized multiple times. After each entry, he returns home stable, but weaker.

Now that he’s used RPM, however, I’ve seen firsthand how his providers can spot signs of noncompensation and intervene before he needs to call an ambulance or visit the emergency department.

For example, if they notice from remote data collection that his heart rate drops below his allotted baseline at certain times of the day, they can call or arrange a video visit, see what he was doing when that happened and adjust. Medication depends on all these factors.

On the other hand, if he visited his cardiologist about his low heart rate, it would probably never have dropped that far, because he was in the doctor's office and his vitals would be up due to travel, effort, and anxiety. The doctor had less information to support their decision.

The RPM system that my family member uses at home is very simple. He wears a biosensor around his arm all day that can collect more than 20 physiological signals, including basic vitals such as heart rate, temperature and respiratory rate, as well as data on his sleep position and movements during his daily activities, such as climbing steps.

Every day he uses his tablet to answer some questions about his symptoms or his medications, and he also has telehealth visits with one or more of his providers.

However, the importance of user experience was really driven home when he had severe nausea one day. In a few clicks, he was able to talk face to face with the provider, who was able to make him more comfortable.

I couldn't imagine how hard it would have been if my family member had to find the right app, type a password, or perform some kind of two-factor authentication. He may have given up and gone to the hospital.

There have been several such occasions. Altogether, I would estimate that he avoided three or four hospitalizations because his providers were able to step in and stabilize him at home. Not only has his quality of life improved, his conditions are now better than they were before RPM.

And it’s not just down to the model of care, of course, because there’s an amazing new drug for his type of cancer that’s working incredibly well for him. Our family is very fortunate in that sense, but we are also grateful to RPM for being able to stay in the home where he is most comfortable and able to rest.

Contact the author: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.