The Crucial Cybersecurity Needs of Healthcare Technology

August 25, 2022

What if someone hacked the x-ray equipment in your doctor’s office to deliver a lethal dose of radiation? Could that actually happen?

Cybersecurity in the health industry is a huge and growing field. When the Health Insurance Portability and Accountability Act (HIPAA) passed in 1996, it ushered in an avalanche of new practices surrounding the privacy of patient health information. Medical providers and other entities were required to take whatever steps were needed to ensure that sensitive health data in electronic form was protected against security threats.

Reviews of the effectiveness of HIPAA in achieving its aims are mixed. However, the legislation did attempt to establish, and enforce compliance with, thorough standards for safeguarding sensitive medical data.

No such comprehensive legislation exists to monitor or regulate the security of the tangle of other medical systems that rely on electronic communications.

Officially, regulation of medical devices falls under the purview of the U.S. Food and Drug Administration (FDA). In 2013, this agency was galvanized to issue its first-ever guidance on cybersecurity issues after a hacker demonstrated that an insulin pump could be compromised to deliver a fatal overdose. Since then, additional advisories have been issued as concerns have intensified regarding risks surrounding implantable devices.

But that’s just one division of the enormous medical goliath that has transformed the American economy over the last 20 years. Medical spending now accounts for close to 20 percent of the entire GDP, tempting actors both mischievous and malevolent into tampering with the sector’s electronic data. Just this month, The Washington Post reported that the technology powering the nation’s organ transplant network is out-of-date and has crashed for lengths of time that threaten the viability of organs waiting for transplant.

The internet of things offers especially attractive opportunities for hackers bent on malfeasance. Intrusion on a single device could permit data corruption across a broad swath of records and interconnected equipment. Altering a patient’s diagnosis, for instance, could result in improper medication, dosing, testing or even surgery. But device manufacturers often lack sufficient staff or budgeting to fully secure their own products.

In April of this year, the FDA released a draft version of new recommendations regarding medical device cybersecurity. This guidance was last updated in 2018. Some observers question whether this frequency is appropriate to the gravity of the threat posed by new technology.

For fiscal year 2023, the FDA is requesting a medical device cybersecurity budget of $5.5 million. Contrast this with the $5 million to $20 million the average mid-size American corporation will spend annually on cybersecurity.

However, interim FDA publications have addressed guidance on software functions, and on the development of devices reliant on artificial intelligence and machine learning. At least some healthcare executives believe the US is actually ahead of other countries in developing effective monitoring and regulation in these areas.

Only about 3 percent of American college graduates have any cybersecurity-related skills, in a job market that currently offers several million unfilled cybersecurity positions. As Robert Herjavec, CEO of the cybersecurity firm Herjavec Group and of Shark Tank fame, notes: “If you know cybersecurity, then you have a job for life.” For those dependent on the American healthcare system, attracting new talent to this field is more critical than ever. Capitol Tech’s own cybersecurity program offers a full range of training in the science, and has been designated a National Center of Academic Excellence by the National Security Agency and Department of Defense. Capitol Tech also offers a Ph.D. in Healthcare Cybersecurity, for those who are abundantly passionate about making groundbreaking discoveries in the realm of healthcare cybersecurity research.

For curious Master's-level students with inquisitive and data-driven minds, Capitol Tech also offers a Master's in Healthcare Data Analytics.


Works cited:

FDA releases Medical Device Cybersecurity Draft Guidance. Healthcare IT News. (2022, April 12). Retrieved August 25, 2022, from https://www.healthcareitnews.com/news/fda-releases-medical-device-cybersecurity-draft-guidance

Jaret, P. (2018, November 12). Exposing vulnerabilities: How hackers could target your medical devices. AAMC. Retrieved August 25, 2022, from https://www.aamc.org/news-insights/exposing-vulnerabilities-how-hackers-could-target-your-medical-devices

Kijewski, M. (2022, June 13). Council post: Medical device manufacturers need to act as regulators sharpen their cybersecurity guidelines. Forbes. Retrieved August 25, 2022, from https://www.forbes.com/sites/forbestechcouncil/2022/06/10/medical-device-manufacturers-need-to-act-as-regulators-sharpen-their-cybersecurity-guidelines/?sh=13edeb965dd6

Macy, D. (2022, January 24). How much do companies spend on cybersecurity? Security Forward. Retrieved August 25, 2022, from https://www.securityforward.com/how-much-do-companies-spend-on-cybersecurity/#:~:text=As%20per%20a%20Deloitte%20report,annual%20IT%20budget%20in%20cybersecurity.

Only 3 percent of U.S. bachelor’s degree grads have cybersecurity ... (n.d.). Retrieved August 25, 2022, from https://cybersecurityventures.com/only-3-percent-of-u-s-bachelors-degree-grads-have-cybersecurity-related-skills/

Wetsman, N. (2022, August 1). The US organ transplant network is built on shaky technology, reports say. The Verge. Retrieved August 25, 2022, from https://www.theverge.com/2022/8/1/23287266/unos-organ-transplant-network-tech-us