Data on 29,000 Patients Potentially Exposed
Roosevelt General Hospital reported a malware infection on a medical imaging server impacting nearly 29,000 patients.
A breach stemming from malware infecting a medical imaging server at a small, rural New Mexico hospital serves as a reminder of medical equipment data security and privacy vulnerabilities and risks faced by facilities of all sizes.
In a statement, Portales, N.M.-based Roosevelt General Hospital says: “As soon as the breach was identified, the IT department immediately secured and restored the server and patient information was recovered,” the 22-bed hospital reports.
“An evaluation of server vulnerabilities has been performed, and all other risks have been mitigated. There is no evidence at this time that any patient data has been wrongfully used. … The malware identified on the radiology server was contained and terminated immediately upon detection. The breach did not affect our electronic health records or billing systems.”
Potentially exposed information includes patient names, addresses, birth dates, drivers’ license numbers, Social Security numbers and some insurance and medical information, the hospital says. The hospital did not identify the type of malware involved in the incident.
The hospital reported the breach to the Department of Health and Human Services as a hacking/IT incident involving a network server and affecting nearly 29,000 individuals, according to HHS’ Office for Civil Rights HIPAA Breach Reporting Tool website. Commonly called the “wall of shame,” the federal website lists health data breaches affecting 500 or more individuals.
The hospital did not immediately respond to Information Security Media Group’s request for additional information about the incident.
Growing Threat Landscape
While Roosevelt General says in its statement that the malware infecting a digital imaging server did not affect EHRs, the risk of medical device security incidents also affecting records systems is a growing worry, some experts say.
“The interplay between medical devices and electronic heath records creates a vulnerable threat surface that will only increase over time,” says Kevin Fu, a professor at the University of Michigan and founder and chief scientist of its Archimedes Center for Medical Device Security.
Many security and privacy incidents involving medical devices are never detected or publicized, some observers say.
“This happens for many reasons. The first one is that clinical engineering and IT [departments] are not aligned in terms of mission or reporting structure in most hospitals,” says former healthcare CIO David Finn, an executive vice president at security consulting firm CynergisTek.
“Most provider organizations have very little visibility into the medical device fleet. Even if they know they have the devices, they likely do not know what operating system or software it is running, when it was updated or patched or even where it is deployed on the network,” he says.
“There are times when a desktop is a desktop and there are times when it is a ‘medical device.’ Same with servers – if it is only ‘serving’ medical devices, clinical engineering may not want IT to touch it or IT may not want to touch but it really still another server. It may have been part of a purchase of imaging devices, so it goes undetected by purchasing or IT as a ‘server’.”
The healthcare sector faces threats and vulnerabilities “that neither clinical engineering, device makers, nor healthcare executives have quite caught up with,” Finn says. “This is what has to change.”
In recent years, white hat hackers have demonstrated plenty of potential scenarios of cyberattacks affecting the functionality of medical devices. And many device makers, as well as regulators, have issued alerts – and mitigation advice – about those concerns. (See FDA Issues Alert on Medical Device IPnet Vulnerabilities).
Safeguarding medical devices and related equipment “is not rocket science and it is not dissimilar to what you have to do with every other connected device,” Finn says.
“Understand that medical devices represent a real threat to the providers’ operations and patient safety. … Providers should validate that they have an accurate inventory – including information specific to medical devices, not just a standard IT inventory. And the medical device management process should be tightly integrated with the IT and/or security department so that compensating security controls can be implemented if the devices, themselves, cannot be secured.”
The medical device management process should also be tightly integrated with compliance and risk management efforts, Finn advises. “As we have learned, without oversight and attention at the appropriate management levels, these risks can adversely impact not only the provider’s security and privacy posture but also patient safety when devices are not available or cannot be trusted.”