The health care profession has undergone massive digitization in recent years with the emergence of interconnected medical devices and the broader exchange of health care information.
In less than a decade, nearly all hospitals and physician offices have adopted electronic health record (EHR) systems. While long term and post-acute care (LT/PAC) adoption of EHRs still lags behind other settings, referring and treating providers, pharmacy vendors, and others have helped speed up EHR adoption.
 
Many LT/PAC providers face unique resource challenges due in part to budget constraints, such as inadequate information technology (IT) infrastructures, staffing constraints, and various barriers across multiple facilities. Experts have found that these providers “are implementing or updating their IT systems in a gradual but haphazard manner,” according to a 2014 issue of the Journal of Health Organization and Management. This leaves the LT/PAC community particularly vulnerable to cybersecurity threats.

Protecting Against Attacks

Some of the largest and most widespread cybersecurity attacks in recent memory made headlines in 2017. And 2018 is off to a quick start. In early January, the Spectre and Meltdown vulnerabilities, which impacted nearly all computer and mobile devices, were exposed. These vulnerabilities are flaws in Apple and PC hardware that would allow attackers to gain access to data previously considered protected. In response, manufacturers quickly issued updates to existing software to protect against these exploits.

As the year progresses, LT/PAC providers should make cybersecurity a priority, watching out for these four threats and taking steps to protect against them.
 
1. Vendor Failure to Protect Data
Since the adoption and implementation of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, health care providers have been required to place some focus on third-party vendors that access or use protected health information (PHI) through the required business associate agreements. These are typically formal documents required to be in place between providers and vendors that use or access PHI, and they spell out certain obligations of the vendor related to its access and use of PHI. Yet vendor breaches remain one of the largest causes of security failures, with an estimated two-thirds of all breaches being directly or indirectly related to third-party vendors.

Vendor services are a necessary component of the health care profession. This is certainly true for the LT/PAC community, as critical areas are often handled by vendors, including pharmacy, therapy, and billing services. These vendors are almost always business associates, as that term is used under HIPAA. While many providers will have business associate agreements placing certain security requirements on such vendors, this alone is not enough. In 2016, a business associate’s failure to safeguard nursing facility residents’ data resulted in a $650,000 HIPAA settlement.

LT/PAC providers, in addition to having a compliant business associate agreement in place, should perform periodic third-party vendor assessments. These assessments should evaluate the access to data and systems—ensuring access is limited to only the minimum data necessary for that vendor to perform its duties, that appropriate HIPAA security standards protecting the data are implemented (such as encryption, data backups, and having a designated individual responsible for information security), and that key policies are in place and followed.  
 
2. Interconnected Medical Devices
The potential vulnerabilities in medical devices have long been on providers’ radar. Successful hacks dating back to 2011 have affected a variety of medical devices, ranging from insulin pumps to pacemakers. LT/PAC providers frequently serve the aging population that enters their centers with such devices. Further, medical devices used in providing therapy, monitoring patients, and so on that are connected to a broader computer network may be used as easy targets for attackers to gain unauthorized access.

In 2013, the U.S. Department of Homeland Security issued a warning that 300 medical devices tested for cybersecurity vulnerabilities all failed to meet minimum standards. This warning spurred the U.S. Food and Drug Administration to issue recalls and, in 2016, to issue cybersecurity guidance for medical devices.

Congress took notice, and the Medical Device Cybersecurity Act of 2017 was introduced. Although the bill failed to pass, by all indications, regulatory and legislative actions seeking to address this concern will continue in 2018. 

In the meantime, medical devices remain extremely vulnerable. Unlike other devices that receive multiple and frequently automatic updates that may protect against certain security holes, medical device manufacturers remain slow to update their products, and the process for implementing updates may not be user-friendly.

Further, the fact that hospitals and similar health care entities “typically have 300 to 400 percent more medical equipment than IT devices” provides more possible targets for hackers seeking access to a provider’s networks, according to the website of the Healthcare Information and Management Systems Society. 
 
3. Mobile Device Vulnerabilities and Use
While medical devices present easy gateways into networks because patches for potential vulnerabilities are lacking or difficult to apply, LT/PAC providers that permit their workforce to use mobile devices may face additional security issues.

During 2017, two key security issues impacting nearly all mobile devices made headlines. First, during the 2017 DEF CON hacking conference, researchers demonstrated the “Broadpwn” vulnerability, which exploited the Broadcom Wi-Fi controller used in nearly all cell phones, allowing an attacker to take over the device and further infect other connected devices and networks.

Following Broadpwn, Belgian researchers announced a flaw in nearly all Wi-Fi-connected devices known as “Krack,” which, like Broadpwn, allowed attackers access to devices through their wireless connection, with mobile devices being particularly vulnerable to such attacks. In both cases, mobile device manufacturers quickly released updates and patches to protect against such attacks, but unless the user applies these updates, the devices remain vulnerable.

These types of attacks, along with malware applications users may place on their phones unwittingly, present low-hanging fruit that attackers will continue to exploit in 2018. At a minimum, providers should have a “Bring Your Own Device” (BYOD) policy in place and educate their workforce regarding the guidelines, including that staff update their devices regularly to protect against malicious applications. 
 
4. Ransomware
Ransomware is malware that exploits vulnerabilities in a system to encrypt or remove access to the information contained on the system. The infected system displays a message informing users that their data will not be released unless they pay the demanded ransom. Industries where access to information is critical to providing services—such as health care—are particularly targeted by such attacks.

Providers will remember 2017 as the year of large ransomware attacks, starting with WannaCry, which spread to over 150 countries and infected more than 400,000 computers and other devices in just two days. The United Kingdom’s National Health Service was hit hardest by this attack, causing it to cancel nearly 7,000 appointments—including operations—as a direct result.

Providers in the United States were also affected by this attack, as were medical devices such as Bayer’s MedRad device that assists in MRI scans.

WannaCry was followed by another global ransomware attack in June 2017 known as NotPetya. Several health care entities were impacted by this attack, including Merck, one of the largest pharmaceutical manufacturers in the United States. Although the largest providers hit by these attacks were named in the news coverage, ransomware attackers typically take a quantity-over-quality approach, wanting to affect as many systems and entities as possible to increase the number and likelihood of payouts.

LT/PAC providers that lack sophisticated and updated IT systems remain extremely vulnerable to ransomware attacks. At a minimum, providers should update their security policies to address ransomware and develop a response plan should they find themselves under attack. 

These four potential areas of cybersecurity concern, along with many others (such as employee error), will continue to trouble LT/PAC providers in 2018. They should take steps to protect their IT systems; the medical, financial, and sensitive information they create; and the patients they serve.
 
Bradley J. Sayles is Of Counsel in the Nashville office of Nelson Mullins Riley & Scarborough, where he practices health care law. He assists clients in navigating the highly regulated health care landscape to ensure they are compliant with industry standards and state and federal laws. He can be reached at: Brad.Sayles@NelsonMullins.com or 615-664-5329.