Patient data need protection | Bangkok Post: tech

The increasing integration of medical devices in hospital networks and the use of off-the-shelf technologies increases the risk of faulty devices and can threaten the security of patient information stored in various systems.

The integration of devices can lead to an open enterprise network being attacked easily, compromising the protected health information (PHI) system, according to a report on medical equipment management and cyber security by Integrating the Healthcare Enterprise (IHE), an international group that deals with medical technology.

Medical devices are mostly sourced from different vendors with proprietary hardware and software systems. Manufacturers are keen to develop platforms and systems to support various vendors' applications. Consequently, maintaining and upgrading those systems can be costly and time-consuming.

For instance, most hospitals purchase all of their infusion pumps from a single manufacturer in order to minimise training time and costs while optimising maintenance. Bulk buying also leads to better discounts.

However, providers need to weigh the benefits of integration against the possibility of virus attacks, as huge damage could result if the entire medication delivery system has to be shut down for repairs.

Viruses are getting more sophisticated and many can spread by themselves once a virus infects one device or workstation, which could compromise the monitoring systems of all patients.

In the field of networked medical devices, there are two different areas of concern: privacy, especially the protection of PHI stored on or transmitted by a device; and security, or the protection of the device itself against cyber threats.

The IHE researchers said that while they had not seen any targeted attacks on medical devices, there were cases where devices became casualties of a larger malware outbreak, or where a device was the entry point for an attack.

Thailand needs to be aware of the challenges and address security in healthcare including data privacy and protection of the citizen, said Dr Sutee Tuvirat, a member of the executive committee of the Thai Medicine Informatics Association.

The Public Health Ministry can play an important role as a regulator in healthcare security, similar to the way the Bank of Thailand regulates online banking, he said.

"Security in healthcare has a direct impact on patients' lives, unlike security in banking [where breaches can lead to] losses of money," he said. "Over the last two years, the association has tried to raise this issue but with little response from healthcare providers, as evidenced by the lack of implementation of ISO 27001 security standards."