Consider vulnerabilities that can be exploited remotely and the level of skill required to execute exploitation.
Earlier this month, I wrote an article addressing the importance of including automated dispensing cabinets (“ADCs”) in the annual risk analysis required under the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (Aug. 1996) (“HIPAA”) Security Rule, 45 CFR § 164.308(a)(1)(ii)(A). In light of the spike in cybercrime attacks on the healthcare sector and other sectors during the coronavirus pandemic, this is one area not to overlook: hospitals, as well as other providers and business associates, are “deeply vulnerable” to attack.
To further clarify the vulnerabilities associated with ADCs, I drew on my past experience as an operating room aide, a dietary aide, and a spinal implant sales representative, roles in which I saw various types of ADCs used on a daily basis. First, consider the cabinets that are similar to ADCs but dispense items other than medications. For example, Becton, Dickinson and Company (“BD”) is a market leader in both medication and supply management platforms. Both types of platform document utilization, require each member of the medical staff to log in with an individual username and password, and create, receive, maintain or transmit protected health information (“PHI”) about the items (medication or supplies) dispensed and charged to a particular patient.
Having established that an ADC or other supply management platform should be part of any risk analysis, there are some key items to focus on. First, consider vulnerabilities that can be exploited remotely. Second, look at the level of skill required to exploit each vulnerability. Next, examine the adequacy of policies and procedures. Finally, assess the technical, administrative and physical safeguard requirements of the Security Rule in relation to prevention, detection and correction.
Here are some specific examples, which the Department of Homeland Security (“DHS”) noted as being problematic for BD:
Additionally, in 2016, security researchers found 1,417 remotely exploitable flaws in CareFusion’s Pyxis SupplyStation. “715 of those vulnerabilities in ‘automated supply cabinets used to dispense medical supplies’ have a severity rating of high or critical.”
The take-aways from this article and the article published earlier this month cannot be stressed enough. Many covered entities and business associates overlook automated dispensing machines in their risk analysis, despite knowing that cybercriminals are looking for ways to exploit vulnerabilities in the healthcare sector. In light of COVID-19 and the increase in cyberattacks, an adequate risk analysis, together with policies, procedures and related controls, is crucial.
Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.