Why are ophthalmologists easy prey?
Modern medicine has been pushed into a numbers game where optimal efficiency with low overhead is demanded. Few practices have dedicated IT staff who can protect, test, and monitor the security of the systems needed to keep an ophthalmology practice moving. Too often, this task is left to the staff member or doctor who has the most computer knowledge and spare time.
Combine this with the particular nature of ophthalmology practices and the vulnerabilities become frightening:
- Private exam rooms where patients are left alone behind closed doors with access to equipment
- Waiting rooms with WiFi access
- Low tolerance for business disruption
- High premium on reputation
- Staff with little or no training in IT security or cyber hygiene
- Typically well-funded
Then there is the imaging equipment. These and similar devices are driven by internal and external computers that are hard to update. Often, they contain patient information and are connected to networks.
A senior security engineer at Battelle estimates that 1 of every 4 medical devices is connected to a network. In and of itself this is fine, but the devices are also situated in such a way as to give easy and discreet access to patients and others.
Diagnostic and life support equipment, as well as therapeutic equipment, such as surgical lasers, can be hijacked, corrupted, and even have their settings altered and safety measures disabled.
It is predicted that by 2020, more than 25% of identified enterprise attacks will involve these and other connected devices that are part of the exploding Internet of Things (IoT). The consensus among security experts is that half of IoT products are insecure.
Some vendors are working to find ways to shield these devices from attack so that practices can continue to use legacy equipment securely.
If these devices are not properly backed up so that they can be restored, an attack can render some very expensive equipment useless.