
Running head: CYBERSECURITY RISKS IN HOME HEALTHCARE 1

Cybersecurity Risks in Home Healthcare

Steven Zhang

ENLC 556 Management of Health Care System Quality Outcomes and Patient Safety

University of San Diego



Cybersecurity Risks in the Connected Home Healthcare Environment

We live in a world in which constant connectivity and instant feedback are the norm. Work, entertainment, and even healthcare can now be done from the comfort of your own home. In fact, home health care is one of the fastest growing healthcare sectors in the United States. According to Business Insider, “the U.S. home healthcare market is projected to grow about 7% annually from $103 billion in 2018 to $173 billion by 2026—outpacing growth in all other care types” (Business Insider). As such, the use of remote patient monitoring tech, telehealth, and various medical devices associated with home healthcare is expected to grow with it. As the number of medical devices used in the home setting increases, so does the risk of criminals and hackers stealing sensitive data for nefarious purposes.

Unlike in traditional healthcare organizations, cybersecurity for home healthcare presents unique challenges. According to ECRI Institute’s special report on the top 10 health technology hazards for 2020, the unique cybersecurity risks include “the reliability and dependability of the home network—which health care providers cannot control” (ECRI Institute, 2020), physical access to the device, since it is no longer within medical offices or hospitals, and the patient’s level of proficiency in using said medical devices correctly and safely (ECRI Institute, 2020). These three challenges will require healthcare cybersecurity experts to design robust systems and processes that ensure continuous connectivity between the patient and healthcare providers, ensure proper security to prevent protected healthcare information (PHI) from being stolen, and provide ease of use for non-medically trained patients and aides.

The implication of these challenges is that there is no standardized cybersecurity playbook for home healthcare. The technology is outpacing healthcare organizations’ ability to build safeguards to protect patient health and their PHI.



It is important to explore this topic because there are two major risks associated with failure to adequately reduce cybersecurity risks in a home healthcare environment:

1. Any delays and stoppages in connectivity between home care patients and their primary care physicians can result in misdiagnosis and delay in care, which could complicate and prolong recovery time.

2. Stolen PHI data can lead to loss of trust, stolen identity, and possible financial losses.

The goal of this paper is to provide healthcare organizations a high-level overview of the risks associated with home health and of what policies and technology can reduce the dangers of this increasingly connected world.

Literature Review

A total of five articles were selected to begin my research into cybersecurity in a home health setting. Each article discusses the importance of protecting medical devices used by health care organizations from criminals who will endanger both patient safety and their electronic protected health information. Each article acknowledges that health care organizations are slow compared to other industries in protecting their devices from cyber criminals, and that the best way to protect medical devices is to design devices with cybersecurity in mind. All of the authors argued that healthcare organizations, the federal government, and medical device manufacturers need to collaborate to build a system that will proactively address the ever-changing cyber threats.

In HealthCare Cybersecurity Risk Management: Keys to An Effective Plan, Cornado and Wong explored the need for increased cybersecurity protection in medical devices in a health care organization. The authors proposed a systematic approach, noting that “an effective device management plan also starts at the procurement stage” (Cornado & Wong), and that creating a standard operating procedure for cybersecurity events is necessary to relay information. Methodist Hospital of Southern California was used as an example to demonstrate organizational success when risk assessment, mitigation, and continual management improve patient physical safety and the protection of their electronic protected health information through medical devices.

The article Privacy by Design and Cybersecurity for Safe, Effective and Reliable Home Health Care for Aging in Place (Fournier, Molyneaux, Kondratova, & Ali) explores how advancements in modern medical technology can deliver safe, effective, and reliable home health care for senior citizens. It goes on to explore how remote monitoring can help seniors live more independent lives in their own homes. The technology reviewed in this article is a telehealth application for Android-based cell phones. The authors’ argument is that cybersecurity of medical devices designed for home health should be a proactive event, not a reactive one. This article highlights seven software design areas for medical device manufacturers.

Kramer and Fu’s Cybersecurity Concerns and Medical Devices: Lessons from a Pacemaker Advisory serves as a warning of the potential dangers of cybersecurity for home health medical devices. In 2016, there was an alert of a potential vulnerability in the wireless capabilities of pacemakers that were already implanted in patients’ bodies. Although no patient suffered harm from this vulnerability, the possibility of pacemakers being hacked highlights the potential dangers for not only pacemakers but the entire medical device industry. Healthcare organizations, the federal government, and medical device manufacturers will need to collaborate and improve security and privacy requirements as technology continues to advance at an exponential rate.

In Cybersecurity Vulnerabilities in Medical Devices: a Complex Environment and Multifaceted Problem (Williams & Woodward), the authors explored in depth the challenges associated with addressing cybersecurity concerns in medical devices. The goal is to find the balance between patient safety and PHI protection. The article explains that current federal regulation is not enough to ensure proper protection of patients’ safety and their PHI. It explores the current state of medical devices and recent attacks, and the current relationship between manufacturers and federal regulations. It explores the value of PHI to cyber criminals, their motivations, and where vulnerabilities lie within the current generation of medical devices. Ultimately, the authors’ main argument is that addressing cybersecurity of medical devices requires a “coordinated proactive approach that includes standard cybersecurity assessment and control, together with specific medical device data and workflow consideration” (Williams & Woodward).

Cybersecurity in Healthcare: A Systematic Review of Modern Threats and Trends (Kruse, Frederick, Jacobson, & Monticone) is an in-depth exploration of the current state of malicious cybersecurity tactics, identifying possible countermeasures to guard and protect patient safety and sensitive electronic protected health information inside medical devices. A team of researchers learned that the healthcare industry lags other industries in data protection. Thus, medical cybersecurity is becoming a prime target for criminals unless actions are taken to ensure proper protections are in place to protect patient well-being.

Identified Solution

The solution I would like to pursue is the proactive multifaceted development of cybersecurity technology intended for home use. Due to the complexity of healthcare cybersecurity, which involves compliance with the federal government (Health Insurance Portability and Accountability Act, Health Information Technology for Economic and Clinical Health Act, and the Federal Drug Administration), medical device manufacturers, healthcare organizations, and IT security experts, a systematic approach is necessary to build a proper foundation for medical device companies to build upon. Without this proactive collaborative system, medical devices will continue to be a prime target for cyber criminals who will not only steal vital patient information but also jeopardize the safety of patients.

A collaborative taskforce comprised of cybersecurity experts, IT professionals, medical professionals, healthcare organizations, and the government needs to work together to build new unified regulatory standards for medical devices. The complexity of medical devices used in the home healthcare environment requires a comprehensive approach to address its cybersecurity concerns.

Currently, cybersecurity management for medical devices is segmented amongst various groups that work independently of each other. Each stakeholder (clinicians who monitor the machines, IT and network specialists who ensure connectivity, cybersecurity experts who protect the data, the government, which sets certain regulations, and the patients who use the devices) creates ad hoc relations with medical device companies to build machines that meet their own specific needs. Due to the vast differences between stakeholders, a meaningful holistic collaboration is needed to build a multifaceted process to mediate a system that protects patient safety and ePHI.

Once established, specific new policies can be created at the national level to create a baseline protection for all medical device companies to follow. The current trend of technical advances is outpacing the FDA’s ability to keep up, and thus a more aggressive plan is needed to ensure that manufacturers have up-to-date and specific requirements for medical companies to follow.

A standardized system of feedback and notification is needed for medical devices so the information can flow quickly to this new team. Once the report is analyzed, cohesive feedback can be given to respond to these cybersecurity risks.

Auditing is another aspect of cybersecurity that needs to be standardized and agreed upon by the government, medical device companies, and health care organizations. Auditing ensures that the agreed rules are being followed and that the highest level of care is given to patients and their families.

The creation of this cybersecurity medical devices taskforce will improve the safety and trust of patients who use home health services. This multifaceted approach to developing cybersecurity measures will ensure a holistic mitigation of cybersecurity risk for medical devices. Thus, patients and clinicians can have peace of mind knowing that medical devices that meet these requirements are safe and protected from cyberattacks. Whether at the hospital or at home, patients can be assured that medical devices in any hospital or home environment will protect patient information.

A Failure Mode Effects Analysis is a tool used to measure possible failure points within a flow chart process. The likelihood of occurrence, likelihood of detection, and severity are measured to create a risk profile number, which is then used to determine which issues should be addressed first.

Quality Measure

The quality outcome that will be measured is a reduction in the number of cybersecurity breaches related to medical devices. The creation of a unified set of federal cybersecurity regulations/standards will make it easier for companies to follow. The program team that leads the cybersecurity taskforce will oversee measuring the quality outcome of their solution.

Benchmarking will be done before the implementation of our solution to capture the current state of cybersecurity in the home health setting. This is done to create a baseline against which to measure the effects of the new streamlined regulations, to see whether they made a positive or negative impact. The benchmarking process will allow team members to collect data from the past 20 years and record all successful and attempted theft of ePHI, malicious network hijacks and/or stoppages, and any medical device issues that lead to adverse patient events.

The data will be collected and presented in a control chart. This method was chosen because we are recording data over an extended period. Data will be pulled from the national database of adverse events. The control chart is the ideal method of measurement since it records the number of incidents over an extended amount of time. Additionally, with the addition of statistics, one can say with a certain percentage of certainty whether this solution is producing the results we are expecting.

Measurements after the implementation of our proposed solution will be done once every quarter. Data will be collected for the following: adverse events directly affecting patients, compliance from medical device manufacturers, and new risks that are not being addressed by our current set of regulations. Once a year, the taskforce will get together to review the year’s findings and adjust the current policies to stay up to date with the ever-evolving world of cybersecurity.

Conclusion

Cybersecurity of medical devices in the connected home healthcare environment requires new century thinking. The complexity of delivering dependable and safe care for patients in a home healthcare environment has never been greater. Current federal regulations cannot keep up with the exponential growth of technology over the past few decades.

The articles selected in this review showcase the known vulnerabilities in the current cybersecurity of medical devices. Various industries within the healthcare industry build requirements and regulations within their own niche; however, a holistic cybersecurity taskforce comprised of healthcare organizations, medical device companies, and cybersecurity experts has never been attempted.

This taskforce, backed by the United States Federal Government, will be comprised of a holistic group of healthcare industry leaders from both the clinical and technology sides. They will work together to build a set of regulations and security requirements that can effectively reduce the risk of potential cybersecurity attacks within the healthcare system.

Further research will be needed to explore alternative ways to address cybersecurity in a home health environment. Specifically, a new programming language or the use of blockchain can be customized to fit the privacy and security needs of patients and healthcare organizations.

References

Alkhatib, S., Waycott, J., Buchanan, G., & Bosua, R. (2018). Privacy and the internet of things (IoT) monitoring solutions for older adults: A review. Studies in Health Technology and Informatics, 252, 8–14. Retrieved from https://pubmed.ncbi.nlm.nih.gov/30040675/

Cornado, A. J., & Wong, T. L. (2014). Cybersecurity risk management: Keys to an effective plan. Biomedical Instrumentation & Technology: Cybersecurity In Healthcare, 48(s1), 26–30. doi:10.2345/0899-8205-48.s1.26

Dzissah, D. A., Lee, J. S., Suzuki, H., Nakamura, M., & Obi, T. (2019). Privacy enhanced healthcare information sharing system for home-based care environments. Healthcare Informatics Research, 25(2), 106–114. doi:10.4258/hir.2019.25.2.106

Herzog, A., & Lind, L. (2003). Network solutions for home health care applications. Technology and Health Care: Official Journal of the European Society for Engineering and Medicine, 11(2), 77–87.

Lin, C. H., Young, S. T., & Kuo, T. S. (2007). A remote data access architecture for home-monitoring health-care applications. Medical Engineering & Physics, 29(2), 199–204. doi:10.1016/j.medengphy.2006.03.002

Williams, P. A., & Woodward, A. J. (2015, July 20). Cybersecurity vulnerabilities in medical devices: a complex environment and multifaceted problem. Retrieved from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4516335/

Appendix A

Implementation Process Map For New Cyber Security Task Force

1. Start (two parallel tracks):
   - A health care organization, clinicians, nurses, and frontline staff leaders meet and discuss their requirements for medical devices.
   - Healthcare IT experts and cyber security experts formulate a plan that can minimize the risk of medical devices designed for home health.

   Decision: Industry leaders selected and list of suggestions of security requirements made for medical devices?
   - No: each track goes back and repeats until a collective list of requirements is completed.
   - Yes: continue to step 2.

2. New Medical Device Security committee is formed with industry leaders and the federal government.

3. A standardized requirement of security for medical devices is agreed upon and put into motion.

4. New laws are established for all medical device companies to follow, along with a plan to bring current devices up to this standard.

5. Stop: Annual reviews of current requirements, with necessary updates made to address new security threats.

Appendix B

Potential Solutions for Failure modes

Table A1

1 Process step (#1): Industry experts formulate a set of requirements that can minimize the risk of medical devices designed for home health.

| 2 Potential failure mode | Key industry leaders missing from conference | Unable to come up with a collective agreement | Too many or too basic requirements |
| --- | --- | --- | --- |
| 3 Potential cause(s) | Scheduling, issues with other responsibilities; lack of interest, failing to see the benefits of attending; doesn’t understand the mission and vision of this process; travel visa issues from abroad | Siloing; entrenched ideas; poor collaboration; industry politics; active sabotage | Unclear instructions; poor facilitation/moderators - challenging attendants to come up with creative and innovative ideas; poor meeting setup and no filtering to weed out bad ideas and goals |
| 4 Severity | 5. Unprecedented event, as something of this caliber has not been done before. There are many moving pieces. | 5. Unprecedented event, as something of this caliber has not been done before. There are many moving pieces. | 5. Unprecedented event, as something of this caliber has not been done before. There are many moving pieces. |
| 5 Probability | Frequent | Frequent | Frequent |
| 6 Hazard score | 8 | 8 | 8 |
| 7 Action (eliminate, control, or accept) | Eliminate | Eliminate | Eliminate |
| 8 Description of action | Early communication explaining the importance of this committee and the future of cyber security for medical devices; get leaders in their specific industry to buy into the program and use their status to attract more companies to attend | Strong moderator to control and provide feedback; set clear guidelines and expectations of the outcome of this event; strong trainers and facilitators to provide leadership; use data to help push decisions | Strong moderator to control and provide feedback; set clear guidelines and expectations of the outcome of this event; strong trainers and facilitators to provide leadership |

Table A2

1 Process step (#2): New Medical Device Security committee is formed with industry leaders and the federal government

| 2 Potential failure mode | Too many or too basic requirements - each industry wants to put all their requirements onto the federal standard | Lack of commitment throughout this process | Unable to work collaboratively |
| --- | --- | --- | --- |
| 3 Potential cause(s) | Poor selection process. Lack of engagement; poor guidelines and understanding of the selection process. Failure to build a culture of collaboration | Too many/not enough committee meetings. Poor process; unproductive meetings causing a loss of interest; office politics | Poor facilitator; poor program setup to nurture collaborative environment; failure to negotiate, focusing on positions, not interest |
| 4 Severity | 5. This can delay the progression of the project and lead to a waste of time and resources | 5. This can delay the progression of the project and lead to a waste of time and resources | 5. This can delay the progression of the project and lead to a waste of time and resources |
| 5 Probability | Frequent | Frequent | Frequent |
| 6 Hazard score | 8 | 8 | 8 |
| 7 Action (eliminate, control, or accept) | Control | Eliminate | Control |
| 8 Description of action | Strong moderator to control and provide feedback; employ lean, agile, and other collaboration processes | Clear guidelines and nurturing a collaborative process; employ lean, agile, and other collaboration processes | Clear guidelines and nurturing a collaborative process; employ lean, agile, and other collaboration processes |

Table A3

1 Process step (#3): A standardized requirement of security for medical devices is agreed upon and put into motion

| 2 Potential failure mode | New rules too strict. Making this industry too regulated | Rules are too lax - loopholes and no real improvement from current regulations | Disconnect between what the federal government can do and what companies want to implement |
| --- | --- | --- | --- |
| 3 Potential cause(s) | Drifting from the originally agreed-on list from industry meeting in step 1; overzealous and overly ambitious, scope drift | Facilitators and moderators failed to balance out moderate and fair regulation proposals | Expectations were not properly built during the regulation building process; private companies’ terminology not being translated correctly into government speak |
| 4 Severity | 5. Failure at this point could delay the project by months and possibly years | 5. Failure at this point could delay the project by months and possibly years | 5. Failure at this point could delay the project by months and possibly years |
| 5 Probability | Frequent | Frequent | Frequent |
| 6 Hazard score | 8 | 8 | 6 |
| 7 Action (eliminate, control, or accept) | Control | Control | Control |
| 8 Description of action | Clear guidelines and nurturing a collaborative process; trust building among the group | Clear guidelines and nurturing a collaborative process; trust building among the group | Clear guidelines and nurturing a collaborative process; trust building among the group |

Table A4

1 Process step (#4): New laws are established for all medical device companies to follow, along with a plan to bring current devices up to this standard

| 2 Potential failure mode | Laws took too long to enact, already outdated by the time it’s put into law | Political gridlock and potential partisanship | No new system to enforce these new standards |
| --- | --- | --- | --- |
| 3 Potential cause(s) | Decision making process took too long. Not enough meetings or processes to avoid deadlock | Government not doing enough to clear the path for these new standards. | Project planning process needs to be discussed to talk about enforcement and education |
| 4 Severity | 5. This can delay the progression of the project and lead to a waste of time and resources | 5. This can delay the progression of the project and lead to a waste of time and resources | 5. This can delay the progression of the project and lead to a waste of time and resources |
| 5 Probability | Frequent | Frequent | Frequent |
| 6 Hazard score | 8 | 8 | 6 |
| 7 Action (eliminate, control, or accept) | Control | Control | Control |
| 8 Description of action | Use agile and lean techniques to ensure proper execution; team trust and collaboration | Use agile and lean techniques to ensure proper execution; team trust and collaboration | Use agile and lean techniques to ensure proper execution; team trust and collaboration |

Table A5

1 Process step (#5): Annual Reviews of current requirements and makes necessary updates to address new security threats.

| 2 Potential failure mode | Poor auditing. How many companies are registered | Unable to keep up with current threats | Feedback process is too slow |
| --- | --- | --- | --- |
| 3 Potential cause(s) | Poor planning of enforcement and accountability | Not enough manpower to continue tracking current security threats | Lack of state and local support of program |
| 4 Severity | 5. This can delay the progression of the project and lead to a waste of time and resources, risking this project being canceled | 5. This can delay the progression of the project and lead to a waste of time and resources, risking this project being canceled | 5. This can delay the progression of the project and lead to a waste of time and resources, risking this project being canceled |
| 5 Probability | Frequent | Frequent | Frequent |
| 6 Hazard score | 8 | 8 | 4 |
| 7 Action (eliminate, control, or accept) | Control | Control | Control |
| 8 Description of action | Strong project management role - secure proper funding from government | Positive working relationship with industry leaders | Strong project management role - secure proper funding from government |

Appendix C

Failure Mode Effects Analysis

| Steps in the process | Failure Modes | Failure Causes | Failure Effects | Likelihood of occurrence | Likelihood of detection | Severity | Risk Profile Number | Actions to reduce Occurrence of failure |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Key industry leaders missing from conference | Scheduling, issues, lack of interest | Incomplete picture of the current landscape of security in their specific industry | 5 | 3 | 5 | 75 | Early communication explaining the importance of this committee, future of cybersecurity for medical devices |
| 1 | Unable to come up with a collective agreement | Siloing, entrenched ideas, poor collaboration, company politics | Incomplete picture of the current landscape of security in their specific industry | 5 | 3 | 5 | 75 | Strong moderator to control and provide feedback |
| 1 | Too many or too basic requirements | Unclear instructions, poor facilitation/moderators | Poor quality requirements and to be submitted to the committee | 5 | 5 | 3 | 75 | Strong moderator to control and provide feedback |
| 2 | Too many/too few members selected for this committee | Poor selection process. Lack of engagement. | Waste of time, energy, and money. Poor outcome | 5 | 5 | 5 | 75 | Strong moderator to control and provide feedback |
| 2 | Lack of commitment throughout this process | Too many/not enough committee meetings. Poor process | Waste of time, energy, and money. Poor outcome | 5 | 4 | 5 | 100 | Clear guidelines and nurturing a collaborative process |
| 2 | Unable to work collaboratively | Poor facilitation, poor expectations, poor communication | Waste of time, energy, and money. Poor outcome | 5 | 4 | 5 | 100 | Clear guidelines and nurturing a collaborative process |
| 3 | New rules too strict. Making this industry too regulated | Drifting from the originally agreed-on list from industry meeting in step 1 | Poor outcome, delay outcome, | 5 | 5 | 5 | 125 | Clear guidelines and nurturing a collaborative process |
| 3 | Rules are too lax - loopholes and no real improvement from current regulations | Facilitators and moderators failed to balance out moderate and fair regulation proposals | Poor outcome, delay outcome, | 5 | 5 | 5 | 125 | Clear guidelines and nurturing a collaborative process |
| 3 | Disconnect between what the federal government can do and what companies want to implement | Expectations were not properly built during the regulation building process. | Delayed outcome and high cost of | 5 | 4 | 5 | 125 | Clear guidelines and nurturing a collaborative process |
| 4 | Laws took too long to enact, already outdated by the time it’s put into law | Decision making process took too long. Not enough meetings or processes to avoid deadlock | Loss of public trust, loss of industry leader interest | 5 | 5 | 5 | 125 | Strong project management role - secure proper funding from government |
| 4 | Political gridlock and potential partisanship | Government not doing enough to clear the path for these new standards. | Loss of public trust, loss in credibility | 5 | 4 | 5 | 120 | Strong project management role - secure proper funding from government |
| 4 | No new system to enforce these new standards | Project planning process needs to be discussed to talk about enforcement and education | Loss of public trust, loss in credibility | 5 | 5 | 5 | 125 | Strong project management role - secure proper funding from government |
| 5 | Poor auditing. How many companies are registered | Poor planning of enforcement and accountability | Loss of public trust, loss in credibility | 5 | 5 | 5 | 125 | Strong project management role - secure proper funding from government |
| 5 | Unable to keep up with current threats | Not enough manpower to continue tracking current security threats | Loss of public trust, loss in credibility | 5 | 4 | 5 | 120 | Positive working relationship with industry leaders |
| 5 | Feedback process is too slow | Lack of state and local support of program | Loss of public trust, loss in credibility | 5 | 4 | 5 | 120 | Strong project management role - secure proper funding from government |
