Cybersecurity in Augusta

even created until passage of the Health Insurance Portability and
Accountability Act of 1996, the law more commonly known as HIPAA.
The retired Army signal officer said there is plenty of room to
innovate in an industry that has historically protected patient medical
records by locking them away in filing cabinets.
Stealing paper-based information would have required subterfuge
or possibly a burglary. Now, skillful criminals can look for weaknesses
in systems from the comfort of their own homes to find a treasure
trove of data.
“The last time I checked, health care data was about five times
more valuable than credit card data,” Nowatkowski said. “If somebody
steals your credit card data, you can easily cut that card in half
and get another one. Your health care records have your address,
phone number and a lot of other information that can’t be easily
In many ways, the devices monitoring patients at their bedside are
not much different than the systems chemical manufacturers use to
regulate ingredients in their production lines, or the controls public
utilities use at water/sewer treatment plants.
Retailer Target Corp.’s now infamous data breach in 2013, for
example, was traced to a third-party HVAC contractor that did work
at numerous Target stores. Using the contractor’s stolen credentials,
thieves were able to access the company’s network and its point-ofsale
machines in checkout lines.
“By looking at medical devices, the hope is whatever we can improve
also can be used in any other embedded system or any other
internet-of-things device,” Nowatkowski said.
He envisions field testing improvements in health care devices at
“virtual” facilities such as AU’s Interdisciplinary Simulation Center,
Your health care records have your
address, phone number and a lot of other
information that can’t be easily changed,
so it’s much more valuable.
Dr. Michael Nowatkowski
Dr. Michael Nowatkowski, an associate professor with Augusta University’s School of
Computer and Cyber Sciences, points out potential security flaws in a medical device in
a classroom at the Georgia Cyber Center. [DAMON CLINE/THE AUGUSTA CHRONICLE]
changed, so it’s much more valuable.”
In the event of specifically trying to harm a high-level individual,
such as a politician or corporate CEO, a criminal could theoretically
blackmail the person based on information in his or her medical history.
Taken a step further, a sophisticated criminal could kill someone
by tampering with their medication or an implanted device.
Though the latter scenario is the far extreme side of the spectrum,
former U.S. Vice President Dick Cheney asked his cardiologist to order
the manufacturer of his pacemaker to disable its wireless capabilities
after a popular TV show in 2012 posited the theory of hacking
an implantable device.
Complicating health care cybersecurity is that many portable
medical devices, such as glucose monitors and CPAP machines, are
designed to operate at a patient’s home, where network security is
likely to be less robust.
where the university’s future doctors, nurses and dentists can train
on manikins outfitted with high-fidelity instruments in a realistic hospital
setting.
But device security is only part of the equation. Future health care
practitioners will need to be better trained to spot social-engineering
schemes, where hackers attempt to gain access to data through
manipulation, such as phishing emails.
Nowatkowski said that just because millennials have grown up in
a digital world full of social media does not make them more vigilant
about privacy and security.
“Being around electronic devices and cell phones doesn’t mean
they’re more ‘cyber aware,’ ” he said. “I think they take a lot of things
for granted and have some unrealistic expectations. They seem not
to be as concerned about their privacy as old people like me.”■
Cybersecurity in Augusta - September 2020
17