Imagine this message shows up in your e-mail: “Dear Sam, We have complete control of your hospital’s telemetry network. Please remit $15,000 in bitcoin to our offshore bank immediately or we will disable communication on this network.” Perhaps a bit far-fetched, one might say. However, many in health care now must consider possibilities along these lines every day. With recent ransomware attacks, such as WannaCry and Petya, and with hospital clinical technology connected to IT systems more and more, the cybersecurity risks associated with medical devices grow each day. Petya reportedly infected numerous organizations, including some hospitals in the United States. So while connected medical devices provide many advantages to better coordinate patient care, which we now benefit from, those connections simultaneously expose us to new risks, which we now must manage.

With this increased exposure, experts now worry a hacker could connect remotely to a hospital network and the medical devices connected to it. We must all now understand better these risks so we may reduce their impact on our patients.

In many ways, this risk has been building over the past 20 years as medical devices of all different categories have incorporated software and software systems into their design. More recently, though, the risks have escalated as more devices connect to hospital networks, outpatient networks and even home networks. More technology means more risk. And more connected technology means more connected risk.

In today’s hospital, according to ECRI Institute’s research, there are approximately 15 to 17 devices per bed, and about one out of four of these bedside devices are networked. With more medical devices like physiologic monitoring systems connecting via hospital networks to electronic health records and other information systems, medical device cybersecurity vulnerabilities extend beyond the patient bedside.  These connected devices could serve as entry points into a hospital’s network, placing hospital operations, medical information, patient identity and patient financial information at risk. Older devices can bring more risk. Many medical devices have long lifespans and are likely to be in service after the products have been discontinued. Consequently, these systems may have older operating systems that are more vulnerable.  

Hospital leaders may think that medical device cybersecurity testing is done by the Food and Drug Administration as part of its approval process. That is not the case. While the FDA has issued guidelines and recommendations on medical device cybersecurity, it does not test devices for these vulnerabilities. In fact, the FDA describes the perception that it does so as a “myth” in a fact sheet, stating, “The FDA does not conduct premarket testing for medical products. Testing is the responsibility of the medical product manufacturer.”

We have a robust medical device industry with thousands of medical device manufacturers, and many are relatively small, with limited resources for making their devices secure. 

Leadership’s Role

As hospital and health system leaders, what should you do to address this risk?  We recommend some basic but important steps — Prioritize, identify, protect.

  • Prioritize. As a first step, make sure you consider medical device cybersecurity in the context of other cybersecurity risks within your organization. While no patient harm from a hacked medical device has been reported to date, several facilities have experienced loss or ransom of financial information and/or patient identity, often through relatively simple email phishing scams. Then, work with management to prioritize which types of connected medical devices need attention first. For example, make sure you are protecting patients by focusing on life-critical devices, such as ventilators and infusion pumps, over less risky devices. And protect your organization’s information by focusing on devices and systems that contain Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act.
  • Identify. Now that your management team knows which device types to start with, step two requires that your organization create an inventory of all equipment in the device type that includes key information like exact software version, network configuration settings and which information systems or devices they are routinely connected to. Without knowing exactly what software is running and what connections exist, it is impossible to establish and maintain good cybersecurity practices.
  • Protect. Step three is the active practice of maintaining and improving your medical device cybersecurity. Work with device vendors to make sure your organization is getting updated, vendor-validated software to patch identified vulnerabilities. Make sure your wired and wireless networks are using appropriate security methods, and that your networked devices can actually support these methods (an older device that cannot is a reason to isolate it, not to weaken the network). Use safeguards like firewalls or private, segmented networks around less secure equipment to reduce its risk, or plan for its replacement.
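The three steps above (prioritize, identify, protect) turn into a concrete worklist once the inventory exists. The following is an added example, not ECRI's or the article's own tooling: it takes a constructed device inventory with the fields the Identify step calls for (software version, network connections, OS support status), scores each device by exposure and impact, and recommends an action for the Protect step. The scoring weights, device records, version strings and field names are all assumptions made for illustration; a real program would pull these fields from the CMMS and from vendor advisories or MDS2 forms. Note how a missing software version is treated: it is flagged as an inventory gap and scored pessimistically rather than ignored, because a device whose software is unknown cannot be patched or defended with confidence.

```python
"""Risk-ranked worklist from a medical device inventory (added example).

All records, weights and version strings are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Device:
    asset: str
    kind: str
    life_critical: bool                      # ventilators, pumps: patient safety first
    phi: bool                                # stores or forwards PHI
    networked: bool
    connections: List[str] = field(default_factory=list)  # e.g. EHR, PACS, pharmacy
    os: str = ""
    os_supported: bool = True                # OS/vendor still issuing security fixes
    sw_version: Optional[str] = None         # None = gap in the inventory
    vendor_validated_version: Optional[str] = None  # latest patch the vendor validated


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only (assumption); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def patch_behind(d: Device) -> bool:
    """True when a newer vendor-validated release exists than what is running."""
    if d.sw_version is None or d.vendor_validated_version is None:
        return False
    return parse_version(d.sw_version) < parse_version(d.vendor_validated_version)


def risk_score(d: Device) -> int:
    """Additive score: exposure (network reach) + impact + known weaknesses."""
    score = 0
    if d.networked:
        score += 3 + min(len(d.connections), 3)   # each upstream system is a path in or out
    if d.life_critical:
        score += 4
    if d.phi:
        score += 3
    if not d.os_supported:
        score += 3                                 # no fixes coming for the platform
    if patch_behind(d):
        score += 2                                 # fix exists but is not applied
    if d.sw_version is None:
        score += 2                                 # unknown: assume the worst until recorded
    return score


def recommend(d: Device) -> List[str]:
    actions = []
    if d.sw_version is None:
        actions.append("inventory gap: record the running software version")
    if patch_behind(d):
        actions.append(f"apply vendor-validated update {d.vendor_validated_version}")
    if not d.os_supported:
        actions.append("unsupported OS: isolate on a restricted VLAN/firewall zone and plan replacement")
    if not actions:
        actions.append("maintained: monitor vendor advisories")
    return actions


def triage(inventory: List[Device]) -> List[Tuple[str, int, List[str]]]:
    """Worklist ordered highest risk first; ties broken by asset tag."""
    ranked = sorted(inventory, key=lambda d: (-risk_score(d), d.asset))
    return [(d.asset, risk_score(d), recommend(d)) for d in ranked]


# Constructed sample inventory (hypothetical asset tags and versions).
INVENTORY = [
    Device("PUMP-0412", "infusion pump", True, False, True, ["EHR", "pharmacy"],
           "Windows CE 6.0", os_supported=False, sw_version="2.1.0", vendor_validated_version="2.3.1"),
    Device("VENT-0093", "ventilator", True, False, False, [],
           "embedded RTOS", os_supported=True, sw_version="4.0.2", vendor_validated_version="4.0.2"),
    Device("MON-1180", "physiologic monitor", True, True, True, ["EHR", "central station"],
           "Windows 7", os_supported=False, sw_version="8.5", vendor_validated_version="8.5"),
    Device("SCALE-0021", "patient scale", False, False, True, ["EHR"],
           "Linux 4.x", os_supported=True, sw_version="1.2", vendor_validated_version="1.2"),
    Device("PACS-WS-07", "imaging workstation", False, True, True, ["PACS", "EHR"],
           "Windows 10", os_supported=True, sw_version=None, vendor_validated_version="3.4"),
]

if __name__ == "__main__":
    for asset, score, actions in triage(INVENTORY):
        print(f"{asset:12} score={score:2}  " + "; ".join(actions))
```

On the sample data the networked, PHI-bearing monitor on an unsupported OS ranks first, the life-critical pump with an unapplied vendor patch second, and the workstation with no recorded version third, ahead of the supported, up-to-date devices. The weights are deliberately simple; the point is that the ranking is driven by fields the inventory must actually capture, so the scoring doubles as a check that the Identify step was done.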

Collaboration and growth

While medical device cybersecurity gives us all reason to worry, two additional key questions for leaders to ask will help mitigate risk: (1) Who exactly are the people responsible for medical device cybersecurity in our facility or system? (2) What type of ongoing medical device cybersecurity educational training are they receiving? 

These questions are important because medical device cybersecurity requires a blended knowledge of information technology and medical technology. The team responsible for protecting patient care and information must have expertise in both areas.

Often medical device cybersecurity requires collaboration with IT, clinical engineering, risk management, legal, sourcing, compliance and audit. These departments may be working together for the first time in coordinating your health system’s preparations for medical device cybersecurity. Like any collaborative endeavor, we suggest making sure that there are clear management processes in place. For example, since many medical device cybersecurity risks arise suddenly, each institution must set policy on both responsibility (who is responsible for what aspects of the system) and escalation/handoff (how to transfer aspects of a multi-department issue to the right responsible party) in advance. 

Furthermore, because we are suggesting that the cybersecurity policies and procedures address the specific threat related to medical devices, not simply IT systems, your organization must build the medical device cybersecurity risk assessment program into the basic IT security program or parallel to it.  In particular, the program must not only do a risk assessment but also must create a program of proactive application of manufacturer-validated software patches for medical devices. 

In addition, training must be ongoing because medical technology and information technology change so rapidly and malicious actors become increasingly more sophisticated. While the field of cybersecurity for medical devices grows, hospital leaders should help ensure that appropriate personnel, time and money are available for staff to access and participate in the many different organizations trying to help keep the health care community informed of potential risks. Organizations such as the American Hospital Association, Food and Drug Administration, Association for the Advancement of Medical Instrumentation, ECRI Institute and HIMSS — along with the medical device manufacturers themselves — are all working to inform and ultimately protect the public through various publications, alerts, seminars and tools. 

Connected technology has obvious advantages, but as with progress in many areas, it brings new risks.  If we understand those new cybersecurity risks and take the steps discussed in this article, we will create a more protected network and a more secure patient experience. The price of connectedness is eternal vigilance, but the value of connectedness is truly better care. So be vigilant. 

Anthony J. Montagnolo, M.S. (amontagnolo@ecri.org), is executive vice president and chief operating officer of ECRI Institute in Plymouth Meeting, Pa.