Once largely ignored by IT security policies, networked medical devices are a growing area of concern for healthcare organizations and their patients.
As healthcare organizations respond to growing awareness and concern regarding cybersecurity vulnerabilities, many are turning their attention to one source of vulnerability that can directly impact patient safety: the networked medical device. In a 2013 communication, the U.S. Food and Drug Administration (FDA) notes that these devices constitute one of several cybersecurity weaknesses in the healthcare environment. a
Networked medical devices can help healthcare providers improve patient care and achieve a variety of cost savings by simplifying treatment data collection, reducing costly human error, and providing for efficient new treatment modalities. Healthcare provider leadership should recognize, however, that these devices also introduce new cybersecurity risks and costs that weren’t present in their nonconnected predecessors.
Until recently, many health systems did not consider medical devices to be part of the IT ecosystem. When networked medical devices were first introduced, efficacy and interoperability were the primary concerns; securing the devices against cyberattacks was not. As a result, many devices were built (and some still are) with fundamental cybersecurity defects, such as lack of encryption, the use of default credentials, and the inclusion of software known to be vulnerable to security breaches.
Since those days, security consciousness has grown in part as a result of large-scale publicized incidents and their high costs. b These incidents prompted the FDA, FBI, and Department of Homeland Security to issue multiple advisories on medical device security risks, and for the past two years, the Office of Inspector General at the Department of Health & Human Services has included medical device security in its audits. c Furthermore, the Office for Civil Rights (OCR) is placing intense scrutiny during HIPAA audits on how healthcare organizations perform risk-analysis processes to assess risks to their electronic protected health information (ePHI)—risks that should include medical devices that hold or have access to that information. These regulatory guidelines and actions are a strong indicator of the current thinking of healthcare regulators on this subject.
In recent years, the healthcare industry has employed its own hackers to assist in efforts to safeguard patients and their ePHI from cyberthreats. These “white-hat” hackers have worked with manufacturers, health systems, and regulators in an environment of trust, coordinating disclosure so that vulnerabilities typically would not be made public until a remedy was available to minimize disruption. But a recent incident has reminded medical device manufacturers and healthcare providers that not everyone plays by those rules, making it all the more incumbent on medical device manufacturers and healthcare providers to be proactive in ensuring the safety of patients.
In August 2016, a Florida-based security firm uncovered weaknesses in a medical device manufacturer’s pacemaker. Instead of working with the manufacturer to resolve the issues and coordinate disclosure, the security firm partnered with an investment firm to publish its research and, in the process, profit from a decline in the manufacturer’s stock price. d The message for manufacturers: Simply having a potential vulnerability in a medical device, even if it never leads to an actual patient safety incident, could put an organization’s financial health in jeopardy. In the example above, healthcare providers were put in the uncomfortable situation of having patients in whom they had implanted devices susceptible to a cyberattack for which there was no available fix.
Simply put, due diligence in medical device cybersecurity is critical for healthcare organizations. Leaders should be prepared to respond to the emerging issue of medical device security with the appropriate steps in order to avoid a cyberattack on a medical device that could cause an adverse patient safety event, whether intentionally or as a side effect of a broader attack.
The Healthcare Provider’s Responsibility
Healthcare leaders should plan for and support investments in the cybersecurity of networked medical devices to protect patients and reduce the likelihood of costly breaches, regulatory action, and/or adverse patient safety events. Scrimping on such funding should not be an option: The funding allocated toward preventive cybersecurity controls for medical devices should be appropriate and sufficient to reasonably safeguard the organization and its patients from cyberattacks. Providing adequate funding is both the responsible thing to do and the most fiscally sound approach toward care delivery.
Responsibility begins with healthcare organizations recognizing that networked medical devices are not only patient care tools but also IT infrastructure. Such designation elevates medical devices to a different level of cybersecurity scrutiny. The action items below are a good starting point to reach that level. Although individual departments will do much of the heavy lifting when it comes to these tasks, healthcare leadership should be involved to ensure the risks and financial responsibilities are understood.
Review FDA recommendations. In its 2013 communication, the FDA recommends specific steps for healthcare organizations, including restricting and monitoring access to networks and devices, staying current on security patches and updates, reporting found device vulnerabilities to manufacturers and requesting assistance, and developing plans to ensure critical functionality is maintained in case of adverse cyberevents.
Instill cross-organizational awareness and policies. Security considerations should be applied to the entire life cycle of a medical device from procurement to maintenance and decommissioning. Biomedical, information security, legal, compliance, and procurement departments should not delay initiating discussions to understand what process improvements are required to limit the organization’s liability from security vulnerabilities in medical devices.
Prepare an incident response plan. The National Institute of Standards and Technology (NIST) has developed a guide for incident response at government agencies that is equally applicable in the private sector. e The guide, available on the NIST website, outlines a four-step process of preparation, detection and analysis, remediation, and follow-up. It also explores, at great length, the critical elements in creating an incident response capability.
Prepare a patient communication plan. As with any other risk associated with a medical procedure, patients have a right to know about cybersecurity risks associated with their medical devices. Medical staff should be educated in how to communicate those risks to patients. Hospital communication plans should include formal procedures for contacting discharged patients whose safety or privacy may be affected by a vulnerable medical device.
Report problems to the FDA. Prompt reporting of adverse events can help the FDA identify and better understand risks associated with medical devices. The agency encourages anyone who suspects that a cybersecurity event may have compromised the performance of a medical device or hospital network to file a voluntary report through MedWatch, the FDA Safety Information and Adverse Event Reporting program.
When reporting an incident, it is helpful to include:
- A point of contact
- Information regarding when and how the incident was discovered
- Specific model numbers and firmware versions of affected devices
- Number of affected devices
- Details regarding the vulnerability exploited and how the device was accessed (local or remote)
- Observed device abnormalities and potential consequences
By anticipating and planning proactively, healthcare providers can manage medical device cybersecurity risk efficiently and cost-effectively.
Adam Brand is a director, Protiviti, Los Angeles.
a. FDA, “Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication,” June 13, 2013.
b. Liu, V., Musen, M., and Chou, T., “Data Breaches of Protected Health Information in the United States,” research letter, The JAMA Network, April 14, 2015.
c. Office of Inspector General, Work Plan: Fiscal Year 2016, U.S. Department of Health and Human Services; Office of Inspector General, OIG Work Plan 2017, U.S. Department of Health and Human Services.
d. Robertson, J., and Riley, M., “Carson Block’s Attack on St. Jude Reveals a New Front in Hacking for Profit,” Bloomberg, Aug. 25, 2016.
e. Cichonski, P., Millar, T., Grance, T., and Scarfone, K., Computer Security Incident Handling Guide, National Institute of Standards and Technology, August 2012.