MedCity Influencers

Want to cry after Wanna Cry? The challenges of getting cybersecurity right for medical devices

Completely eliminating vulnerabilities to ransomware attacks like Wanna Cry is impossible. But hospitals can take some significant steps to minimize the risks. Medical device cybersecurity does not require starting from scratch, but it does require starting.


Earlier in 2017, the Wanna Cry ransomware hit medical devices in hospitals around the globe, affecting several health trusts in England's National Health Service and several hospitals in the United States. There were probably many other incidents that never made the news. According to reports, a contrast injector and a picture archiving and communication system (PACS) were among the earliest US-based devices to be infected.

This sort of attack is not new, though. While healthcare is often seen as lagging behind other industries when it comes to security protocols, that isn’t true across the board.

My organization, ECRI Institute, works with hospitals and health systems to identify and address gaps in their policies and practices to improve their cybersecurity initiatives. We know several mid-sized to large healthcare systems that have found a way to dedicate resources to medical device security.

The practices we've seen in these systems range from reassigning a clinical engineer from device interoperability and capital planning to medical device cybersecurity, to having IT-based application specialists take on pre-purchase evaluation of medical devices from a vulnerability standpoint. However, the 200-bed, three-hospital system still faces big challenges in adjusting to cybersecurity risks.

There is no going back to non-networked medical devices. The benefits of integrated data flows to support patient care are just too great. Plus, software updates for fleets of equipment are more easily done via a wireless network, and remote device performance monitoring can head off equipment failure to keep operations going.

Even with these known benefits and risks, a recent study by the Ponemon Institute, a leading IT security research organization, found that roughly 53 percent of healthcare providers did not test medical devices for security. Only 15 percent reported that they had taken significant steps to prevent attacks on medical devices in their hospitals.

Completely eliminating vulnerabilities is impossible. However, hospitals can take some significant steps to minimize the risks.


For starters, the clinical engineering department should know which devices are connected to the network, and which generate or store protected health information. While it's challenging to collect all relevant information, hospitals should at least start collecting it through their preventive maintenance cycle.

Secondly, it's best to avoid risky devices rather than openly welcome them into clinical use. How are your sourcing departments evaluating capital medical devices for cybersecurity? You can Google "RFP Questions for Medical Device Security" to see some sample questions. Or, better yet, work with the clinical engineering and IT departments to establish system-wide requirements. At minimum, suppliers should be required to submit their Manufacturer Disclosure Statement for Medical Device Security (MDS2). The question is, what does the hospital do with this information? Ideally, it informs your evaluation of medical devices before any purchase order is issued.

Finally, IT departments should educate everyone involved with medical devices to increase appreciation for and awareness of vulnerability and risk. Since HIPAA has required protected health information (PHI) safeguards for years, many security practices are already in place in hospitals, even though we still see passwords on Post-it notes at the workstation.

The IT department should also work with clinical engineering to ensure that a proper patching policy is in place for medical devices. IT probably already has the following in place: an established policy for suppliers who use the cloud for information storage; an incident response team and an associated process for handling attempted hacks; and instructions for dealing with systems that use external communications. Medical device cybersecurity does not require starting from scratch, but it does require starting. Use IT's expertise and apply it to bedside devices.

While it's a challenge to improve medical device cybersecurity, it's well worth the investment. No hospital or health system wants its information to be held for ransom, and no hospital wants to make headlines for poor privacy and security practices. Now is the time for health systems to implement a cybersecurity plan to keep medical devices, and patients, safe from the next ransomware event.

Photo: mattjeacock, Getty Images