Cybersecurity in the health care setting: issues and strategies

Health care providers have a long history of protecting sensitive patient information, but the fact that more and more health care equipment is now connected to the internet exposes this data to a new range of risks. All hospitals currently have formal strategies to protect medical-device security in order to comply with federal regulations, but according to an ECRI Institute survey, fewer than half have comprehensive facility-wide cybersecurity management policies in place.

Via Modern Healthcare:

When Dick Cheney learned hackers might be able to alter his pacemaker’s settings, he asked his physicians to sever the device’s wireless Internet connection.

His physician used that connection to monitor the device’s functionality. Cheney feared some terrorist would reprogram the device to kill the former vice president.


That scenario, one where a rogue hacker gains access to a device, isn’t likely, experts said. But cybersecurity is a growing issue for hospitals.

The Food and Drug Administration has reported a few breaches, mostly malware infecting hospital computer networks. While no patients have been harmed, a 2010 malware attack forced the weeklong closure of a catheterization lab at a Veterans Affairs facility in New Jersey.

With Internet connectivity mounting—61% of medical devices are now online—there’s growing concern medical devices may become the next target for malicious hackers. The U.S. Department of Homeland Security last year urged hospitals to beef up security, using a hypothetical example of a hacker gaining control of a smart insulin pump to remotely administer a fatal dose. The FDA this year urged healthcare providers to report problems and said it would soon block approvals for “smart” devices if they didn’t meet security standards.

The alarm bells led Anthony Coronado, biomedical engineering manager at Methodist Hospital of Southern California, to implement a 24/7 monitoring system to keep track of who and what is connected to the Arcadia, Calif., hospital’s networks. Coronado said he was reacting to emerging concerns about the online vulnerability of medical devices.

“There’s been a rapid change in technology the last 10 years; everything now is information based,” he said. “I needed to develop something different to keep that information safe so we could protect our patients.”

Federal rules, including HIPAA, require hospitals to maintain medical-device security standards. However, many hospitals lack detailed cybersecurity plans. An informal ECRI Institute survey in October found 57% of respondents lacked cybersecurity management plans for their facilities; 35% said they were in the process of establishing measures to protect devices; and 5% said they had security protocols in place.

Suzanne Schwartz, FDA director of emergency preparedness, urged hospitals to be more aggressive in developing risk-management plans. “We have to all be mindful that you can’t eliminate the cybersecurity threat, you manage the threat,” she said. “There’s no such thing as being threat-proof.”

At Methodist Hospital, Coronado organized his seven-member biomedical engineering team to catalog every device that could connect to the hospital’s network. They listed who had access to the devices. All the information was uploaded to a database.

The biomedical engineering team developed a 57-item checklist, which includes verifying network virus protection, ensuring software is up to date, overseeing data backups and adding encryption to vulnerable devices. These steps ensured a more thorough risk assessment and that every potential security risk received the proper attention from staff.

Many hospitals use such checklists, but the trick is maintaining compliance, said Avi Rubin, a professor of computer science at Johns Hopkins University. System administrators need to make sure their plans are tailored for their institutions. “I don’t think a one-size-fits-all solution is possible because every medical system has different needs and resources,” Rubin said.

The government, hospitals and device manufacturers continue to seek bolder solutions to protect against hackers. The FDA even received advice from a benevolent hacker who discovered a way to break through an insulin pump’s security. Agency officials have compiled a list of potentially vulnerable medical devices for use by hospital officials, but they have declined to make it public.

Cataloging devices is a major undertaking and shouldn’t be undervalued, said James Keller, vice president of health technology evaluation and safety for ECRI, which awarded Methodist its Health Devices Achievement Award this year for its plan to protect against hackers. Keeping devices secure is one way to ensure better patient safety.

“The risks are still relatively new, and there aren’t a lot of serious problems reported yet, but that’s something that we expect to hear about more and more,” Keller said.

MH Strategies

Key steps to establishing better medical-device security for hospital networks:

  • Don’t wait for a security breach, be proactive; give IT and other departments the necessary resources.

  • Establish an inventory of devices connected to the hospital’s network; catalog who has access to those devices.

  • Identify the effects of a security breach on each networked medical device.

  • Ensure workers and departments understand their roles and responsibilities when it comes to monitoring equipment.

  • Follow through on compliance. Don’t just go through the motions.
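As an added example (not part of the Modern Healthcare article or Methodist Hospital’s own system), the Python sketch below shows how the inventory, access and breach-impact records called for in the steps above can be combined with the checklist controls the article names (virus protection, software currency, backups, encryption) to prioritise non-compliant devices, and how a record of what is actually seen on the network can be matched against that inventory to flag unknown devices. The device names, MAC addresses, patch dates and the 90-day patch threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

PATCH_MAX_AGE_DAYS = 90  # assumed policy threshold (not from the article)
IMPACT_RANK = {"life-safety": 3, "phi": 2, "low": 1}

@dataclass
class Device:
    name: str
    mac: str
    owner: str          # who has access to / is responsible for the device
    breach_impact: str  # effect of a breach: "life-safety", "phi" or "low"
    av_installed: bool
    last_patched: date
    backups_ok: bool
    encrypted: bool

def failed_controls(dev, today):
    """Checklist items (as named in the article) that the device fails."""
    gaps = []
    if not dev.av_installed:
        gaps.append("virus protection")
    if (today - dev.last_patched).days > PATCH_MAX_AGE_DAYS:
        gaps.append("software up to date")
    if not dev.backups_ok:
        gaps.append("data backups")
    if not dev.encrypted:
        gaps.append("encryption")
    return gaps

def prioritise(inventory, today):
    """Non-compliant devices, highest breach impact first, then most gaps."""
    scored = [(d, failed_controls(d, today)) for d in inventory]
    scored = [(d, g) for d, g in scored if g]
    scored.sort(key=lambda dg: (-IMPACT_RANK[dg[0].breach_impact], -len(dg[1])))
    return [(d.name, g) for d, g in scored]

def unknown_devices(inventory, observed_macs):
    """MACs seen on the network with no inventory record (what a 24/7 monitor would flag)."""
    known = {d.mac.lower() for d in inventory}
    return sorted(m for m in observed_macs if m.lower() not in known)

# Constructed sample inventory and a constructed network observation.
TODAY = date(2013, 11, 9)
INVENTORY = [
    Device("Infusion pump", "00:1a:2b:3c:4d:01", "Biomed", "life-safety", False, date(2013, 1, 15), True, False),
    Device("PACS workstation", "00:1a:2b:3c:4d:02", "Radiology", "phi", True, date(2013, 10, 1), False, True),
    Device("Lab printer", "00:1a:2b:3c:4d:03", "Lab", "low", True, date(2013, 10, 20), True, True),
]
OBSERVED_MACS = ["00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02", "00:1a:2b:3c:4d:03", "00:1a:2b:3c:4d:99"]
```

With this sample data, `prioritise(INVENTORY, TODAY)` lists the infusion pump first (three failed controls, life-safety impact) and the PACS workstation second, while `unknown_devices(INVENTORY, OBSERVED_MACS)` returns the one MAC address that has no inventory record.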

By Ashok Selvam

“Keeping networks secure requires aggressiveness, compliance,” Modern Healthcare (November 9, 2013)