Technology now allows doctors to connect remotely to an array of medical devices, from infusion pumps to CT scanners, improving both speed and quality of care. The miraculous Da Vinci surgical system has even opened the possibility of telesurgery, a process by which a surgeon in one country could perform even the most intricate of operations via a surgical robot.
Connectivity, however, also introduces new risks. What happens, for example, when cyberattackers, maliciously or as a byproduct of a separate attack, compromise patient safety and privacy?
It is a potentially catastrophic scenario, and healthcare organizations must take measures to avert such possibility before it happens.
Historically, medical devices have been viewed as standalone instruments rather than connected computers with software, which, essentially, is what they have become. Thus, it is understandable why medical entities haven’t applied the same security standards to medical devices as they have to other technologies.
Furthermore, medical professionals who use these devices – often from remote locations – are rarely provided with enough information or training to properly educate them about potential cyber risks.
The reality has shifted – the boundary between a medical device and a computer hooked up to a network is no longer clear. It is imperative for healthcare organizations to adjust to the new paradigm and take preventive steps now rather than later. Consider this:
- More and more medical devices are connected to networks to deliver additional patient care options, but often without appropriate security controls.
- These devices may have significant vulnerabilities, including hard-coded credentials and insecure communication protocols, which can result in the exposure of protected health information (PHI) and affect patient safety.
- The FDA, FBI and Department of Homeland Security (DHS) have released multiple advisories on medical device security risks, and the FDA has published formal guidance on addressing the cybersecurity of medical devices.
- The Office of Inspector General (OIG) at the Department of Health and Human Services has announced that it is including medical device security in its audits.
For many healthcare organizations, meeting regulatory requirements, such as HIPAA or Meaningful Use, has taken top priority – sometimes at the expense of allocating sufficient time and resources to address the risks posed by connected medical devices. But with cyberattacks and security incidents now regarded as common occurrences rather than exceptions, failure or delay to implement appropriate countermeasures is no longer acceptable. Indeed, leaders of healthcare organizations that haven’t prepared or responded to these emerging threats will find it difficult to explain their negligence should a medical device breach cause patient harm or violate patient privacy.
A small amount of preparation now can have a profound impact on ensuring patient safety and privacy. The first step is for an organization’s information security (IS) and biomedical teams to begin discussions to assess risks. It also is vital for key stakeholders – IS, legal, compliance and procurement – to understand what process improvements need to be made to limit the organization’s liability resulting from a medical device incident. Bridging the knowledge gap between these groups may require expert help.
Ultimately, healthcare organizations need to evaluate medical device security from a holistic, lifecycle perspective – from procurement, to implementation, maintenance and decommissioning. Such a comprehensive and proactive approach will not only help prevent the potential occurrence of cyberattacks, but minimize their damage when they do strike.
Is your organization at risk of a medical device cyberattack? Taking the precautions outlined here will not only protect the organization from negative repercussions, but also enable it to stay true to its commitment to patients and the first rule of medicine: Do no harm.