Medical Devices and Cybercrime: Are Patients at Risk?

By Jeff Sanchez, Managing Director, Information Security and Privacy Practice



Technology now allows doctors to connect remotely to an array of medical devices, from infusion pumps to CT scanners, improving both speed and quality of care. The miraculous Da Vinci surgical system has even opened the possibility of telesurgery, a process by which a surgeon in one country could perform even the most intricate of operations via a surgical robot.

Connectivity, however, also introduces new risks. What happens, for example, when cyberattackers, maliciously or as a byproduct of a separate attack, compromise patient safety and privacy?

It is a potentially catastrophic scenario, and healthcare organizations must take measures to avert such a possibility before it happens.

Historically, medical devices have been viewed as standalone instruments rather than connected computers with software, which, essentially, is what they have become. Thus, it is understandable why medical entities haven’t applied the same security standards to medical devices as they have to other technologies.

Furthermore, medical professionals who use these devices – often from remote locations – are rarely provided with enough information or training to properly educate them about potential cyber risks.

The reality has shifted – the boundary between a medical device and a computer hooked up to a network is no longer clear. It is imperative for healthcare organizations to adjust to the new paradigm and take preventive steps now rather than later. Consider this:

  • More and more medical devices are connected to networks to deliver additional patient care options, but often without appropriate security controls.
  • These devices may have significant vulnerabilities, including hard-coded credentials and insecure communication protocols, which can result in the exposure of protected health information (PHI) and affect patient safety.
  • The FDA, FBI and Department of Homeland Security (DHS) have released multiple advisories on medical device security risks, and the FDA has published formal guidance on addressing the cybersecurity of medical devices.
  • The Office of Inspector General (OIG) at the Department of Health and Human Services has announced that it is including medical device security in its audits.

For many healthcare organizations, meeting regulatory requirements, such as HIPAA or Meaningful Use, has taken top priority – sometimes at the expense of allocating sufficient time and resources to address the risks posed by connected medical devices. But with cyberattacks and security incidents now regarded as common occurrences rather than exceptions, failure or delay in implementing appropriate countermeasures is no longer acceptable. Indeed, leaders of healthcare organizations that haven’t prepared for or responded to these emerging threats will find it difficult to explain their negligence should a medical device breach cause patient harm or violate patient privacy.

A small amount of preparation now can have a profound impact on ensuring patient safety and privacy. The first step is for an organization’s information security (IS) and biomedical teams to begin discussions to assess risks. It is also vital for key stakeholders – IS, legal, compliance and procurement – to understand what process improvements need to be made to limit the organization’s liability resulting from a medical device incident. Bridging the knowledge gap between these groups may require expert help.

Ultimately, healthcare organizations need to evaluate medical device security from a holistic, lifecycle perspective – from procurement, to implementation, maintenance and decommissioning. Such a comprehensive and proactive approach will not only help prevent the potential occurrence of cyberattacks, but minimize their damage when they do strike.

Is your organization at risk of a medical device cyberattack? Taking the precautions outlined here will not only protect the organization from negative repercussions, but also enable it to stay true to its commitment to patients and the first rule of medicine: Do no harm.

Inside Job: Internal Investigation for Non-investigators

Life would be a lot easier if people always behaved honestly and ethically. Nevertheless, anyone who has spent any significant amount of time in the corporate crucible can tell you that employee behavior often falls short of the ideal. Such is life.

Internal investigations — whether for financial fraud or some other type of legal, moral or ethical breach — are a workplace reality. Too often, however, those called upon to conduct these investigations are ill-prepared, having come into their positions based on technical knowledge and functional experience, with little or no background or experience in managing a crisis and/or conducting internal investigations.

The need to perform an internal investigation typically comes without warning. It’s not surprising, then, that most organizations are not able to produce, on the spot, experts who have the skill sets, tools and experience necessary to perform an internal investigation.

Rather, the staffing of an internal investigation unit is much more likely to consist of “battlefield promotions” — typically, some combination of internal audit, legal, IT and HR leadership.

Considering the risks, both financial and reputational, a little advance planning could mean the difference between an effective outcome and a disaster. Protiviti Managing Director Scott Moritz teamed with Director Peter Grupe to address this important issue in a free webinar last year, Internal Investigations for Non-Investigators.

The webinar streamed live on November 13, 2014 and is archived by date on the Webinars page of the Protiviti website. Scott is a former FBI special agent and global leader of our Investigations & Fraud Risk Management practice. Peter is a director in the Investigations & Fraud Risk Management practice and served 24 years in various executive management roles in the FBI’s largest white-collar crime branch, where, among other things, he managed the Bernard Madoff investigation. Clearly, these guys have been there, done that.

The live broadcast of their webinar drew a large audience and remains one of the most popular on our site. Here are some takeaways from this conversation — actions every organization should take now, before a crisis arises.

  1. Develop an investigation plan. A good plan provides guidance for defining the scope of an investigation, the chain of command, communication protocols, timelines, documentation, deliverables and investigative procedures.
  2. Lay the groundwork in advance. Data preservation is critical — from books and records to email and other electronic data, and includes the ability to recover deleted hard drive contents. Verify the integrity of archived data to ensure that retained records can be retrieved.
  3. Identify external resources. When things go wrong, they can go wrong in a hurry. If your investigation plan calls for retaining outside counsel, public relations consultants or investigative help, make sure those assets have been identified and that those resources can be “on the ground” quickly.
  4. Implement a case management system. When your reputation is on the line, you want to be sure you have your investigative infrastructure in place before you need it. You never want to find yourself building the bridge as you cross it.
  5. Learn from your mistakes. Leveraging the positive and negative results of prior investigations helps organizations compress the learning curve over time, improving investigative efficiency and effectiveness.

Do you have an investigation plan? The heat of battle is no place to be formulating policy. For more information, I highly recommend watching the full webinar. As I said, these guys are good!

Jim DeLoach

Setting the 2015 Audit Committee Agenda

What is top of mind for senior executives and directors this year? Regulatory changes and heightened regulatory scrutiny, succession challenges, economic conditions and cyber threats – this according to the latest Protiviti and North Carolina State University ERM Initiative’s survey, Executive Perspectives on Top Risks in 2015.

You can get a preview of the insights from the survey and more in the latest issue of The Bulletin, our electronic newsletter on corporate governance and risk management. The issue is chock-full of collective wisdom culled from the interactions of Protiviti’s professionals with client audit committees, roundtables we’ve conducted, and discussions with directors at conferences and other forums.

As part of an ongoing effort to help you find the signal amid the noise of a busy and information-rich world, we’ve distilled this information into 10 actionable steps we call The 2015 Mandate for Audit Committees. The first five items relate to enterprise, process and technology issues. The remaining items pertain to financial reporting.

Here, then, are our recommendations for setting the 2015 audit committee agenda:

Enterprise, Process and Technology Issues

  • Update the company’s risk profile to reflect changing conditions – Consider emerging risks and changes in existing risks and address the adequacy of risk management capabilities.
  • Oversee the capabilities of the finance organization and internal audit to ensure they can deliver to expectations – Capabilities should be continuously aligned with the company’s changing needs and expectations.
  • Pay attention to risk culture to address the risk of dysfunctional behavior undermining risk management and internal control – The tone at the top and in the middle affects risk management and internal control performance.
  • Understand how new technological developments and trends impact the company – Be mindful of the implications of technological innovations to security and privacy, financial reporting processes, and the viability of the company’s business model.
  • Assess committee efficacy – The committee’s composition, expertise and engagement should keep pace with the company’s changing business environment and risk profile.

Financial Reporting Issues

  • Pay attention to revenue recognition – The Financial Accounting Standards Board’s (FASB’s) new standard may affect financial reporting systems.
  • Determine the Public Company Accounting Oversight Board (PCAOB) impact on the audit approach – PCAOB inspections, standards and guidance have raised concerns regarding the adequacy of public company auditing processes and have led to changes.
  • Understand the impact of COSO’s updated Internal Control – Integrated Framework – The new framework has the potential to affect internal control reporting, internal audit activities and other areas.
  • Understand and evaluate management’s significant accounting estimates – Ensure an adequate focus on the financial reporting processes requiring the most judgment.
  • Stay current on audit reforms – An expanded report, auditor rotation and other measures are being considered in various countries.

I hope you find time to read the latest Bulletin in its entirety. These are interesting times. The new year is already off to an exciting start, and I can’t wait to see what challenges and triumphs await us all in the months ahead. I’m sure it will be interesting.


Executive Perspectives on Top Risks for 2015

Today, North Carolina State University’s ERM Initiative and Protiviti released the results of our third annual global survey of board members and C-level executives. Our survey assesses the extent to which a broad collection of risks are likely to affect organizations in 2015. We’ll be discussing the results here in greater detail over the coming weeks. For now, I want to share with you our short video along with our key results:

Among our key findings this year:

  • The global business environment in 2015 is perceived to be somewhat less risky for organizations than it was in the last two years.
  • Most organizations are more likely to invest additional resources towards risk management in 2015 compared to the past two years.
  • Regulatory change and heightened regulatory scrutiny is the top overall risk for the third consecutive year.
  • There are concerns about cyberthreats disrupting core operations.
  • Economic conditions are again a key risk area for organizations.
  • There is greater focus on succession challenges and the ability to attract and retain talent.

Our report, Executive Perspectives on Top Risks for 2015, as well as a podcast and video, are available at We also have published an informative infographic. In addition, on Thursday, February 12 (at 1:00 p.m. ET/10:00 a.m. PT), Protiviti and North Carolina State University will host a webinar to discuss the survey results and provide analysis as to how organizations can address these risk areas.

I again want to acknowledge our outstanding partners at North Carolina State University’s ERM Initiative: Dr. Mark Beasley, Dr. Bruce Branson and Professor Donald Pagach. It is a tremendous pleasure to work with them on this well-received project. I also want to thank the many individuals in Protiviti, including our Industry Leadership team, for their valuable contributions to this project.