Protect Medical Devices From a Cybersecurity Threat
By Christophe Dore
A March 2015 poll commissioned by the West Health Institute found that 69% of 526 nurse respondents believed documentation took time away from the delivery of direct patient care. One noted that “[transcribing data] takes too much time for the nurses to adequately care for the patient,” with 46% believing errors were likely to arise in such circumstances. Additionally, 83% of respondents agreed that 10% or more of the errors and adverse events might be prevented if the medical devices were connected.
Utilizing automated technology that monitors patient vital signs and sends validated vital signs to electronic medical records right from the bedside can give nurses more time for direct caregiving. Integrating data from bedside devices can also help build a comprehensive patient record and even feed patient surveillance systems where algorithms can trigger intelligent alarms. As hospitals see the value in having point-of-care monitoring and therapy devices communicate through the “internet of things,” new opportunities arise for medical technology vendors to link the legacy, stand-alone systems. However, many of these legacy systems were produced before cybersecurity required consideration, and without proper security in place, the widespread movement toward connectivity of electronic devices such as MRI machines, anesthesia machines, ventilators, and infusion pumps can open the door to more nefarious and indiscriminate cybersecurity attacks.
Cybersecurity threats can plague hospitals
Many provider organizations understand the threat that unsecured medical devices pose to patient safety, as well as financial health and reputation—but fewer have a plan in place to identify and mitigate this peril.
A recent survey of approximately 60 C-level healthcare executives from CynergisTek brings the issue into sharper focus. Though about one-third of executives considered medical device security one of the top five risks facing healthcare, most reported they lack an effective strategy to assess the risks posed by medical devices. Notably, more than a quarter said they don’t have any risk assessment process in place at all.
In the CynergisTek survey, 54% of respondents named a lack of adequate resources (tools, money, or people) as the biggest barrier to meeting privacy and security challenges. This is a significant roadblock to overcoming the data-security threats that many hospitals face. Preparation requires time, money, and expertise—all of which are in short supply for cash-strapped hospitals coping with thin margins, fluctuating regulations, and financial risk under value-based care agreements. Responding to breaches also consumes substantial resources, for which most hospitals are not fully prepared. This increases the cost of response and allows breaches to last longer and do more damage. Preventive system shutdowns, in turn, also last longer, giving hospitals even more disruption to recover from.
The danger of healthcare security breaches is ever-present and costly. In 2018, there were 365 reported healthcare data breaches involving 500 or more records, an increase of 83% from 2010, according to HIPAA Journal. Healthcare is the industry most impacted by data breaches, with an average cost per breach of $6.45 million, according to a 2019 report from IBM. The average cost of a healthcare data breach, as reported by IBM, exceeds the average cost of a breach across all industries by 65%.
Yet it’s clear that data security, in general, and medical device security, in particular, is not just a hospital information technology problem. It is an organizational problem.
Why hospitals struggle to respond to security threats
For decades in healthcare, data security was an afterthought—if it was thought about at all—and to some extent, that made sense. Cyberattackers were not as organized and equipped as they are today, and healthcare was not a target of choice.
It is only somewhat recently that hospitals have begun to connect nearly all of their information systems to a network. While this facilitates information sharing, it also creates exploitation opportunities with devices and systems that were not necessarily designed with network connectivity in mind. But because these systems store, process, and communicate crucial patient care information, they would be extremely expensive to replace, essentially forcing hospitals to reactively mitigate cyber-risks from these devices as best they can with limited budgets, staff, and experience.
Further, hackers continue to grow in number, sophistication, and organization; they have evolved from “players” hacking into systems for fun or bragging rights to criminal organizations looking for profit, to say nothing of foreign nations engaged in cyberwarfare. This challenges healthcare providers to keep pace with the latest security measures and countermeasures. By its nature, the security industry mostly responds to threats reactively: A new virus or form of malware causes some damage and generates news coverage, and security professionals rush to analyze the threat and develop a response. As a result, the “good guys” are always effectively several moves behind the “bad guys.”
The average amount of time a hacker is in a system before detection is an astounding 197 days. A breach can compromise patient data or software, as well as the performance of life-critical devices, such as infusion pumps and ventilators. Without adequate investment in human and technological resources, hospitals remain acutely vulnerable to internal and external cybersecurity attacks.
How hospitals can protect themselves
Hospitals will have to focus and invest more in cybersecurity. Healthcare has been behind many other industries on this issue while having much more at stake (i.e., patient lives). They need to be able to protect their connected systems and devices, detect issues early, respond to threats efficiently, and recover from attacks as inexpensively as possible. When integrating medical devices into clinical systems, hospitals must proactively search for integration solutions and deployment architecture designed with security in mind, instead of considering cybersecurity after the fact. The path toward better patient care will rely on data insights for early detection, as well as improved strategy to avoid health issue escalation. Ensuring availability and integrity of data insights will largely depend upon a cybersecurity strategy that enables better protection and monitoring of these data assets.
While the threat to device security is growing and hackers are continuing to develop novel ways to disrupt hospitals’ business and patient care operations, provider organizations can take steps today to mitigate potential future issues. Following are three of the most important.
Appoint a chief information security officer: Provider organizations are increasingly hiring chief information security officers (CISOs) to oversee not only cybersecurity efforts but also the business management of cybersecurity. While a CISO’s technical background is very important, it is also critical that this person be able to limit the business impact of cyberthreats on the organization.
This executive should take stock of all the data in the organization’s possession and analyze how a breach of each type of data could represent a threat to the hospital, as well as its patients and business partners. The CISO should also develop and implement global security policies, standards, guidelines, and procedures. Ideally, a CISO will have experience at the executive and board levels and possess top-notch communication and relationship-building skills. Other desirable attributes include knowledge and experience in risk management and regulatory compliance; strong experience in information security management, including policy development and training; and solid business acumen.
Train and monitor staff: While hackers attract most of the attention related to cyberthreats, hospitals have a much greater source of vulnerability—their own staff members. As Northwell Health CISO Kathy Hughes stated, “People are the weakest link in the security chain.” Hospitals should teach best security practices to staff, but also monitor the activity of insiders, such as hospital visitors, employees, consultants, and business associates, to detect anomalies. Hospitals should establish a team dedicated to studying the organization’s cybersecurity, establishing improvement procedures, and reducing vulnerabilities. In case of an attack, the team should be prepared to investigate the incident and take corrective and preventive actions with employees who fail to follow preestablished best practices.
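The insider monitoring described above, as an added example that is not part of the article and not any vendor's product: a small detector run over a constructed EHR access audit trail. The log format, the role names, the business-hours window and the volume thresholds are all assumptions chosen for illustration. It applies three checks a hospital security team would typically start with: a user's daily record count far above that user's own baseline, clinical staff viewing patients assigned to another unit, and administrative roles touching records outside business hours.

```python
"""Flag anomalous insider activity in EHR access audit logs. Added example: the
log lines, field names, roles and thresholds are constructed for illustration
and do not reflect any particular product's audit format."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

Alert = Tuple[str, str, str]   # (rule, user, detail)

# Constructed audit trail: ISO timestamp followed by key=value fields.
# nurse.a views 3, 2 and 1 ICU records on three days, then 7 on 2024-03-07,
# two of them oncology (ONC) patients outside the user's own unit.
AUDIT_LOG = """\
2024-03-04T08:05:00 user=nurse.a role=nurse unit=ICU patient_unit=ICU action=view
2024-03-04T08:40:00 user=nurse.a role=nurse unit=ICU patient_unit=ICU action=view
2024-03-04T09:10:00 user=nurse.a role=nurse unit=ICU patient_unit=ICU action=view
2024-03-05T08:15:00 user=nurse.a role=nurse unit=ICU patient_unit=ICU action=view
2024-03-05T08:50:00 user=nurse.a role=nurse unit=ICU patient_unit=ICU action=view
2024-03-06T08:00:00 user=nurse.a role=nurse unit=ICU patient_unit=ICU action=view
2024-03-07T08:02:00 user=nurse.a role=nurse unit=ICU patient_unit=ICU action=view
2024-03-07T08:09:00 user=nurse.a role=nurse unit=ICU patient_unit=ONC action=view
2024-03-07T08:11:00 user=nurse.a role=nurse unit=ICU patient_unit=ICU action=view
2024-03-07T08:14:00 user=nurse.a role=nurse unit=ICU patient_unit=ONC action=view
2024-03-07T08:20:00 user=nurse.a role=nurse unit=ICU patient_unit=ICU action=view
2024-03-07T08:25:00 user=nurse.a role=nurse unit=ICU patient_unit=ICU action=view
2024-03-07T08:31:00 user=nurse.a role=nurse unit=ICU patient_unit=ICU action=view
2024-03-06T10:00:00 user=billing.b role=billing unit=ADMIN patient_unit=ONC action=view
2024-03-07T02:30:00 user=billing.b role=billing unit=ADMIN patient_unit=ICU action=view
"""

CLINICAL_ROLES = {"nurse", "physician"}     # expected to work within their own unit
ADMIN_ROLES = {"billing", "scheduling"}     # expected to work business hours


def parse_log(text: str) -> List[Dict]:
    """Parse one event per non-empty line into a dict with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def volume_spikes(events, factor=3.0, min_count=5) -> List[Alert]:
    """A user's daily record count far above the median of that user's other days."""
    per_day: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        per_day[e["user"]][e["ts"].date()] += 1
    alerts = []
    for user, days in per_day.items():
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day]
            baseline = median(others) if others else 0
            if count > max(factor * baseline, min_count):
                alerts.append(("volume_spike", user, f"{count} accesses on {day}, baseline {baseline}"))
    return alerts


def cross_unit_access(events) -> List[Alert]:
    """Clinical staff viewing patients assigned to another unit."""
    return [("cross_unit", e["user"], f"{e['role']} in {e['unit']} viewed {e['patient_unit']} patient at {e['ts']}")
            for e in events if e["role"] in CLINICAL_ROLES and e["patient_unit"] != e["unit"]]


def off_hours_access(events, start=7, end=19) -> List[Alert]:
    """Administrative roles touching records outside business hours."""
    return [("off_hours", e["user"], f"{e['role']} access at {e['ts']}")
            for e in events if e["role"] in ADMIN_ROLES and not (start <= e["ts"].hour < end)]


def detect(text: str) -> List[Alert]:
    """Run every rule over the log and return the combined alert list."""
    events = parse_log(text)
    return volume_spikes(events) + cross_unit_access(events) + off_hours_access(events)


if __name__ == "__main__":
    for rule, user, detail in detect(AUDIT_LOG):
        print(f"[{rule}] {user}: {detail}")
```

On the constructed log this raises four alerts: one volume spike for nurse.a on 2024-03-07, two cross-unit views by the same user, and one off-hours access by billing.b. Each alert is a lead for the investigation team the paragraph describes, not a verdict; a legitimate float nurse or an on-call billing query will look identical, which is why the per-user baseline and the role tables should be tuned to the hospital's own staffing patterns.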
Utilize advanced tools: A major challenge for hospitals is that medical devices are often essentially “closed boxes” that offer no control over security, yet hospitals need to deploy these devices on their networks. In addition, legacy devices often offer little or no ability to protect themselves. Security administrators must mitigate these security challenges by adding some protection around the devices, which is less effective and more labor-intensive than simply using a device that was designed with security in mind—yet it is better to address cybersecurity this way than not at all.
Several advanced solutions are available to help hospitals understand their security exposure, then organize and optimize the mitigations. These tools can deliver an inventory of all the medical devices in use, match these devices with known vulnerabilities, alert users to the potential risks that each device brings, and provide advice on actions to take. Additionally, some tools include security features that guarantee only organization-approved software can run on their networks.
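The inventory-to-vulnerability matching and risk prioritization described above, as an added example that is not part of the article and not any vendor's tool: a device inventory is joined against vulnerability advisories by vendor, model and firmware range, each match is scored by severity, network exposure and patient-safety impact, and a recommended action is attached. Every device, advisory, zone and weight here is constructed for illustration; the advisory ids are placeholders, not real CVE numbers, and "ExampleMed" is not a real manufacturer.

```python
"""Match a medical-device inventory against vulnerability advisories and rank
the findings by risk. Added example: devices, advisories, zones and scoring
weights are all constructed for illustration; the advisory ids are placeholders,
not real CVE numbers, and "ExampleMed" is not a real vendor."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.10.0' -> (1, 10, 0): compared numerically, so 1.10 > 1.2 (a string compare gets this wrong)."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Device:
    asset_id: str
    vendor: str
    model: str
    firmware: str
    network_zone: str        # "isolated", "clinical" or "flat" (shares the corporate LAN)
    life_critical: bool      # e.g. infusion pumps and ventilators


@dataclass
class Advisory:
    advisory_id: str         # placeholder id such as "ADV-001"
    vendor: str
    model: str
    affected_min: str        # lowest affected firmware (inclusive)
    fixed_in: Optional[str]  # first patched firmware, or None if the vendor shipped no fix
    severity: float          # 0.0-10.0, CVSS-like
    remotely_exploitable: bool


@dataclass
class Finding:
    device: Device
    advisory: Advisory
    risk: float
    recommendation: str


# Exposure multiplier: how reachable the device is from elsewhere on the hospital network.
ZONE_EXPOSURE = {"isolated": 0.3, "clinical": 0.7, "flat": 1.0}


def is_affected(device: Device, adv: Advisory) -> bool:
    """True when the device runs a firmware inside the advisory's affected range."""
    if (device.vendor, device.model) != (adv.vendor, adv.model):
        return False
    fw = parse_version(device.firmware)
    if fw < parse_version(adv.affected_min):
        return False
    if adv.fixed_in is not None and fw >= parse_version(adv.fixed_in):
        return False
    return True


def score(device: Device, adv: Advisory) -> float:
    """Severity weighted by network exposure and by whether patient safety is at stake."""
    risk = adv.severity
    risk *= ZONE_EXPOSURE[device.network_zone] if adv.remotely_exploitable else 0.5
    if device.life_critical:
        risk *= 1.5
    return round(min(risk, 10.0), 1)


def recommend(device: Device, adv: Advisory) -> str:
    """Prefer the vendor fix; otherwise fall back to a compensating network control."""
    if adv.fixed_in is not None:
        return f"update firmware to {adv.fixed_in} or later"
    if device.network_zone != "isolated":
        return "no vendor fix: move device to an isolated network segment"
    return "no vendor fix: keep isolated and monitor for anomalous traffic"


def assess(devices: List[Device], advisories: List[Advisory]) -> List[Finding]:
    """Join inventory with advisories and return findings, highest risk first."""
    findings = [Finding(d, a, score(d, a), recommend(d, a))
                for d in devices for a in advisories if is_affected(d, a)]
    findings.sort(key=lambda f: f.risk, reverse=True)
    return findings


# Constructed sample inventory and advisories.
DEVICES = [
    Device("PUMP-01", "ExampleMed", "InfusoMax", "2.1.0", "flat", True),
    Device("PUMP-02", "ExampleMed", "InfusoMax", "2.4.0", "clinical", True),
    Device("MON-07", "ExampleMed", "VitalView", "1.10.0", "isolated", False),
    Device("VENT-03", "ExampleMed", "AirFlow", "3.2.1", "clinical", True),
]
ADVISORIES = [
    Advisory("ADV-001", "ExampleMed", "InfusoMax", "2.0.0", "2.3.0", 9.8, True),
    Advisory("ADV-002", "ExampleMed", "VitalView", "1.2.0", None, 7.0, True),
    Advisory("ADV-003", "ExampleMed", "AirFlow", "3.0.0", "3.2.1", 6.5, False),
]

if __name__ == "__main__":
    for f in assess(DEVICES, ADVISORIES):
        print(f"{f.device.asset_id} {f.advisory.advisory_id} risk={f.risk} -> {f.recommendation}")
```

Two details matter in practice. Firmware versions are compared as integer tuples, because the common mistake of comparing them as strings would treat "1.10.0" as older than "1.2.0" and silently miss affected devices. And the recommendation distinguishes the case where a patch exists from the legacy case the previous paragraph describes, where no fix will ever ship and the only option is to wrap protection around the device by isolating and monitoring it.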
Address the increasing risk of cyberattacks by planning and deploying intelligent medical devices
Increasingly, hospital leadership is beginning to understand that medical devices and information systems are like people: None are perfect, and all have flaws. By recognizing this organizational vulnerability, they can take steps toward mitigating security issues when those issues arise. It starts by prioritizing device security and developing a strategy to overcome potential threats.
Without the requisite resources, organizations will find it harder to protect their data and devices. Over the next few years, hospitals will need to leverage technology to understand and monitor their exposure to security risks, as well as detect any system misbehaviors. Hospitals should be able to perform a benefit-risk analysis for any new devices and systems under consideration for implementation.
The healthcare industry has a justified shared concern for data security. Hospitals unable to ensure the genuineness of data used for critical clinical decisions, as well as the integrity of their medical devices, will not be able to use the most advanced clinical solutions safely. Medical device manufacturers and clinical system vendors not embracing cybersecurity in their processes and product design will lose their customers’ confidence and will not be able to deliver what this industry needs and wants. It is encouraging to see the healthcare industry embrace and begin to respond to the concern, with the help of many organizations like the FDA and the National Institute of Standards and Technology (NIST).
Healthcare is an industry with a lot at stake and a very complex environment, but also a great deal of innovation. There is no reason why the current situation cannot be overcome—through continual investment in cybersecurity organization, processes, and new ideas.
Christophe Dore is a senior product manager overseeing hardware products and cybersecurity at Capsule Technologies. He has helped organizations in several industries understand and position themselves to address cybersecurity challenges since 1995.