Providers must rise to challenge of medical device cybersecurity

Medical devices are no longer standalone boxes, but parts of larger systems that are connected to other systems, speakers said during an ECRI Institute Oct. 23 webinar examining cybersecurity risks.

“This creates a complex environment where the responsibility for system security and patient safety becomes blurred,” explained Suzanne Schwartz, MD, MBA, director of emergency preparedness/operations and medical countermeasures, Center for Devices and Radiological Health (CDRH), FDA, at the virtual event.

She advised that all players, including medical device manufacturers, hospitals, medical device user facilities, administrators, healthcare IT staff, clinicians and biomedical engineers, take some ownership in the responsibility of protecting devices against cybersecurity risks. Without planning, a provider is at greater risk of a security breach, which would harm its reputation and could lead to multimillion dollar fines and temporary shutdowns.

Healthcare organizations are attractive targets for phishing attacks, and Internet malfunctions due to malware and viruses pose a threat of disrupting patient care, said Timothy L. Wong, project officer, health devices, ECRI Institute.

As such, healthcare facilities need to treat cybersecurity as a "top priority," said Wong. This means that organizations need to proactively develop and implement cybersecurity plans to protect against an expanding number of vulnerabilities affecting devices.

A successful cybersecurity plan must be implemented to stay ahead of breaches, and Wong said it should include:

  • Protection from outside threats, including the implementation of anti-malware applications for threat detection and use of a virtual local area network, firewalls and data encryption;
  • Protection from inside threats, which involves strict user authentication and risk assessments.

The convergence of medical devices and IT systems requires heightened collaboration between clinical engineering and IT staff, said Anthony J. Coronado, biomedical engineering manager, Methodist Hospital of Southern California (MHSC).

“Everyone in the healthcare field has responsibility for patient safety. It’s our job to develop a program to protect them through cybersecurity,” Coronado said.

Noting that 61 percent of medical devices are networked in some way, he recommended the development of an integrated management system in which clinical engineering and IT staff shift from managing individual components to jointly supporting a system. At MHSC, he said, project managers from both IT and clinical engineering meet weekly to engage in systems management, risk management, asset management and project management activities.

Now, anytime a new medical device is procured, a 57-question document assesses the cybersecurity risks involved. Mitigation is then undertaken, which may require contacting the manufacturer with requested product updates.

Medical device manufacturers must build security into their device designs while developing risk mitigations, said Schwartz. She said the CDRH, along with the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), recently identified a hard-coded password vulnerability affecting about 300 devices among 40 vendors that could be exploited to potentially change critical settings and/or modify device firmware.

A cybersecurity working group is working with these manufacturers to address these vulnerabilities; further, CDRH has formally recognized international cybersecurity standards for medical devices and issued final guidance on wireless technology in medical devices, Schwartz said.

"CDRH would like to become better informed as to what the pain points are for hospital network security," she added, inviting engagement with the FDA on cybersecurity matters.

(Note: ECRI Institute offers this web conference and recording as a part of the Health Devices and SELECTplus membership program and is also available to the public for a fee. To learn more about the web conference, please visit the conference site.)