Protecting medical devices to build cyber resilience
The digitization of healthcare has allowed healthcare organizations to use connected medical devices to improve both patient care and provider experiences across the entire care continuum. Today, medical devices can track and monitor patient vital signs, provide diagnostic information, deliver lifesaving therapies, and even offer treatment recommendations and clinical decision support, all while communicating directly with healthcare IT systems to keep patient medical records complete and accurate.
Unfortunately, this advanced technology also brings the risk of exploitation and patient safety risks from both internal and external threats. Whether it is an uninformed patient changing settings on an unlocked infusion pump, someone looking to steal valuable protected health information (PHI) stored on an unattended device, or a cybercriminal using a network-connected medical device as a foothold into a hospital's entire network, medical devices can be a source of risk for both healthcare organizations and patient safety. Compounding this issue is the fact that medical devices frequently run on outdated legacy operating systems that are difficult or even impossible to patch or to protect with standard endpoint security measures, so the surrounding controls (who can log in to the device, and which networks and systems it can reach) often carry more of the risk than the device software itself.
With the rising threat of cyberattacks in healthcare and the resulting interest in cybersecurity, governing bodies and industry institutions such as HHS, ECRI, and the FDA have published recommendations and guidance on how to better protect medical devices and the systems they communicate with, in order to build resilience in healthcare IT.
Below is a roundup of some of the most comprehensive guidance for both healthcare organizations and medical device manufacturers to help combat internal and external threats.
HHS – Health Care Industry Cybersecurity Task Force
In June 2017, the HHS Health Care Industry Cybersecurity Task Force released a report aimed at building cyber resilience and resilient infrastructure in healthcare organizations. While the comprehensive report shares recommendations across the entire healthcare environment, special attention should be paid to recommendations 1.2, 2.1, and 2.4, which provide guidance that is particularly relevant to medical devices. Recommendations here include requiring strong authentication and access management for these devices, as well as securing the legacy systems that many medical devices run on, which may have inherent security weaknesses that cannot be patched away.
ECRI – Ransomware best practices for medical devices
ECRI recently published a list of best practices for protecting medical devices against ransomware. The article presents a comprehensive list of "Dos" and "Don'ts" covering both the prevention of future ransomware attacks and the proper remediation of an infection once one has occurred. Additional resources are also provided to help organizations put these recommendations into action in their own environments.
FDA – Premarket and postmarket cybersecurity guidance
The FDA provides a helpful fact sheet that summarizes key information from its more comprehensive premarket and postmarket cybersecurity guidance for medical devices. Many of the topics are aimed specifically at medical device manufacturers, but they are also vital for providers to understand, since the provider inherits whatever security properties (or gaps) the manufacturer shipped.
Understand recommendations for medical device cybersecurity
Imprivata will host a live webinar on Thursday, September 21st at 2pm to discuss the recommendations for medical device cybersecurity, as well as some quick steps that hospitals and health systems can take to better combat threats that target medical devices. Register for the webinar here.