By Doug Folsom
Ensuring that the medical devices connected to a network are cybersecure is an integral part of clinical asset management. But what happens when what’s linked to the network falls into a gray area of responsibility among a health system’s clinical engineering team, IT team, or even a third-party enterprise-software provider?
Consider an older device not originally designed to be connected to a network, such as an aging medical imaging system? What about a newer device only now being considered medical equipment, such as a refrigerator that stores vaccines? Are these devices receiving timely software patches? Whose responsibility is it to manage their security needs? Are there even devices connected to a network that are unaccounted for?
The COVID-19 Connection
The past two years have underscored what’s at stake with such device integration gaps in how clinical assets are managed. Patient data and other sensitive records are at risk, as well as the functionality of medical devices, which cybercriminals can disable at least for a time until a ransom is paid. Cyberattacks against U.S. healthcare systems rose more than 55%, year-over-year, in 2020, according to a July Fitch Ratings report that characterized the spike as a “historic.”
What’s adding to the challenges ahead for clinical engineering teams is the expanding number of medical devices in use, generally, and the surge of devices being connected to a hospital network, specifically. Market research and management consulting firm Lucintel expects up to a 5% compound annual growth rate in the medical device market from 2020 to 2025, due, in part, to technological development. Moreover, a Deloitte report projects that nearly 70% of medical devices will be connected to networks by 2025.
The pandemic likely has accelerated this trend. “If there’s anything we’ve learned this year, it’s that the role of and demand for technologies enabling remote patient monitoring and remote patient care will only increase,” Russ Johannesson, CEO of diabetes management platform Glooko told Medical Design Briefs in a 2021 article about the future of medical devices. Glucose meters, monitoring systems, insulin pumps, and even insulin pens are becoming connected.
The rise in connectivity heightens the potential of having medical device outliers that present risks in several ways unless steps are taken to fully integrate them into a comprehensive medical device cybersecurity solution.
The Challenges with Medical Device Cybersecurity
Several hurdles can present themselves in ensuring that medical devices have the latest security updates or are at least reconfigured to mitigate risks.
For starters, unlike with most desktop and laptop computers, software patches are not automatically pushed out. In fact, an original equipment manufacturer (OEM) sometimes is unaware of a vulnerability until a medical device service provider flags the issue. Even then a patch may not be forthcoming. The OEM may no longer support the device. Although the FDA is seeking a requirement that devices have the ability to be updated and patched in a timely manner, such a requirement is not now required.
Another medical device-specific challenge? By law, OEMs must validate patches, although they have other considerations as well. For instance, whenever they make a change to a medical device, they must perform a risk assessment. So, they may delay incorporating a patch or other update until it can coincide with the regulator-required revalidation of other equipment and software upgrades. OEMs may also refrain from updating older equipment that is now network-connected, although it wasn’t designed to be.
Other software updates can get more complicated as OEMs and enterprise-software providers make their own decisions. The enterprise-software provider may provide a patch, but the OEM may decide not to validate the patch for their device. This means that although a patch exists, a clinical engineering or cyber team needs to institute another compensating control.
Even in the best-case scenario, a complex patch to a widespread problem can take days to develop and implement—time that still leaves a health system with a medical device vulnerability to remediate, even though they may not have the knowledge or expertise. That, in a nutshell, is how to integrate any outlier medical device into your clinical asset management (CAM) process— recognize what devices present risks and remediate them. As with any CAM solution, you must start with an accurate inventory.
Steps Toward Integrating Medical Device Outliers into Your Cybersecurity Efforts
To ensure medical device cybersecurity, an accurate, up-to-date inventory is essential. A comprehensive CAM solution with a robust cybersecurity program cannot only track a device’s location—is the device at the facility or remote?—it can monitor equipment vulnerabilities and flag the clinical engineering or cyber team when issues arise.
Is an OEM-validated patch available for this medical device but uninstalled? Is a vulnerability identified yet a patch unavailable? Has the OEM been notified? Does the OEM plan a patch? When? If not, is there some other type of compensating control—say blocking an IP port if it’s unneeded, yet a gateway for a particular exploit?
A comprehensive CAM solution that continuously monitors device behavior provides early threat detection. A clinical engineering team doesn’t have to solely rely on an OEM, the FDA, or another hospital system recently victimized by a cybercriminal to recognize the risk of a particular medical device. Real-time monitoring is critical.
Where device integration also slips through the cracks is in the uncertainty over who is responsible for managing the device. Who’s supporting, say, pharmaceutical dispensers? Who is supporting refrigerators? Is the vendor? Is the hospital CE team? The hospital IT team? A third-party provider? What’s within the scope of the service contract?
A device-by-device accounting of who is providing support is necessary so that when a vulnerability is identified, the appropriate party can be notified.
An Increasingly Interconnected Future
The possibilities of what’s ahead in medical device technology are profound. And the pandemic is accelerating those changes. Device advancements, expanded Wi-Fi connectivity, cloud-based services, and the growth of telemedicine promise a new era of interconnected care. But as is the case with much of our online world, those opportunities can be exploited by those seeking financial gain. No hospital system can afford to overlook any connectable device.
Integrating all your devices into a comprehensive CAM solution can seem like a daunting undertaking when you consider the challenges “gray zone” devices present. OEMs may zig while enterprise-solution providers may zag. Patches may or may not be available. Patches may or may not be validated. Common IT approaches to device management can fail to cover all the bases. Yet perseverance and technology can help a clinical engineering or cybersecurity team overcome those challenges to help protect hospital systems and their patients.
Doug Folsom is president of cybersecurity and chief technology officer for TRIMEDX.