When it comes to medical device cybersecurity, healthcare technology management (HTM) departments are often a hospital’s first line of defense. That’s why the Association for the Advancement of Medical Instrumentation (AAMI) will be offering a new training course: “Medical Cybersecurity 101 for HTM Professionals.” The first of three three-hour training sessions begins on September 21.
During three sessions spread out over three days, the course will provide healthcare technology management and clinical engineering professionals with the knowledge and skills to effectively plan for, implement, and manage a medical device security program for their organization’s needs.
“We will consider this course a success when those who attend develop a heightened awareness of the cyber vulnerabilities that exist in the medical device environment,” says Stephen Grimes, AAMIF, managing partner and principal consultant at Strategic Healthcare Technology Associates, as well as a member of 24×7’s editorial board.
Grimes, who penned a first-of-its-kind guide for healthcare cybersecurity in 2019, unites with coauthor Axel Wirth once again to lead this crucial course. HTM pros will learn what can happen “to operations, patient care, and safety if those vulnerabilities are exploited, and the basic steps they can take to help eliminate or reduce those vulnerabilities,” says Grimes.
Wirth, an AAMI Fellow and chief security strategist at MedCrypt, notes that some HTM professionals might question whether cybersecurity is really their responsibility. After all, in this digital age, healthcare systems are also staffed by proficient information technology (IT) departments.
However, this mentality is exactly the kind of thinking that can put healthcare providers at risk. Wirth points to the 2017 WannaCry ransomware attacks, which affected computerized devices in more than 150 countries. One of the attack’s most notable victims was the National Health Service of England and Scotland. According to an audit of NHS England, the ransomware affected devices from at least 80 of the region’s hospital trusts. An additional 603 primary care and other NHS organizations were infected, crippling the healthcare system’s ability to help patients.
“This wasn’t a surprise attack for which we were not prepared,” Wirth says. “The postmortem report revealed that the main cause for this was the general lack of preparedness as well as the lack of defined responsibility and security accountability.”
“Today, we’ve been forced to recognize that cybersecurity and the practice of effective cyber hygiene have become the business of anyone who operates or services computer-based equipment, including the operation or service of most of the medical equipment in current use,” says Grimes.
“Clinical engineering, IT, and IT security, as well as clinical and administrative stakeholders all need to understand cybersecurity and speak the same language so they can understand each other,” adds Wirth. “Cyber-risks of medical devices are not just another cybersecurity problem; they are more complex.”
But they are also not like other medical device risks, he concludes. “Cybersecurity is a very different animal. We hope that this course helps to bridge the gap between stakeholders.”