By Scott Trevino
Cybersecurity is not exclusively an IT problem—cyberattacks compromise patient health and privacy. A Ponemon Institute survey revealed nearly a quarter of healthcare system cyberattack victims experienced an increased mortality rate after a breach, and more than half of respondents reported worse patient outcomes.
The value of patient data makes healthcare organizations a lucrative target for hackers. Indeed, protected health information can sell for up to $1,000 on the dark web, according to Experian. Additionally, the often urgent and critical nature of healthcare means organizations can’t waste time in their response—Sophos reports this is an industry where organizations most often pay a ransom. According to IBM, the average healthcare breach cost is the highest of any sector at more than $10 million.
With so much on the line, healthcare system leaders must prioritize cybersecurity with a strategy that includes medical devices.
Inventory Assessments to Gauge Medical Device Vulnerability
An unmitigated medical device vulnerability provides an opening for hackers. A Cynerio report found more than half of a health system’s network-connected devices have a known vulnerability. Ponemon Institute determined organizations have an average of 26,000 connected devices, so the risk is significant. While many recognize the threat, barely 50% of healthcare organizations surveyed by Ponemon Institute incorporated clinical assets in their cybersecurity plan.
The first step to addressing this weakness is to conduct an inventory assessment to acquire a complete and accurate list of all medical devices. With device rosters being up to 40% inaccurate, organizations cannot create a comprehensive risk profile. A detailed inventory, including individual device attributes like use, location, and known vulnerabilities, enables cybersecurity teams to view risk on a device, network, or organizational level.
Create Remediation Priorities
Some cyber risks pose a greater threat than others, and remediation priorities may vary by healthcare system depending on risk tolerance, lifecycle management process, and budget. When evaluating risk, organizations should consider device vulnerability, risk, context of use, and impact on patient safety.
When determining cyber vulnerability, organizations should consider important questions, such as, “How easily can the vulnerability be exploited?” “What will be compromised in a breach?” “What remediation is available from the original equipment manufacturer (OEM)?”
Should the nature of the risk posed by a vulnerability rise to the level of an FDA recall, an OEM would be compelled to remediate the risk (e.g., provide a patch). However, most vulnerabilities currently do not meet the criteria to be recognized as FDA recalls, and therefore, an OEM may choose not to act. This reality is evidenced by the fact that in more than 60% of cases, no patch is available. In this instance, healthcare systems need to consider compensating controls to mitigate the risk. Examples might include segmenting a network, disconnecting a device, or replacing the equipment.
Considerations for device risk include the potential harm a device breach could cause and the probability the vulnerability will be exploited.
A device’s use and threat to patient safety are key factors. It is possible that in some cases, addressing vulnerabilities could reduce a device’s safety and effectiveness and negatively impact patient care. Healthcare organizations must evaluate location, use context, and device failure consequences because, for example, a clinical asset used in the emergency department presents different risks and potential consequences than one deployed in other care environments.
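To make the two preceding sections concrete, here is an added example (not code from the article or from TRIMEDX) that reconciles a device roster against what is actually seen on the network, then scores each device as exploitation probability times potential harm, where harm depends on device type and care area, and falls back to compensating controls when no OEM patch exists. The weights, field names and the four sample devices are assumptions constructed for illustration.

```python
"""Prioritize medical-device cyber risk from an inventory.

Added example; not code from the article or from TRIMEDX. The scoring
weights, field names and sample devices are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Vulnerability:
    vuln_id: str
    exploitability: float      # 0.0-1.0: how easily the flaw can be exploited
    exposes_phi: bool          # would a breach expose protected health information?
    oem_patch_available: bool  # has the OEM shipped a remediation?


@dataclass
class Device:
    device_id: str
    device_type: str
    location: str              # care area where the device is deployed
    network_segment: str
    vulnerabilities: List[Vulnerability] = field(default_factory=list)


# Assumed weights: consequence of device failure by care area and device type.
LOCATION_IMPACT = {"ED": 1.0, "ICU": 1.0, "OR": 0.9, "Inpatient": 0.7, "Outpatient": 0.4}
DEVICE_CRITICALITY = {"infusion_pump": 1.0, "ventilator": 1.0, "patient_monitor": 0.8,
                      "imaging": 0.6, "lab_analyzer": 0.5}
PHI_HARM = 0.5  # assumed harm weight for a data-only exposure


def vulnerability_risk(device: Device, vuln: Vulnerability) -> float:
    """Risk = probability of exploitation x potential harm, scaled to 0-100."""
    safety_harm = (DEVICE_CRITICALITY.get(device.device_type, 0.5)
                   * LOCATION_IMPACT.get(device.location, 0.5))
    data_harm = PHI_HARM if vuln.exposes_phi else 0.0
    return round(vuln.exploitability * max(safety_harm, data_harm) * 100, 1)


def device_risk(device: Device) -> float:
    """A device is as risky as its worst unmitigated vulnerability."""
    return max((vulnerability_risk(device, v) for v in device.vulnerabilities), default=0.0)


def recommended_action(device: Device) -> str:
    """Prefer the OEM patch; fall back to compensating controls when none exists."""
    if not device.vulnerabilities:
        return "no action"
    worst = max(device.vulnerabilities, key=lambda v: vulnerability_risk(device, v))
    if worst.oem_patch_available:
        return "apply OEM patch"
    risk = vulnerability_risk(device, worst)
    if risk >= 70:
        return "disconnect or replace"
    if risk >= 40:
        return "segment network"
    return "monitor"


def prioritize(devices: List[Device]) -> List[Device]:
    """Remediation order: highest device risk first."""
    return sorted(devices, key=device_risk, reverse=True)


def rollup_by_segment(devices: List[Device]) -> Dict[str, Dict[str, float]]:
    """Aggregate device-level risk to the network level (count, max, mean)."""
    groups: Dict[str, List[float]] = {}
    for d in devices:
        groups.setdefault(d.network_segment, []).append(device_risk(d))
    return {seg: {"devices": len(r), "max_risk": max(r), "mean_risk": round(sum(r) / len(r), 1)}
            for seg, r in groups.items()}


def reconcile_roster(roster_ids: Set[str], observed_ids: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (devices seen on the network but missing from the roster,
    devices on the roster never observed): both are inventory errors to chase."""
    return observed_ids - roster_ids, roster_ids - observed_ids


# Constructed sample inventory (hypothetical device and vulnerability ids).
INVENTORY = [
    Device("D1", "infusion_pump", "ED", "clinical-A",
           [Vulnerability("V1", exploitability=0.9, exposes_phi=False, oem_patch_available=False)]),
    Device("D2", "imaging", "Outpatient", "imaging-B",
           [Vulnerability("V2", exploitability=0.8, exposes_phi=True, oem_patch_available=True)]),
    Device("D3", "patient_monitor", "Inpatient", "clinical-A",
           [Vulnerability("V3", exploitability=0.5, exposes_phi=False, oem_patch_available=False)]),
    Device("D4", "lab_analyzer", "Outpatient", "lab-C"),
]
ROSTER_IDS = {d.device_id for d in INVENTORY}
OBSERVED_IDS = {"D1", "D2", "D3", "D5"}  # constructed: D5 is an unrostered device, D4 was never seen

if __name__ == "__main__":
    unrostered, unseen = reconcile_roster(ROSTER_IDS, OBSERVED_IDS)
    print(f"not on roster: {sorted(unrostered)}; on roster but never observed: {sorted(unseen)}")
    for d in prioritize(INVENTORY):
        print(f"{d.device_id:4} {d.device_type:16} {d.location:11} risk={device_risk(d):5.1f} -> {recommended_action(d)}")
    print(rollup_by_segment(INVENTORY))
```

Two design points: the per-device score takes the maximum over its vulnerabilities rather than the sum, because one unpatched, easily exploited flaw on an emergency-department pump is the event that matters, and a pile of low scores should not outrank it; and the segment roll-up keeps both max and mean, since the max drives isolation decisions while the mean shows which segments are accumulating unaddressed risk over time.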
Technology can significantly contribute to effective cyber risk management by managing device inventory, automating processes, calculating risks, monitoring network activity, profiling device behaviors, and delivering actionable data. With a growing number of devices connecting and disconnecting on the network, monitoring and notification of anomalies and unusual behaviors are increasingly necessary. A comprehensive clinical asset management program can centralize, streamline, and strengthen cybersecurity efforts.
Constant Risk Monitoring
Risk assessment and remediation are not a one-time initiative. Threats, technology, vulnerabilities, and business needs constantly evolve. With patient health and data at stake, healthcare organizations must conduct continuous, real-time monitoring. A data breach’s impact on patients, and the expense it brings, significantly outweighs the cost of investing in a robust and reliable cybersecurity program. Cyber threats are not merely the responsibility of the IT and clinical technician teams. A deliberate and effective organization-wide approach is required to appropriately address risks and protect patients.
Scott Trevino is senior vice president of cybersecurity at TRIMEDX. Questions and comments can be directed to [email protected].