By Doug Folsom

Health and hospital systems, already a favorite target of hackers, face a rapidly rising risk of cyberattacks as the number of medical devices going online soars. As the WannaCry ransomware attack showed, attackers who exploit cybersecurity vulnerabilities can essentially hold medical devices hostage.

In England, for instance, hundreds of devices were affected. Hospitals had to disconnect other devices to contain the attack, which prompted health officials to divert patients in need of emergency care to other facilities, according to an investigative report by the UK National Audit Office.

And that was in 2017. Only a few years later, the risk has only grown. A recent Deloitte report indicates that nearly seven out of 10 medical devices will be connected to networks by 2025.

For an industry that already incurs the highest average cost of a security breach, at over $7 million according to IBM Security's 2020 "Cost of a Data Breach Report," the potential damage to both reputation and bottom line can't be overstated. Yet hospitals and health systems remain at risk because of undefined roles and a lack of preparation.

The Gray Area of Responsibility

Who has responsibility for medical device security can be a murky question. For years, clinical engineering (CE) managed medical equipment and IT managed the hospital's network. But the lines blurred once medical equipment was connected to that network.

Adding to the uncertainty over oversight is the question of what constitutes a medical device at all. Take, for example, a refrigerator that stores COVID-19 vaccines. Is it, too, now a medical device? Within that gray area sits such an explosion of connected medical devices that a new Internet of Things (IoT) subcategory was created for them: IoMT, the Internet of Medical Things.

The devices aren't the most likely entry point for a cyberattack, but they are a prime vulnerability once an attacker is on the network. So, who makes sure the work with the manufacturers gets done, so that devices are patched, updated, and running to the latest manufacturer specifications? Hospitals need clarity and consistency in how they assign responsibility for device management. Fortunately, sharpening your cybersafeguards is well within reach with a well-structured and well-executed plan. Here are three steps to get you there.

Step 1: Understand Your Baseline

The five basic functions of the NIST Cybersecurity Framework Core can help establish a clear and complete understanding among internal and external stakeholders of your cybersecurity foundation.

  1. Identify. Do you have an accurate inventory of all your medical devices and software? Are cybersecurity policies and procedures aligned across IT and CE teams?
  2. Protect. How is access to clinical assets protected, both physical and remote? How well are users trained? Are access authorizations kept up to date?
  3. Detect. Are devices monitored to flag cybersecurity events? Is personnel activity monitored, as well?
  4. Respond. Do response plans exist? Are they communicated? Are they used and maintained?
  5. Recover. Do CE and IT teams undergo recovery training? Is there a plan to repair the reputation of the hospital, too?

Your cybersecurity foundation needs to bridge the gap in ownership between your CE and IT teams so that they have a shared sense of responsibility.

Step 2: Tailor Your Game Plan

With a firm understanding of your cybersecurity foundation in place, develop a game plan for how to move forward. First, ensure your core CE team is adequately staffed. Then make sure your device inventory is reliable. Your CE team needs that comprehensive assessment to identify risks, cross-reference vulnerabilities against the devices you actually own, and manage assets holistically.

Next, move on to the other essential functions: OEM management and relationships, vulnerability tracking and research, and patch management. Continue by targeting incident response, clinical asset integration support, and expanded device data collection.

The key is to reduce, detect, and counter threats before they can hurt your organization. Each step in the game plan works in unison toward that goal. And going forward, remember: as attackers adjust their offense, you'll need to adjust your defense, too.

Step 3: Execute!

Now is no time to be so swept up in strategy that you lose sight of the details. Medical devices are not like typical IT endpoints such as laptops. Patches and other remediations should be validated by the OEM before they are applied: an unvalidated patch can change how a device behaves at the bedside, and it can leave the device in a configuration the OEM does not support. Written instructions or manuals from the OEM are often helpful, so don't shy away from asking for them.

Ferreting out vulnerabilities across an ever-growing inventory of devices can seem daunting, so start by identifying devices that have a current OEM-approved patch ready to install. As you go, record your work in your computerized maintenance management system (CMMS) inventory rather than in a side spreadsheet, so the device record stays the single source of truth.

A big payoff lies in integrating your network-based medical device monitoring solution with your CMMS and inventory. Automating and expanding the capabilities of your inventory not only improves data accuracy by avoiding entry by hand, but also further enables collaboration between your CE and IT teams, since both work from the same record of what is on the network and what state it is in.
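To make the cross-referencing described in Steps 2 and 3 concrete, here is an added Python example; it is not TRIMEDX code and not part of the original article. It reconciles a CMMS export against a network-monitoring feed (flagging devices on the wire that are not inventoried, inventoried devices that were never seen, and firmware that disagrees with the record), then matches devices against OEM advisories and separates patches the OEM has validated from those still waiting on the OEM. Every device record, model name, MAC address and advisory is constructed, and the field names are assumptions about what such exports would contain.

```python
"""Cross-reference a CMMS inventory with network-monitoring observations and
OEM patch advisories. All records below are constructed for illustration."""
import copy

# Constructed CMMS export: one record per clinical asset (hypothetical models/MACs).
CMMS_INVENTORY = [
    {"asset": "INF-0001", "model": "InfusionPump-X", "mac": "00:11:22:33:44:01",
     "firmware": "3.1.0", "patch_log": []},
    {"asset": "MON-0002", "model": "PatientMonitor-Q", "mac": "00:11:22:33:44:02",
     "firmware": "2.4.1", "patch_log": []},
    {"asset": "INF-0003", "model": "InfusionPump-X", "mac": "00:11:22:33:44:03",
     "firmware": "3.2.0", "patch_log": []},
]

# Constructed feed from a network-based monitoring tool: what is actually on the wire.
NETWORK_OBSERVATIONS = [
    {"mac": "00:11:22:33:44:01", "ip": "10.20.0.11", "firmware": "3.1.0"},
    {"mac": "00:11:22:33:44:02", "ip": "10.20.0.12", "firmware": "2.3.9"},  # CMMS says 2.4.1
    {"mac": "00:11:22:33:44:99", "ip": "10.20.0.99", "firmware": "1.0.0"},  # not in CMMS
]

# Constructed OEM advisories: fix version and whether the OEM has validated it for deployment.
OEM_ADVISORIES = [
    {"model": "InfusionPump-X", "fixed_in": "3.2.0", "validated": True},
    {"model": "PatientMonitor-Q", "fixed_in": "2.5.0", "validated": False},
]


def parse_version(text):
    """'3.1.0' -> (3, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def reconcile(inventory, observations):
    """Compare what the CMMS says exists with what monitoring actually saw.

    Returns MACs seen but not inventoried, assets inventoried but never seen,
    and assets whose observed firmware differs from the CMMS record.
    """
    by_mac = {dev["mac"]: dev for dev in inventory}
    seen, unknown, mismatched = set(), [], []
    for obs in observations:
        dev = by_mac.get(obs["mac"])
        if dev is None:
            unknown.append(obs["mac"])
            continue
        seen.add(obs["mac"])
        if obs["firmware"] != dev["firmware"]:
            mismatched.append((dev["asset"], dev["firmware"], obs["firmware"]))
    missing = [dev["asset"] for dev in inventory if dev["mac"] not in seen]
    return {"unknown": unknown, "missing": missing, "mismatched": mismatched}


def pending_patches(inventory, advisories, observations=()):
    """Split devices running below an advisory's fix version into those whose
    patch the OEM has validated (ready to schedule) and those still waiting.

    Observed firmware, when available, overrides the CMMS value so a stale
    record cannot hide a vulnerable device.
    """
    observed = {obs["mac"]: obs["firmware"] for obs in observations}
    ready, waiting = [], []
    for adv in advisories:
        for dev in inventory:
            if dev["model"] != adv["model"]:
                continue
            running = observed.get(dev["mac"], dev["firmware"])
            if parse_version(running) >= parse_version(adv["fixed_in"]):
                continue
            entry = (dev["asset"], running, adv["fixed_in"])
            (ready if adv["validated"] else waiting).append(entry)
    return ready, waiting


def record_patch(inventory, asset, new_version, note):
    """Write the completed remediation back to the CMMS record, not a side spreadsheet."""
    for dev in inventory:
        if dev["asset"] == asset:
            dev["patch_log"].append({"from": dev["firmware"], "to": new_version, "note": note})
            dev["firmware"] = new_version
            return dev
    raise KeyError(f"asset {asset} not in inventory")


if __name__ == "__main__":
    inv = copy.deepcopy(CMMS_INVENTORY)
    print("reconciliation:", reconcile(inv, NETWORK_OBSERVATIONS))
    ready, waiting = pending_patches(inv, OEM_ADVISORIES, NETWORK_OBSERVATIONS)
    print("ready to schedule:", ready, "| waiting on OEM validation:", waiting)
    for asset, _running, fixed_in in ready:
        record_patch(inv, asset, fixed_in, "applied per OEM advisory")
    print("still ready after patching:", pending_patches(inv, OEM_ADVISORIES)[0])
```

Two design points matter here. Matching on MAC address is the assumption that makes the join work; in a real deployment the monitoring tool's identifier (MAC, serial, or its own device ID) has to be stored in the CMMS record, or the two systems will never agree. And a device whose fix exists but is not yet OEM-validated is reported separately on purpose, so the list handed to technicians contains only work the OEM has cleared.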

Hospitals and health systems are too tempting a target not to keep drawing attackers' attention in newer and more insidious ways. The exposure lies in an ever-growing number of connected medical devices combined with unclear responsibility between CE and IT teams. Take these steps now to protect your hospital and safeguard patient care, no matter which ransomware strikes next.

Doug Folsom is president of cybersecurity and chief technology officer at TRIMEDX. Questions and comments can be directed to [email protected].