Summary: Healthcare facilities are increasingly targeted by cyberattacks, leading to stricter FDA standards for medical device security. Biomeds now play a critical role in cybersecurity, requiring ongoing education and training. Effective asset management, including the use of Software Bill of Materials (SBOMs), is vital for identifying vulnerabilities. Despite best efforts, perfect security is unattainable, so prioritizing essential equipment and having a comprehensive response plan are crucial to minimize the impact of cyberattacks.
Key Takeaways:
- Expanded Roles: Biomeds must actively engage in cybersecurity, extending beyond IT’s responsibility.
- Asset Management: Effective asset management, including Software Bill of Materials (SBOMs), is crucial for identifying vulnerabilities and managing updates.
- Preparedness: Prioritizing essential equipment and having a robust response plan is essential for minimizing the impact of cyberattacks.
By Steven Martinez
It seems like every other week, another healthcare facility cyberattack hits the news with stories about million-dollar ransoms, breaches to patient data, and, most importantly, delays to vital care.
Hackers have figured out that hospitals are money-making targets, which is why the FDA has implemented more medical device standards and requirements to hopefully tamp down what has historically been a gaping hole in cybersecurity. But while these new rules are just now going into effect, on the ground level, healthcare facilities need to do everything they can to shore up the security of the devices they house.
Gone are the days when HTM shops could consider cybersecurity solely IT’s responsibility. Now, biomeds play a key role in cybersecurity defense and managing the aftermath of attacks. Instead of isolating responsibility within a single department, fostering a top-down, organization-wide effort is likely the best approach, experts say.
“Cybersecurity, especially in the medical device space, is a team sport,” says Phil Englert, vice president of medical device security at Health-ISAC, a forum for sharing physical and cyber threat intelligence. “A cybersecurity event is simply a failure mode. It’s a way for devices to not work how you expect them to. Biomeds are very good at this. This is what they do, day in and day out, is respond to devices that fail or are not working right.”
Learn the Basics of Medical Equipment Cybersecurity
“Know your enemy,” Sun Tzu tells us in The Art of War. It’s a platitude that has lasted for millennia because preparation will always be a soldier’s greatest ally, even in a digital war. Biomeds are generalists, and they need to know how to fix a variety of devices in a multitude of ways. And that’s why, if we think of a cyberattack as a mode of failure for a medical device, learning the basics of cybersecurity is a vital tool to have in your bag, experts say.
Priyanka Upendra, MS, CHTM, AAMIF, senior director of services at Asimily, emphasizes that while cybersecurity is already part of biomed training, HTM professionals should not only know how to fix issues but also fully understand the problems.
“Go beyond just the HIPAA training,” says Upendra. “Every healthcare organization has their [learning management system] modules that one has to complete as part of the annual training, and often it is focused on HIPAA from a privacy standpoint—and there’s very little about medical device security.”
Upendra recommends giving biomeds a “Cyber 101” that includes information about vulnerabilities, abnormal behaviors, networking basics, and documentation of cybersecurity events. Groups like AAMI and CompTIA offer courses to members on cybersecurity topics, but Upendra says the training doesn’t have to be formal.
HTM shops can include one or more of these topics in their weekly meetings and even invite members of the IT department to present on a subject. The idea is to familiarize biomeds with concepts and terms that will come in handy when a cybersecurity event occurs.
Asset Management and SBOMs
One primary reason healthcare facilities make good targets for hackers is that they provide many entry points for an attack. A single institution might host hundreds of different medical devices from different vendors, running different software and connecting to the network in different ways. Keeping everything up to date is like playing whack-a-mole with too many holes and only one hammer.
Proper and accurate asset management for healthcare facilities is vital in addressing this threat, experts say. It goes beyond knowing what devices you have in your facility and where they are, but also understanding which devices connect to the network and how they do it.
“The FDA has statutory authority over cybersecurity, and part of their requirement was to have software bill of materials, or SBOMs,” says Englert. “Cybersecurity is, first and foremost, an asset management problem, and I think SBOMs are one of the keys to doing this.”
In short, SBOMs list the components of your medical device or systems. With that knowledge, it’s easier to scan your technology to identify any newly discovered cybersecurity vulnerabilities in applications, devices, or device systems, according to Englert.
Now, instead of needing to check every device connected to the network—potentially hundreds of devices—the SBOM allows healthcare facilities to quickly figure out which devices are being affected, saving valuable time and effort.
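The SBOM lookup described above, sketched as an added example that is not from the article or any vendor: it sorts an inventory of minimal CycloneDX-style SBOMs into affected, not affected, and unknown for one advisory. The asset tags, component names, versions, and the advisory are constructed; it goes slightly beyond the text by also walking nested components and flagging devices with no SBOM on file.

```python
import json

# Constructed inventory: asset tag -> minimal CycloneDX-style SBOM (JSON text),
# or None where the vendor never supplied one.
INVENTORY = {
    "CT-0001": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "example-imaging-suite", "version": "7.2.0", "components": [
            {"name": "example-tls-lib", "version": "2.4.1"}]}]}),
    "PUMP-0042": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "example-tls-lib", "version": "2.6.0"}]}),
    "MON-0107": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "example-rtos", "version": "5.1"},
        {"name": "Example-TLS-Lib", "version": "2.5.9"}]}),
    "VENT-0003": None,
}

def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1); non-numeric parts raise ValueError."""
    return tuple(int(part) for part in text.split("."))

def walk(components):
    """Yield every component, including ones nested inside other components."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))

def triage(inventory, component, fixed_in):
    """Sort assets into affected / not_affected / unknown for one advisory."""
    result = {"affected": [], "not_affected": [], "unknown": []}
    fixed = parse_version(fixed_in)
    for asset, sbom_text in sorted(inventory.items()):
        if sbom_text is None:
            result["unknown"].append(asset)  # no SBOM: cannot be ruled out
            continue
        status = "not_affected"
        for comp in walk(json.loads(sbom_text).get("components")):
            if comp.get("name", "").lower() != component.lower():
                continue
            try:
                if parse_version(comp.get("version", "")) < fixed:
                    status = "affected"
            except ValueError:  # version string we cannot compare
                status = "unknown" if status != "affected" else status
        result[status].append(asset)
    return result

if __name__ == "__main__":
    # Constructed advisory: example-tls-lib is fixed in 2.6.0.
    print(triage(INVENTORY, "example-tls-lib", "2.6.0"))
```

The "unknown" bucket is the list to take to the vendor: a device with no SBOM, or with a version string that cannot be compared, has not been cleared.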
“When we bring in new technology, we should ask for the SBOM and the MDS2,” says Englert. “We should think about all the controls available on this device and how we are going to integrate it in the most secure manner possible.”
The Problem with Patching
Unfortunately, even with proper asset management, SBOMs, and MDS2s, no medical device is ever 100% secure. New cybersecurity vulnerabilities are constantly being discovered, and vendors are constantly releasing patches to address them.
Patching your home computer or smartphone is usually a pain-free experience. Microsoft, Google, or Apple releases an update, and the device downloads and installs it, often automatically, while charging.
But while some medical devices can update themselves in the same manner, enabling automatic updates is almost always discouraged. The last thing you’d want to happen is for a vital device being used in patient care to reboot itself after an update, experts caution.
That means that HTM shops are tasked with both finding the device that needs an update and installing it, as well as finding out where the patch is located and figuring out how to install it. Again, with hundreds of devices and vendors, the process is far from standardized.
“There’s no procedure for [patching], and there’s no PM for the cybersecurity work. Even if there’s patches on a particular schedule, you don’t know what patches, and you don’t know what’s been approved,” says Ryan Gonzalez, director of HTM cybersecurity with Sodexo North America. “So, there’s a lot of communication with the vendor or manufacturer potentially.”
Patches are often found on poorly set-up websites that list every patch for every device from the vendor, leaving it to the biomed to sort it out. Gonzalez says that one way to improve the process is to designate a single person to patch devices. They don’t need to do it alone, but they can coordinate and streamline the process.
Finding out about a patch can be frustrating; vendors might call, email, or, as Gonzalez notes, even send a physical letter. These communications are often sent to a facility contact, which Gonzalez says is rarely the HTM department.
“It’s all very device-specific,” says Gonzalez. “So that’s why I always try to communicate to people in the industry; medical device cybersecurity is a lot of being on the phone with the manufacturer.”
Prioritize Your Equipment
With so many medical devices needing updates and more vulnerabilities sprouting up, achieving perfect cybersecurity and sealing every gap is impossible, maintains Englert.
“That’s kind of like swatting flies,” he says. “You kill one, and 10 more show up to his funeral.”
Despite best practices, HTM departments must prioritize essential equipment for patient care and hospital operations. Experts stress that HTM shops must keep critical medical devices accessible and updated, protecting them from cyberattacks and ensuring regular maintenance.
Consider, for instance, a CT scanner. That device is far more valuable to patient care and a healthcare facility’s bottom line than a single infusion pump, Englert asserts. So, it’s important to think about these things ahead of time and make a response plan for getting these devices back up and running before a cyberattack, he says.
“Think about how you can keep these running even while you’re under attack, understand what’s important to deliver patient care, and then have a response plan,” says Englert. “You can’t ask where the water bucket is after the fire started. You have to know where you’ll get it so that your response is fast.”
He says it’s important to remember that many medical devices are designed to function without connectivity. If a server fails or connectivity issues arise, the connection to the central monitoring station might be lost, affecting data tracking and storage. However, even in a worst-case scenario, the system can still function for patient care.
“Most medical devices will operate independently of connectivity except for their electrical needs,” says Englert. “The challenge is you then have to think about, ‘If I lose that server or that capacity, what do I have to do to make up for that technology I’ve relied on?’ And that’s very much a human intervention.”
If a member of staff is available to physically check the device and manually track its functionality, the impact on patient care can be minimized. But again, this needs to be considered and planned in advance.
The Long Tail Impact of a Cyberattack
No, healthcare cyberattacks aren’t disappearing soon and, yes, hackers will continue to exploit vulnerabilities. Still, vigilance is crucial, the experts consulted here agree.
In the wake of the Change Healthcare cyberattack, the U.S. Department of Health and Human Services told healthcare organizations that they should plan on cyber events lasting anywhere from four to eight weeks. Englert says that if you look at the timeline for a total rebuild and replacement, it can take as long as four to eight months to get hospitals fully operational after they’ve been infected.
So, the idea that a cyberattack is a one-off catastrophe that can be recovered from quickly is just not realistic, he adds. But with a team effort, a response plan, and a well-prepared staff, HTM departments can play a vital role in maintaining good medical device cybersecurity and righting the ship after the storm passes.
“It’s best to avoid it,” says Englert. “But if you can’t avoid it, then having a recovery plan that can get you back in business quicker, put your clinicians back into doing patient care, and compensate for the missing technology is very much in favor of having better patient outcomes.”