Integrating the Healthcare Enterprise (IHE), an organization attempting to improve interoperability in healthcare by promoting the use of shared standards, is seeking public comment on two white papers authored by the IHE Patient Care Device Technical Committee. The two documents, addressing medical device cybersecurity and software patching for devices, are posted on the IHE website and will be available for feedback through July 31.
The first paper, Medical Equipment Management (MEM): Medical Device Cybersecurity—Best Practice Guide, is written to assist both medical device manufacturers and healthcare technology management and IT departments in healthcare facilities, according to the authors. The document details how medical devices are integrated into IT environments, discusses the various types of cyber threats, and addresses best practices related to vulnerability management, secure coding, application deployment, administrative rights management, and workflow and process vulnerabilities, as well as other cybersecurity issues. The paper also covers the ANSI/AAMI/IEC 80001 series of standards, which deal with the application of risk management for IT networks incorporating medical devices.
“We must transition our thinking away from single-solution notions within the medical device ecosystem for protection against cybersecurity issues to a ‘defense in depth’ philosophy that requires the contributions of multiple stakeholders for success,” the authors said in a statement on the AAMI website.
The second white paper, Medical Device Software Patching, addresses the dangers that hackers and malware pose to networked medical devices built on commercial off-the-shelf (COTS) software. These risks include corrupt software, loss of functionality, compromised data integrity, downtime, and a loss of revenue. According to the authors, facilities can help mitigate these dangers by regularly deploying timely COTS patches. However, a variety of factors, such as weak communication, confusion and misunderstanding surrounding regulations, and practical constraints, often interfere with timely and effective patch deployments. To address these challenges, the document details a number of steps device manufacturers and healthcare facilities can take to improve the patching process.