A few experts in the field offer their thoughts on what HTM professionals can do to keep their devices—and patients—safe
By Chris Hayhurst
Benjamin Esslinger, CBET, manager of medical engineering with Eskenazi Health at Sidney and Lois Eskenazi Hospital in Indianapolis, has had no formal training in medical device security.
Sure, he notes, he was president of the Indiana Biomedical Society (IBS) in 2016—and currently serves as a trustee—and through the IBS did attend a one-day cybersecurity symposium that was held in advance of their annual conference. And he went to a similar cybersecurity workshop in Utah, an event jointly sponsored by the Medical Device Innovation, Safety and Security (MDISS) Consortium and the National Health Information Sharing and Analysis Center (NH-ISAC).
But really, Esslinger says, “The workshops were a chance to start building relationships with leaders in the field and gather the foundational skills needed to approach cybersecurity assessment and mitigation of medical devices.”
Esslinger, who oversees 13 biomeds and two imaging techs, and is responsible for the care of roughly 20,000 medical devices, says he has taken that advice and knowledge to heart. Over the last eight months, he says, he’s “engulfed” himself in the ins and outs of cybersecurity, using, for instance, the MDISS tool “MDRAP,” or the Medical Device Risk Assessment Platform.
“It’s a national approach toward cybersecurity risk assessment,” Esslinger explains. Any healthcare delivery organization that uses the platform can share its findings surrounding risk, vulnerabilities, and threats.
“[Thanks to] relationships created through the community of practice through MDRAP, we can share best practices related to mitigation, with all of the other groups in the MDRAP community,” Esslinger says. “It’s a way to look at medical device security as a whole, instead of siloed out in individual facilities.” Even so, he says, health delivery organizations must still consider their own environmental risks.
A Growing Problem
That HTM professionals like Esslinger are taking it upon themselves to get up to speed on cybersecurity is music to the ears of Stephen Grimes, FACCE, FHIMSS, FAIMBE, managing partner and principal consultant with Strategic Healthcare Technology Associates in Swampscott, Mass.
Grimes, a nationally recognized expert on medical device security who helped to coordinate AAMI’s first symposium on the subject in 2001, describes the healthcare industry’s approach to cybersecurity overall as “slow-going.”
Manufacturers, he says, are making devices more secure, in part because of “market forces” and partly because the FDA is pushing them to do so—but many healthcare organizations seem stuck in first gear. The issue, he admits, has a lot to do with money, as many organizations can’t afford to spend what they’d need to replace their most-vulnerable legacy devices.
But it’s also because many of those in healthcare technology management have come to the field like Esslinger did—with little to no training in cybersecurity. “It’s not something that they were brought up in, so it really seems a little bit foreign,” Grimes says. “I think it tends to intimidate a lot of people.” Which is a problem, he adds, because “we’re seeing more and more breaches all the time.”
Indeed, according to the U.S. Department of Health and Human Services, there were 329 reported healthcare data breaches in 2016, more than any other year on record. And a new report by the global information services company Experian predicts that this year the situation will only escalate.
Healthcare organizations, the company notes, will likely be the top target for cyber criminals in 2017 because “medical identity theft remains lucrative and easy” for hackers to exploit. Personal medical information is “one of the most valuable types of data for attackers to steal,” and hackers “will continue to find a market for reselling” such information. Ransomware attacks will be particularly troublesome, the company predicts, and could wreak havoc on many institutions.
Experian’s recommendation: “Healthcare organizations of all sizes and types” should provide security training to their employees and “ensure they have proper, up-to-date security measures in place, including contingency planning for how to respond” in the event of an attack.
Grimes agrees with that advice, and also points out that cybersecurity involves more than just data protection. “To the best of our knowledge, no patient has yet been hurt as a result of a cyber breach, but that doesn’t mean that it hasn’t happened—it could just be that we haven’t recognized” an injury or death was caused by an attack. “The writing is on the wall,” he adds. “If you’re smart, you don’t wait around for that day to come when we finally identify that somebody has been hurt.”
Instead, Grimes recommends, HTM professionals should take it upon themselves to be proactive. First, he suggests, “take a look at your inventory,” and identify those devices containing protected health information (PHI), as well as anything that is microprocessor-based. “People often forget that even if a device doesn’t have PHI in it, it can still be a cyber-related risk,” Grimes says. “Any compromise to data availability or data integrity could have an effect on patient care.”
Grimes also recommends using MDRAP, as well as asking manufacturers to supply MDS2 (Manufacturer Disclosure Statement for Medical Device Security) forms with their products so it’s clear what security features they have in place.
Whatever you do, Grimes says, “you have to start somewhere, even if it’s with the really simple stuff,” and there’s no point in getting “overwhelmed” by the threat of a cyber breach. “If you get bogged down in the complexities, you’ll never get the process off the ground.”
Ken Olbrish, MSBE, senior product manager at Arthrex California Technology in Santa Barbara, Calif., also thinks that device security is something that facilities just have to dive into. Cybersecurity, notes Olbrish, who worked in the hospital HTM space before he joined Arthrex, “has become an ever-growing challenge, and every day that you put it off just puts you another day further behind.”
Still, he says, companies like his are increasingly recognizing the vulnerabilities associated with their devices and are taking measures to improve security accordingly.
“I think the good thing is that for a number of reasons, whether they see it as a marketing opportunity, or they’re getting pressure from facilities, or they have a device that has been exposed” as having risks, “vendors are becoming more proactive” in this regard.
Olbrish, who is responsible for ensuring security protocols are met in Arthrex’s imaging products, says his company recognizes that “every single customer of ours is concerned about the issues associated with a possible data breach.” When he visits a facility that is interested in purchasing one of their products, “security is almost always part of that initial discussion,” he says. “And they don’t just want to know what we’re doing right now—they also want to know what our plan is going forward.”
As a vendor in the healthcare space, he adds, “I think we would be negligent if we just ignored our role in this issue and left it to our customers to address these challenges.” With that in mind, security is a “core part of every product” Arthrex designs, “and an ongoing effort every day.”
An Uncertain Future
So is it possible that one day in the future all medical devices will be 100% secure? According to John Zaleski, PhD, CAP, CPHIMS, executive vice president and chief analytics officer of middleware-developer Bernoulli, that’s highly unlikely.
“I think that if I were to say ‘yes,’ that we’d eventually find a way to make that happen, that would presume that we can imagine every type of attack imaginable, and I’m not sure that we can do that,” he says. “We will continue to improve security in meaningful ways, but nefarious individuals will continue to seek and find ways around the barriers. Therefore, the need for continuous vigilance is necessary.”
To illustrate the magnitude of the problem, Zaleski points out that patients are now “effectively turning their smartphones and tablets into medical devices” when they use them to connect to analog machines like glucometers or pulse oximeters. “Are we absolutely certain that there are no viruses or bugs that will hit these phones or hit these tablets” to expose the data that they’ve collected?
“Based upon what we’ve seen so far”—just go to Apple’s or Microsoft’s website to read the latest on the various attacks—“I think the answer to that is ‘no.’”
Like Grimes, Zaleski recommends HTM professionals ask medical device manufacturers how they’ve tackled security for their products, “and whether their roadmaps involve security improvements as they evolve over time.”
And he offers two simple rules of thumb: “If you have a wired medical device, make sure you establish a separate [virtual memory address] in a virtual [local area network] (LAN) for the hardware” on that device. “And for wireless devices, make sure you establish separate wireless LANs, and [virtual] LANs as well, which can only be accessed by the medical hardware.”
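The two pieces of practical advice in this article, Grimes' inventory review (flag every device holding PHI and every microprocessor-based device, PHI or not) and Zaleski's segmentation rule (wired medical devices on a dedicated VLAN, wireless ones on a dedicated SSID and VLAN reachable only by medical hardware), can be turned into a repeatable audit. The script below is an added example for this article, not code from MDRAP, MDISS, or any organization quoted here. The inventory, the VLAN numbers (110, 120, management VLAN 50), the SSID name, the ACL entries, and the risk-tier rule are all constructed assumptions for illustration; the device fields loosely mirror MDS2 questions but are this example's own names, not the form's identifiers.

```python
"""Medical device inventory triage and network-segmentation audit.

Added example for this article, not code from any organization or tool
named in it. It turns two rules of thumb from the text into checks:
  * Grimes: every device that holds PHI, and every microprocessor-based
    device even without PHI, goes on the cyber risk review list.
  * Zaleski: wired medical devices live on a dedicated VLAN; wireless ones
    on a dedicated SSID and VLAN that only medical hardware can reach.
The inventory, VLAN numbers, SSID and ACL below are constructed for the
example. Field names mirror MDS2 questions loosely; they are not the form's
own identifiers.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed network design: one medical VLAN per access type, one medical SSID.
MEDICAL_VLANS = {"wired": 110, "wireless": 120}
MEDICAL_SSID = "MED-DEVICES"
# Assumed: the only non-medical VLAN allowed into the medical VLANs is the
# HTM/IT management VLAN.
MANAGEMENT_VLAN = 50


@dataclass
class Device:
    asset_id: str
    model: str
    stores_phi: bool                  # MDS2-style: maintains or transmits PHI
    microprocessor: bool              # embedded processor / OS present
    connectivity: Optional[str]       # None, "wired" or "wireless"
    vlan: Optional[int] = None
    ssid: Optional[str] = None
    vendor_supported: bool = True     # vendor still ships security fixes


def needs_cyber_review(d: Device) -> bool:
    """Grimes' test: PHI or microprocessor-based, not PHI alone."""
    return d.stores_phi or d.microprocessor


def risk_tier(d: Device) -> str:
    """Coarse ordering of the review backlog (illustrative, not a standard).

    Networked + PHI is the worst case; an unsupported legacy device moves
    up one tier because no vendor patch will ever close its findings.
    """
    if not needs_cyber_review(d):
        return "none"
    tiers = ["low", "medium", "high"]
    level = int(d.stores_phi) + int(d.connectivity is not None)
    if not d.vendor_supported:
        level = min(level + 1, 2)
    return tiers[level]


def segmentation_findings(d: Device) -> List[str]:
    """Zaleski's rule, applied per device: dedicated VLAN, and SSID if wireless."""
    out: List[str] = []
    if d.connectivity is None:
        return out
    want = MEDICAL_VLANS[d.connectivity]
    if d.vlan != want:
        out.append(f"{d.asset_id}: {d.connectivity} device on VLAN {d.vlan}, "
                   f"expected medical VLAN {want}")
    if d.connectivity == "wireless" and d.ssid != MEDICAL_SSID:
        out.append(f"{d.asset_id}: on SSID {d.ssid!r}, expected {MEDICAL_SSID!r}")
    return out


def acl_findings(acl: List[tuple]) -> List[str]:
    """Flag allow rules that open a medical VLAN to anything but management.

    ACL entries are (src_vlan, dst_vlan, action); "any" means all VLANs.
    """
    medical = set(MEDICAL_VLANS.values())
    out: List[str] = []
    for src, dst, action in acl:
        if action != "allow":
            continue
        hits_medical = dst == "any" or dst in medical
        from_outside = src == "any" or (src not in medical and src != MANAGEMENT_VLAN)
        if hits_medical and from_outside:
            out.append(f"ACL: {src} -> {dst} allow exposes medical VLAN(s)")
    return out


# Constructed inventory: a few devices of the kinds the article mentions.
INVENTORY = [
    Device("A-001", "infusion pump", True, True, "wireless", 120, "MED-DEVICES"),
    Device("A-002", "patient monitor", True, True, "wired", 200),   # on the general user VLAN
    Device("A-003", "15-year-old imaging workstation", True, True, "wired", 110,
           vendor_supported=False),
    Device("A-004", "pulse oximeter (standalone)", False, True, None),
    Device("A-005", "manual BP cuff", False, False, None),
    Device("A-006", "glucometer dock", False, True, "wireless", 120, "GUEST-WIFI"),
]

# Constructed ACL: (src VLAN, dst VLAN, action).
ACL = [
    (50, 110, "allow"),
    (50, 120, "allow"),
    (200, 110, "allow"),    # user VLAN into medical VLAN: should be a finding
    ("any", "any", "deny"),
]


def audit(inventory=INVENTORY, acl=ACL) -> dict:
    """Return the review list (asset -> tier) and all segmentation findings."""
    review = {d.asset_id: risk_tier(d) for d in inventory if needs_cyber_review(d)}
    findings = [f for d in inventory for f in segmentation_findings(d)]
    findings += acl_findings(acl)
    return {"review": review, "findings": findings}


if __name__ == "__main__":
    result = audit()
    for asset, tier in sorted(result["review"].items(), key=lambda kv: kv[1]):
        print(f"{asset}: {tier}")
    print("\n".join(result["findings"]))
```

On the constructed inventory the manual BP cuff drops out of the review list, the standalone pulse oximeter stays on it as low tier because it is microprocessor-based, and the audit reports three findings: the patient monitor sitting on the general user VLAN, the glucometer dock joined to the guest SSID, and the ACL entry that lets the user VLAN into the medical VLAN. The MDS2 form a manufacturer supplies is where the `stores_phi`, `microprocessor` and `vendor_supported` answers would come from in practice.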
Olbrish, for his part, agrees with Zaleski that the nature of the beast that is medical device security means that the threat of a breach will always be real. “It’s a problem without a foreseeable solution,” he says. “At this point, the door has been opened, and it’s not something that is going to go away.”
HTM departments, Olbrish adds, can do their “absolute best today,” but they’ll still have “to go back in and do it all over again tomorrow—to implement new technologies, or new policies, or to conduct more detailed audits or assessments.”
He doesn’t want to sound pessimistic, but Olbrish says he foresees a future where there are “so many threats—and so many new threats all the time—that trying to manage them will become too difficult” for many organizations to handle. “Especially for smaller hospitals, it’s going to become very resource-intensive,” he says.
Back in Indianapolis, Benjamin Esslinger is diligently working to mitigate any risks, vulnerabilities, or threats to medical devices. For every device entering his organization, he and his colleagues assess vulnerabilities by looking at it “not only from our own perspective, but through the perspective of all the organizational groups involved in device procurement”—from IT/information systems (IS) to supply chain management.
In addition, he says, they are also assessing the medical devices that are already connected to their network, “to identify their risks and vulnerabilities, and then to remediate any identified risk at the highest level.” This often involves working with manufacturers to make any necessary device changes—and may require conversations with the C-suite about the associated costs, particularly when legacy devices are involved.
“The question is: What do we do with a device that is 15 years old and the manufacturer does not plan to change or support functions of the device any longer? The only real solution,” from a device-security standpoint, “is to replace it,” he says. But that costs money, Esslinger notes, which means doing so requires organizational support from a financial perspective.
Cybersecurity, Esslinger says, “is not a new concept—it’s been around for a long time.” But when it comes to the security of medical devices, the healthcare industry “just isn’t there yet.” There are so many challenges, he says, and “each device has its own issues and limitations when it comes to what you can do to make it secure.”
The bottom line, Esslinger says, is that cybersecurity is about mitigating risk, and that’s what organizations like his are trying to do. But such a process takes time and money, he acknowledges. Fortunately, he maintains, “Cybersecurity on medical devices will continue to emerge at a national level and will become a regular piece of HTM, IT/IS, and security professionals’ lives.”
Chris Hayhurst is a contributing writer for 24×7. For more information, contact chief editor Keri Forsythe-Stephens at [email protected].