Below, Eric Calleja, director of product management at TRIMEDX, sits down with 24×7 Magazine to discuss how the COVID-19 pandemic has impacted medical device cybersecurity—and why the time to act is now.

24×7 Magazine: With the recent cybersecurity attacks on healthcare systems, what is the best way to ensure your connected medical devices are secure?

Eric Calleja

Eric Calleja: Significant recent trends highlight the need for healthcare organizations to pay close attention to medical device security. It is estimated that by 2025, 68% of medical devices are expected to be connected. With recent financial pressure imposed on the industry, there is also a desire to extend the useful life of medical equipment for as long as possible. 

In addition, current projections indicate that the number of cybersecurity attacks grew by 273% in the first three months of 2020. Recent events have had serious consequences on patient safety—some even resulting in loss of life. There is little question that a comprehensive medical device cybersecurity program is essential. This should include:

  • The accurate, complete, and timely collection of device inventory
  • The ability to detect a variety of cybersecurity vulnerabilities and potential threats,
  • Alerting those who need to be informed and who can carry out the work in a prioritized manner to address known vulnerabilities
  • The ability to prioritize and carry out the remediation work and proving that the work yielded the desired outcome, namely a reduction in risk exposure

24×7: What financial and reputational consequences does a cyberattack pose for health systems?

Calleja: A cyberattack can have devastating consequences for health systems. Other than the immediate concrete financial implications such as potential fines and revenue loss from downtime, brand erosion, patient safety, provider satisfaction, and data confidentiality are other real impacts of an attack. Obviously, patient safety is the “costliest” implication, especially considering that it is diametrically opposed to the mission of healthcare organizations.

24×7: What implications has the COVID-19 pandemic had on medical device cybersecurity?

Calleja: It is extremely disappointing to see that the number of healthcare-related cybersecurity attacks exponentially increased with the onset of the pandemic. As stated earlier, the increase in cybersecurity attacks has grown dramatically since the onset of COVID. At TRIMEDX, specifically, we have seen an average increase from 19 to 80 threats per month. The mission of hackers is devoid of a concern for human life and safety. As such, the industry needs to arm itself with the best tools and services available to defend itself.

24×7: Why is visibility into your full medical device inventory so important?

Calleja: Reliable data serves as the foundation for any good cybersecurity program. The medical device inventory must be complete, accurate, and available in real-time so that it can be analyzed and used to draw the correct conclusions in terms of taking the right actions, at the right time, to mitigate risk. In addition to the device attributes, other sources must be consulted for, such as vulnerabilities, FDA recalls, alerts, and regulatory compliance. 

In summary, these include:

  • Monitor: Technology that automatically identifies assets, key device attributes, and network activity enables powerful and accurate visibility.
  • Detect: Examine the data to determine the extent of the risk exposure based on identified vulnerabilities, alerts, and recalls.
  • Respond: Understanding which actions should be taken and in what order of priority to remediate impacted devices and reduce the organization’s overall risk posture

24×7: What data is needed to identify at-risk medical devices? Once those devices are identified, how should health systems prioritize their response?

Calleja: Multiple attributes must be considered when assessing the risk level of a medical device. Often, the focus is in vulnerabilities, especially those with higher CVSS scores, but it is important to note that even if a device is deemed to not be impacted by a vulnerability, it may still have a high critical cybersecurity risk score.

Consider a device which has communicated with a network in another country or other suspicious behavior. Perhaps it transmitted ePHI information in the clear or has an operating system which is no longer supported by the manufacturer and, as such, can’t be patched should one be required to address a vulnerability at a later date. All of these and many other use cases must be identifiable. It should always be born in mind that medical devices are connected to networks and used by people.

In terms of prioritization, it is an accepted security practice that the welfare of human beings always comes first. The device’s potential impact on patient safety must be considered in the overall risk evaluation. Obviously, by nature, some devices will, if maliciously taken offline or allowed to dispense the wrong amount of medication, have much more serious consequences than other devices.

After patient safety, probably the next most important aspect to be prioritized is on devices where ePHI data confidentiality is potentially compromised. In their place may be data integrity, all depending on the purpose and make-up of the specific medical device category.

Attackers are aware that medical devices are a potential weak link. They can capitalize on any vulnerable device, make their way into a network, and gain access to other sensitive information, such as financial data. Though there are no guarantees, when faced with a lot of remediation activity, prioritizing the needed corrective actions in accordance with a sound prioritization policy will help ensure the mission of the health system is not compromised.

24×7: What considerations should health systems make before implementing a medical device cybersecurity program?

Calleja: There are three fundamental questions that can guide the selection or design of an effective medical device cybersecurity program:

  1. Do you know what your medical device cybersecurity exposure is?
  2. Do you have the expertise, or resources, to improve your security posture?
  3. Can you prove, through objective measurement, that your cybersecurity program is effective?

The last question is arguably the most important as it encapsulates the first two. In addition, given the multiple tools and services that are currently offered today, it is extremely helpful, perhaps even mandatory, that a well-orchestrated solution be selected which allows for a smooth and logical workflow throughout the process lifecycle.

If your program plan can successfully answer these questions, then you should be set up for success.

24×7: What is the biggest takeaway you want 24×7 Magazine readers to know about medical device cybersecurity post-COVID-19?

Calleja: Be proactive. We are seeing too many health systems suffering from attacks that have gotten in the way of providing optimal patient care during what was already a difficult time for them. A comprehensive and reliable cybersecurity program that can prove to be effective is not optional. It should be treated as a critical component of your organization’s overall strategy.

Click here to learn how TRIMEDX can help protect your medical devices from a cybersecurity attack.