By Melanie Hamilton-Basich
The impact of failing to safeguard medical devices and system-wide networks before a hacker unleashes an attack on a healthcare facility cannot be overstated. A security breach that leads to stolen patient records is bad. But a ransomware attack that suspends the use of a healthcare facility’s systems, including essential equipment and electronic records containing vital information, immediately puts patients’ lives at risk. Once that’s happened, you’re limited in what you can do, essentially at the mercy of the cybercriminals who launched the attack.
“The greatest cybersecurity risk today is unavailability, because a medical device unavailable to deliver patient care is not safe and effective,” says Kevin Fu, acting director, medical device cybersecurity, at the U.S. FDA’s Center for Devices and Radiological Health. Which is why the “FDA views cybersecurity as a key part of medical device safety,” says Fu. “A medical device is not safe if cybersecurity risks remain uncontrolled with clinical implications.”
Consequently, healthcare technology management (HTM) professionals must do everything in their power to keep the equipment they maintain as secure as possible. Below, experts share tangible ways to accomplish this.
Define Your Role
While it certainly wasn’t always the case, cybersecurity is increasingly coming under the purview of HTM. Any weakness is a tacit invitation for an attack and healthcare, in general, and medical equipment, in particular, are becoming popular targets.
“Perimeter-based security thinking died in the 1990s,” says Fu. “Today, comprehensive cybersecurity designs and implementations are necessary to ensure that a cybersecurity incident causes no more than a degradation of service, rather than an ungraceful facility-wide outage of timely patient care.”
Some hackers launch ransomware attacks that happen to strike healthcare systems because of their cyber vulnerabilities. Other criminals are specifically in search of patient data so they can sell it, and they’re using vulnerable medical devices as an entry point. Yet despite more and more high-profile ransomware attacks affecting healthcare providers, “hospitals and health systems remain at risk because of undefined roles and lack of preparation,” cautions Doug Folsom, president of cybersecurity and chief technology officer at Indianapolis-based TRIMEDX.
“Who has responsibility for medical device security can be a murky area,” Folsom explains. “For years, clinical engineering (CE) managed medical equipment and IT managed the hospital’s network. But the lines blurred once we connected medical equipment to the network.”
Because of these changes being relatively new, as well as the rapidly evolving nature of technology, there can be a tendency for different departments to argue over turf and about who knows best regarding medical device and equipment cybersecurity. But to keep a healthcare facility as secure as possible, it’s essential to work together, not against each other.
“I strongly recommend that HTM professionals take the lead to create a good working environment with the IT team,” says Scott Nudelman, chief security officer/vice president at Alachua, Fla.-based The InterMed Group. “Reach out to your IT team and understand their plan and where HTM fits in it. Put a plan together of responsibilities and take ownership of the medical devices. Having a clearly defined accountability map for your devices limits the chances of something slipping through the cracks.”
This is a great starting point for developing or improving a strategic cybersecurity plan, his colleagues maintain. For instance, Axel Wirth, CPHIMS, CISSP, HCISPP, AAMIF, FHIMSS, a medical device cybersecurity expert and chief security strategist at San Diego-based MedCrypt, advises extending this philosophy of working together and assigning definitive roles beyond the walls of a healthcare facility or system to truly create an effective approach to cyber defense for vital equipment.
“Medical device cybersecurity is very multidisciplinary,” Wirth says, “and one role can’t solve this alone. It requires cooperation between HTM and IT, but also, more so than traditional cybersecurity, relationships with vendors, security experts, peers in other organizations, and the larger industry.” After all, he says, “The bad guys are ganging up on us, so we need to gang up as well.”
Getting to Work
Once a strong, defined relationship exists, HTM and IT departments can get down to work. “The first step is to know what you have,” says Nudelman. “Make sure that your CMMS has all the data fields required by the CE and IT and security teams (IP, MAC, OS, Patch Levels…).” Along those same lines, he believes it’s important to mitigate known risks first. This provides a better understanding of the current state of the overall “cyber hygiene” of a facility and its devices, and it can help determine if outside help is needed.
At the outset, Wirth recommends also focusing on covering the security fundamentals that, if ignored, make it too easy for an attacker to exploit a weakness. “Protect high-privilege accounts, remediate known high-risk vulnerabilities, and security-manage your supply chain,” he says.
For his part, the FDA’s Kevin Fu prescribes a different approach depending on the facility’s evolutional stage of cybersecurity preparedness, which ranges from a reactive to a proactive posture. “For nascent cybersecurity programs, I recommend beginning with awareness of cybersecurity resources and requirements and applying medical device software security updates in a timely manner as part of basic hygiene,” he says.
“For mature cybersecurity programs, I recommend while continuing tabletop exercises, also staying up to date and participating in public-private partnership efforts aimed at developing consensus standards for medical device security and healthcare cybersecurity best-practice guidelines,” Fu adds.
Regardless of a facility’s cybersecurity maturity level, ongoing risk identification and mitigation is essential, experts say, and there are many solutions to choose from. “Your network needs to be monitored for threats and vulnerabilities, using a passive visualization software,” advises Nudelman. Fortunately, he says, software products that cater to the Internet of Medical Things and standalone medical devices exist.
Seek Tailored Solutions
Put simply, one size does not fit all, the experts interviewed here say. MedCrypt’s Wirth, for instance, warns that traditional security approaches used in IT are often “inadequate” for medical devices. That’s why healthcare facilities should rely on cybersecurity practices and products that are tailored to the medical device space, he says.
Just look at InterMed, the company’s Nudelman says. InterMed has found that a key piece to the cybersecurity puzzle is involving HTM teams in the security process. “Our offering bridges the gap between IT and traditional HTM solutions,” Nudelman says. “We are expanding beyond the standard physical maintenance, corrective repairs, and preventative maintenance, focusing on the current and future state of our clients’ logical maintenance, which allows us to proactively protect medical devices beyond the abilities of standard visibility software alone.”
TRIMEDX also has a hand in the game, the company’s Folsom maintains. Specifically, the company’s cybersecurity ecosystem delivers inventory tracking of connected medical devices for real-time monitoring, management, and remediation of threats and vulnerabilities. And the proprietary TRIMEDX CYBER Risk Score helps decision-makers address patient safety as well as medical device failure consequences, cyber vulnerabilities, FDA alerts, and equipment recalls, Folsom says.
Wirth says MedCrypt’s technologies will contribute to strengthen a hospital’s cybersecurity posture. For instance, each MedCrypt product addresses a specific set of security fundamentals, enabling medical device manufacturers to protect critical information at rest and in transit, monitor devices for security events, and identify and manage device vulnerabilities. In other words, “we help manufacturers design and maintain more secure products.”
Embrace Lifelong Learning
To prevent cyberattacks from wreaking havoc on a facility’s systems, “Encourage and support members of your organization to learn more about medical device security,” urges Nudelman. “There are some incredible resources out there for all knowledge levels—and if you want to take it a step further, explore your options for HCISPP cybersecurity certification.”
Wirth echoes this advice, warning that new threats emerge quickly, so “we need to do our best to stay ahead and stay nimble.” To achieve this, he encourages HTM professionals to embrace education.
This fall, biomeds will have the opportunity to do just that, thanks to the upcoming “Medical Device Cybersecurity 101 for HTM Professionals” online training course provided by the Association for the Advancement of Medical Instrumentation (AAMI). Held from September 21-23, the course will cover the skills necessary to effectively plan for, implement, and manage a medical device security program for an organization’s needs. Attendees who take and pass the accompanying “Cybersecurity 101” exam will receive a certificate of success. All course attendees will also receive proof of course completion.
Another valuable resource? AAMI’s book, co-authored by Wirth, titled Medical Device Cybersecurity: A Guide for HTM Professionals.
Keep Abreast of Threats
While ransomware gets most of the headlines these days, there are many more seemingly mundane cybersecurity threats to keep in mind. For example, many newer cyberattacks involve “moving up the supply chain,” Wirth warns. “Instead of directly attacking an organization, they compromise a trusted supplier or a software tool and leapfrog from there.” To combat such effective, damaging attacks, he says the best tactic is to implement security as early as possible in the lifecycle of a device or system.
Another type of risk that may fly under the radar is a system or device that needs to be patched to remove a vulnerability. Just recently, the U.S. Department of Health and Human Services warned healthcare facilities that the picture archiving and communication systems, or PACS, they use to share patient data and medical images are vulnerable to hackers. The agency is advising facilities to “patch their systems immediately.”
It’s also important to keep clinicians and other staff members in the loop. Specifically, you can help educate them about the importance of following protocols to keep everyone safe.
“The biggest issue that continues to grow is that medical devices are becoming a bigger target regardless of hospital size or location,” says Nudelman. “Most devices are not up to date with patches, ports are left open, and users forget to log out, leaving devices susceptible to threats. End users often have access to the internet from workstations, creating unnecessary risk for the entire enterprise systems. All it takes is opening the wrong email and you can become the next victim of ransomware.”
Such vigilance is also very important when purchasing new equipment. Updated cybersecurity requirements should always be incorporated into the replacement planning and purchasing processes to prevent any devices with vulnerabilities from entering the facility and exposing systems to undue risks.
And don’t forget about the very real threats of legacy equipment that was never built with cybersecurity in mind. Keep evaluating the security of all the components of a facility’s Internet of Medical Things. After all, one weak link can take down an entire healthcare system’s network—a fact highlighted by the numerous cyberattacks that have taken place lately.
Consider Device Design
While knowledge is powerful, manufacturers need to step up, says the FDA’s Kevin Fu, because there is only so much that HTM professionals and IT can do to make medical devices secure if they haven’t been created with security protocols already in place.
This is especially true in the case of home care, where many more variables come into play. Unlike in a clinical environment, it’s very difficult to control what threats medical devices used in a patient’s home may encounter. For instance, such a set-up relies heavily on the cloud, which requires the use of a patient’s internet broadband provider.
“It’s key to design devices to remain secure despite insecure networks, a topic that has been well known for almost 50 years of security engineering,” Fu says. These issues, of course, apply to anywhere medical devices will be used as part of a connected ecosystem, which currently means pretty much everywhere.
“It’s important for manufacturers to create threat models that are innovative enough to predict unknown risks,” Fu says, adding that he knows it can be done, because he has done it himself during his career. “In the meantime, HTM professionals have the challenge of maintaining legacy devices that pre-date FDA premarket expectations for cybersecurity.”
Fu is not alone in his sentiments. His colleagues in cybersecurity all cite the critical role HTM professionals play in securing a hospital’s devices—a responsibility that necessitates attending cybersecurity programs, undergoing specialized training, and spreading awareness. “But in the end, we need to realize that there is no silver bullet,” says Axel Wirth. “This will be hard work, and there will be more pain before we see improvement.”
Melanie Hamilton-Basich is an editor at 24×7 Magazine’s parent company, MEDQOR. Questions and comments can be directed to [email protected].