Derek Hills, manager, CYBER product management
Cybersecurity threats in health care have become a highly publicized issue. The number of cyberattacks, new types of breaches, and emerging criminal groups are constantly grabbing the attention of the public, the media, and healthcare professionals. There is a good reason for this high profile, as these attacks can inflict massive financial losses and potential harm to patients.
Medical devices have played a major role in the growth of cybersecurity risk in health care. Advances in technology, including network connectivity, create opportunities to improve patient care, but many innovations also create new opportunities for attackers to exploit and breach organizations. The FBI has called attention to software vulnerabilities in devices across clinical specialties and care environments. At the same time, the size of health systems’ device inventories continues to grow. Together, these two trends greatly amplify the cybersecurity risk that medical devices represent.
The gold standard for addressing software vulnerabilities continues to be patches specifically developed to remediate the potential problem. However, the growth of vulnerabilities, device inventories, and cyberattacks, combined with broader trends in the healthcare industry, has created a pressing need for new approaches.
Systemic gaps in addressing vulnerabilities
While efforts are increasing to combat cyberattacks, technology and regulatory guidelines have struggled to keep pace with the challenges facing health systems. Congress has introduced a bill titled the Protecting and Transforming Cyber Health Care (PATCH) Act that would increase cybersecurity requirements for introducing new medical devices to the market. As of 2022, the bill has yet to be ratified by either chamber, let alone signed into law.
When vulnerabilities are discovered for existing devices, software patches are typically considered the gold standard for reducing risk. The FDA requires manufacturers to follow a tiered process when addressing vulnerabilities according to the severity of the potential impact. The most critical vulnerabilities, defined by the FDA as uncontrolled risks, require notifications to be sent to customers within 30 days and a patch to be available within 60 days.
However, patching is not always promptly available in all situations. Data from medical device inventories managed with TRIMEDX’s CYBER solution reveals that 68% of tracked vulnerabilities do not have a validated software patch. The gap between medical device software vulnerabilities and available patches has several contributing factors. The sheer volume of vulnerabilities, especially those that do not meet the FDA criteria for uncontrolled risks, demands that manufacturers prioritize patch development.
The age of medical devices is yet another contributor to why vulnerabilities persist. Beyond cybersecurity, health systems are facing mounting financial pressures. Rising costs combined with shrinking reimbursements have led many organizations to defer capital expenses, including replacing medical equipment. Consequently, more devices than ever are being kept past their end-of-service dates set by manufacturers. In these cases, the original vendor will no longer offer a variety of support functions for a device, including software patching.
Other devices may be supported by their manufacturers, yet technology requirements can still present hurdles. Devices that run on outdated operating systems will often require additional software upgrades before a patch can be applied. While these software upgrades are not typically quite as prohibitive as replacing a device, they can still present a logistical challenge to cash-strapped health systems and the care pathways that depend on devices every day.
How can health systems take more control over their medical equipment vulnerabilities?
Cyberattacks threaten health systems on virtually a daily basis. While manufacturers, industry groups, and government entities are seeking solutions, the magnitude of the threat requires health systems to take an increasingly active role. The clear and present danger to hospitals and their patients sends a clear mandate to adopt new strategies for managing these risks.
1. Identify and understand risk
Health systems must proactively seek to understand the software vulnerabilities in their medical device inventories to minimize the potential for harm. That understanding requires identifying vulnerabilities and finding ways to assess the potential impact of attackers exploiting a particular medical equipment vulnerability. Health systems must seek to answer questions like:
- How many of our devices could be potentially impacted by this vulnerability?
- Does a device store electronic protected health information (ePHI) that attackers could access in the event of a breach?
- What is the role of potentially impacted devices in patient care, and would a device failure threaten patient safety?
- Are there known cases of attackers exploiting this medical equipment vulnerability? If so, how did the attack impact the organization and patients?
- Is any information available from the manufacturer or the FDA on forthcoming remediations for the vulnerability?
Just as manufacturers need to address critical vulnerabilities with high urgency, health systems should also seek to prioritize the potential risks in their inventories. Consistent standards and strong documentation will increase confidence in decisions taken to mitigate risk.
2. Assess cybersecurity maturity
Before acting to remediate vulnerabilities, health systems should know their organizations’ strengths and areas for improvement within their cybersecurity strategy. That includes fundamental aspects, such as whether networks used within the organizations are password protected and encrypted.
Additional aspects of technology infrastructure that are important to understand include capabilities to segment networks or isolate specific devices in the event of a potential breach.
While medical devices are increasingly integrated into the IoT, thanks to network connectivity, they still feature many unique technical aspects and clinical uses. These distinctive technologies require a combination of biomedical and IT knowledge to manage effectively. Leaders should examine the quality of communication and collaboration between IT/cybersecurity teams and the clinical engineering technicians who regularly maintain medical device inventories.
3. Adopt creative solutions
Understanding the risk posture and the capabilities to manage IT infrastructures within a health system can unlock new strategies to remediate vulnerabilities. These compensating controls can mitigate risk where manufacturer-validated software patches are not available or feasible. At the same time, they create opportunities to protect capital investments and realize more value from devices despite software vulnerabilities.
One surprisingly simple example of a compensating control would be the case of a network-connected device that stores ePHI. Some vulnerabilities may make a health system decide that the device is no longer safe to use while connected to a network. Yet with a strong understanding of risk, the health system may be able to find a clinical environment within their organization where the device could still provide value, just no longer connected to a network. Health systems could potentially consider this approach for any device where network connectivity is a determining factor in the risk posed by a vulnerability.
Suppose a medical equipment vulnerability is found not to pose a critical risk to patients. In that case, an organization may consider keeping a medical device in use but set up controls to isolate the device from the rest of the network quickly. This measure could prevent attackers from accessing other network-connected technologies if a breach does occur. However, compensating controls like these emphasize the need for high confidence in risk assessment.
•••
Every health system has unique experiences dealing with cybersecurity vulnerabilities. With a strong understanding of risk, organizations can deploy informed compensating controls tailored to their specific needs. While compensating controls do not replace software patching, they can expand options for health systems looking to both prioritize security and make sound financial decisions. Cybersecurity challenges in health care are far from one-size-fits-all. The solutions should be, too.