February 12, 2020
As 2020 gets into full swing, cybersecurity around medical devices remains a prominent issue, and many individuals are getting stuck with where to begin.
Hospitals and health systems are seeing the dangers and vulnerabilities of their networks as seen with the all-too-familiar WannaCry ransomware attack, as well as the dangers of having outdated operating systems that are no longer supported by Original Equipment Manufacturers (OEM) partners. An example of the latter scenario is seen in Microsoft ending their support for the Windows 7 OS in January 2020, which means a lack of security patches going forward.
It’s no secret there are numerous medical devices in use across U.S. health systems that contain old PC and networking hardware, operating systems and application software. Given the fact that today most cybersecurity vulnerabilities are not required to be remediated by the FDA, OEMs are free to voluntarily choose to address these risks and vulnerabilities however they choose. Some proactively create solutions for their customers and roll them out to their affected products. Others take the opportunity to drive new sales of equipment and costly extended support contracts linking cyber upgrades to the service contract sale. And others stop support for the device or even choose not to address the risk altogether.
However, as we have seen more commonly in recent months, there is a growing threat to health system networks with vulnerability of connected medical devices. In January 2020, the U.S. Food and Drug Administration and U.S. Department of Homeland Security’s Industrial Control Systems/Cyber Emergency Response Team both issued warnings related to medical monitoring devices manufactured by GE Healthcare Systems.
This is not the first time the healthcare industry has seen consequences of vulnerable medical devices from an OEM. This new cyber threat is especially dangerous because of the direct affect it can have on patient safety. When a connected monitoring and administration device is not secure on a network, or has vulnerabilities from OEM design, the risks rapidly increase for patients. Risks such as false alarms on monitoring devices that could result in the clinical administration of unneeded medication, suppressed alarms that would prevent the clinical administration of needed medication, and tampered data on an administration device that could withhold or over-administer the automatic dispense of the connected device to the patient.
With these growing threats to patient data security, hospital network hijacking and connected medical device tampering, is your health system ready and equipped to keep your network and patients safe?
The landscape of responsibility within health systems is also changing as to who manages the OEM and manufacturers of these clinical assets. Given how these assets are becoming more network–connected for the sake of faster dispersion of patient records and data, the responsibility for these devices is largely being shared with health system IT departments. Here, it may not have traditionally been in their domain, or they may not be equipped nor trained to understand the nuances of these devices.
So, what can health systems do to be more prepared when it comes to what is within their direct control?
Scott Trevino, senior vice president of product management and solutions at TRIMEDX, offered his insight on how to protect the hospital network.
“The top risks I see in a hospital’s network ecosystem are ransomware, data breaches, employee negligence and bring your own device (BYOD) policies,” says Trevino. “Ransomware is ever evolving in its approach, but users of devices connected to a hospital network should be mindful of phishing scams and also be mindful before clicking on any links, ensuring they are from a trusted source.”
“Data breaches are widespread in the health sector, as we’ve seen in recent news, and to help mitigate these occurrences, hospital staff and IT should make sure their credentials are safe and secure. Any device connected to the network not in use should also be locked and stored away if necessary. Finally, BYOD is becoming more and more prevalent in a growing number of fields, but especially in healthcare, there must be security protocols in place to make sure that user–owned devices are still protected with the necessary encryption to keep the overall network protected.”
But what about the connected devices supplied by OEMs, how is responsibility and accountability handled in those cases for cybersecurity?
“OEMs/manufacturers of medical devices are responsible for vigilantly identifying all risks and hazards associated with their medical devices and this includes risks related to cybersecurity. OEMs/manufacturers are also responsible for putting appropriate mitigations in place to address patient safety risks and respond to address when new risks are discovered, including disclosure to affected customers in order to ensure safe and proper device performance for their equipment,” says Trevino. “A hospital is a complex ecosystem. When it comes to managing medical devices within this ecosystem, an increasingly important, and sometimes overlooked, investment is around securing those devices. One place to start is with a comprehensive Clinical Asset Management strategy for their medical devices. This strategy should be inclusive of cybersecurity for those devices that incorporates technologies like Medical Device Security Platforms (MDSP), active monitoring and risk profiling.”
Now more than ever, the supply chain, regulatory & compliance and IT departments within health systems need to work together to tackle the growing cybersecurity threat. TRIMEDX is positioned to help health systems stay compliant with patches to connected devices and work alongside IT departments to provide insight and consultation to keeping their connected devices secure.
For more information on what TRIMEDX is doing on the device safety and security front, click here.
If you would like to speak to a representative about how TRIMEDX can help support your cybersecurity efforts, click here to contact us today.