Medical device safety and security: Understanding what’s at risk
Part 2 of a 3-part series
October 1, 2021
Today, medical devices are increasingly connected to the internet and to a hospital’s network. By 2023, more than 68% of medical devices are predicted to be connected,(1) increasing the pressure on health systems to protect the safety and security of these devices—and ultimately the safety and security of their patients. It only takes one vulnerable device to put all other devices at risk.
Having real-time visibility into the inventory of your clinical assets—medical devices, operating systems and software—is the first line of defense in medical device cybersecurity and the starting point for understanding your cyber risk posture. When you have a clear understanding of your organization’s potential threats—the ability to identify and respond to them before they occur—it puts your organization ahead of the curve. The 2020 HIMSS Cybersecurity Survey revealed that 70% of hospitals surveyed had experienced a “significant security incident” within the past twelve months resulting in business disruptions, security breaches and financial loss.(2)
Remediation time impacts cost and patient safety
Cyber-attacks on healthcare technology are on the rise, increasing the risk and costs associated with medical devices, the data they contain and the impact on patient safety. The potential for harm is alarming—whether intentional or accidental, cyber threats to medical devices not only expose or disrupt electronic protected health information (ePHI) but also harm patients through equipment malfunction, loss of availability, or both.
Health systems average 329 days from the time a cyber breach is identified to remediation, and one breach costs $7M on average. On average, it takes health systems 236 days to identify a cyber breach and 93 days to contain it. The financial impact of a cyberattack could be reduced by $1.2M if health systems simply reduced the time associated with breach identification and remediation by 36 days (236 to 200 days).(3) Remediation is costly to any organization because of the time it takes, equipment repairs and the time and labor needed to apply patches to affected devices.
Cyber expertise reduces remediation time and cost
Having the right cyber expertise to quickly identify and remediate medical device vulnerabilities is critical to minimizing the financial impact of a cybersecurity breach. For years, clinical engineering (CE) managed medical equipment and IT managed the hospital’s network, but the lines blurred once medical equipment started connecting to the network. The blending of CE and IT roles, combined with an increase in cyber-attacks on health systems, has led to a significant shortfall of almost 314,000 cybersecurity professionals in the U.S.(4)
In an effort to close the gap in healthcare cyber professionals, TRIMEDX developed the TRIMEDX CYBER Academy, a clinical engineering and cybersecurity training certification program for medical devices in the United States. CYBER specialists align with IT and Security teams to identify vulnerabilities and threats in your network and provide full remediation support for medical devices. They collaborate directly with medical device manufacturers to acquire critical OEM-validated patches and apply compensating controls to ensure protection of vulnerable assets.
Clients rely on the TRIMEDX CYBER Risk Score to assess risk posture at the connected device level and the recommended remediation priorities, including steps to address patient safety, consequence of failure, cyber vulnerabilities, FDA recalls and alerts. This critical information helps health systems prepare for and respond to potential cyber threats.
Closing the loop on medical device cybersecurity
Having a comprehensive medical device cybersecurity solution in place plays a significant role in your organization. TRIMEDX’s comprehensive cybersecurity solution combines cyber expertise, real-time monitoring, and remediation for medical devices. By integrating with an industry-leading IoMT security platform, the TRIMEDX solution delivers unmatched, real-time insight into device risks, threats and anomalies of connected medical devices. Real-time network visibility enables you to respond to and remediate cyber threats to ensure critical devices are safe and available for patient care.
Part 3 of this three-part series discusses the importance of leveraging medical device cybersecurity data and insights to inform capital asset planning decisions.
1. Medtech and the Internet of Medical Things: How Connected Medical Devices Are Transforming Healthcare, Deloitte, 2018.
2. 2020 HIMSS Cybersecurity Survey, Healthcare Information and Management Systems Society, 2020.
3. Cost of Data Breach Report, IBM Security, 2020.
4. Cyber-shortage Can Put Healthcare Organizations at Risk, Healthcare IT News, February 2020.