For decades, healthcare medical devices functioned as freestanding tools. Glucometers, lasers, infusion pumps, pressure monitors, neonatal incubators, heart monitors – each serving its unique function independently of the others. With the widespread implementation of electronic health records (EHRs), however, and the push for increased digitization of health information, these devices have increasingly been networked into the patient information ecosystem. They now transmit PHI between a myriad of systems including the EHR system, bed management, supply chain management, and billing systems.
The variety and use of these devices have proliferated. The HIMSS Medical Device Security Workgroup reports that hospitals and similar healthcare delivery organizations typically have “300% to 400% more medical equipment than IT devices.” In a study of US hospitals cited in Wired Magazine (3/02/17), ZingBox reported an average of 10-15 connected devices per bed. That translates into approximately 4500 connected medical devices for the average 300-bed community hospital – and up to 75,000 devices for a large metro medical center with 5,000 beds!
Are devices vulnerable to hacking?
To date, the number of medical device breaches and the number of patient records exposed by those breaches has been seemingly negligible when compared to the large-scale data losses due to hacks of healthcare organizations’ primary IT systems or losses of unencrypted mobile devices. But there have been hacks, and there are several reasons to expect medical devices to be increasingly exploited:
- As more medical device developers rely on off-the-shelf operating systems to speed development and/or facilitate integration with other systems, the devices inherit the vulnerabilities of that underlying code, widening their attack surface.
- The increased networking of devices makes them a more attractive target for hackers because they provide additional points of entry to other systems.
- A Trend Micro study found a large number of devices to be discoverable on Shodan, a search engine for Internet-connected devices.
In fact, a study by Ponemon Institute found that 67% of medical device makers expect an attack on their devices in the next 12 months!
Didn’t the FDA pass regulations to fix this?
Yes – and no, depending on who you ask. The FDA is quoted in many news articles saying that medical device manufacturers are responsible for complying with “quality system regulations” (QSRs), which include requirements for addressing cybersecurity risks, but both law firms and industry executives say the compliance environment remains murky:
- Some devices have been downgraded from “Class III” – high risk and mandatory compliance – to “Class I” – low risk and “unregulated,” though they still could pose a cybersecurity risk.
- Once a device is in use, it’s not clear whether the device manufacturer or the healthcare delivery organization is responsible for continued patching as cyber threats evolve.
- The FDA doesn’t actually test medical devices for their compliance with the QSRs.
- Reporting of device malfunctions, including cybersecurity breaches, to the FDA is voluntary.
Know-how and budget are also factors.
Because cybersecurity of devices is still a relatively new concern in the medical device and healthcare delivery industries, lack of knowledge regarding both the threat and the appropriate risk management responses remains a problem. The ZingBox study also found that 70% of healthcare IT decision-makers believe that the same security solutions used for laptops and servers are sufficient for all their connected medical devices, a misconception that the report goes on to explain.
Despite two-thirds of medical device manufacturers anticipating an attack on their devices, only 15% of study respondents anticipate taking measures to mitigate the risk! Senior executives in the field say it usually comes down to budget and production deadlines. Because cybersecurity protections don’t improve device performance in terms of clinical care, they are often viewed purely as a cost. Similarly, when cybersecurity flaws are discovered too far into the development process, decision makers often determine that the rework required to build in the protections is too costly. So devices go to market with known cybersecurity flaws.
So what to do?
As a healthcare delivery organization, you are the gatekeeper between the medical device vendors and patients. Regardless of who is technically at fault for a medical device breach, if a breach were to occur, it would be your patients’ information lost and your reputation damaged! Thus it is up to you and your organization to set the standard for medical devices coming into your organization and to include medical devices in your annual security risk assessment.
Start by requesting information from your device vendors about each of the device types on your network using the Manufacturer Disclosure Statement for Medical Device Security (MDS2), which was collaboratively developed by the National Electrical Manufacturers Association (NEMA) and the Healthcare Information and Management Systems Society (HIMSS).
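As an added illustration (not code from the original post or from NEMA/HIMSS), the script below shows one way to fold vendor MDS2 responses into the annual risk assessment: it triages a constructed inventory of device types by the gaps the article calls out (networked, off-the-shelf OS, no vendor patch commitment, no disclosure received) and weights each type by the number of units deployed. The answer keys and weights are assumptions, loosely modelled on MDS2 topics, not the official form fields.

```python
"""Triage networked medical device types for a security risk assessment.
Constructed example; answer keys and weights are assumptions, not MDS2 fields."""
from dataclasses import dataclass, field

@dataclass
class DeviceType:
    name: str
    count: int               # units deployed across the organisation
    networked: bool          # isolated devices are out of scope for this triage
    off_the_shelf_os: bool   # commodity OS (embedded Windows/Linux) vs. bespoke firmware
    mds2_received: bool      # vendor returned a completed MDS2 form
    answers: dict = field(default_factory=dict)  # assumed keys, see findings()

# Weights for the gaps discussed in the article; tune for your organisation.
WEIGHTS = {"no_mds2": 3, "no_patches": 3, "cots_os": 2, "phi": 2, "no_av": 1, "no_audit": 1}

def findings(d: DeviceType) -> list:
    """List the gaps for one device type; a non-networked device has none here."""
    if not d.networked:
        return []
    a = d.answers
    gaps = []
    if not d.mds2_received:
        gaps.append("no_mds2")
    if d.off_the_shelf_os:
        gaps.append("cots_os")
    # Unanswered questions count as the unfavourable case until the vendor confirms.
    if not a.get("vendor_patches", False):
        gaps.append("no_patches")
    if not a.get("malware_protection", False):
        gaps.append("no_av")
    if not a.get("audit_logs", False):
        gaps.append("no_audit")
    if a.get("phi_stored", True):
        gaps.append("phi")
    return gaps

def score(d: DeviceType) -> int:
    return sum(WEIGHTS[g] for g in findings(d))

def triage(devices: list) -> list:
    """Rank device types by exposure = score x units deployed, highest first."""
    rows = [(d.name, score(d), score(d) * d.count, findings(d)) for d in devices]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed inventory for a mid-sized hospital.
INVENTORY = [
    DeviceType("Infusion pump", 900, True, True, False),
    DeviceType("Patient monitor", 600, True, True, True,
               {"vendor_patches": True, "malware_protection": True, "audit_logs": True}),
    DeviceType("Glucometer", 1200, False, False, False),
    DeviceType("Neonatal incubator", 30, True, False, True,
               {"vendor_patches": False, "audit_logs": True, "phi_stored": False}),
]
```

Running `triage(INVENTORY)` puts the undocumented, commodity-OS infusion pumps first, which is where the MDS2 follow-up and patching-responsibility conversation with the vendor should start.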
Finally, if you have questions about assessing the risk of an Internet-connected device or need help completing a comprehensive Security Risk Assessment, contact us at info@ThirdRock.com or 512.310.0020.