Medical Device Security: Don’t Wait for the Next Cyberattack
Despite the time and attention placed on cybersecurity in the last few years, many healthcare organizations have not done anything about medical device security. If nothing bad is happening at the moment, then there are other priorities. At the time, the WannaCry attack got attention by affecting more than 300,000 systems across 150 countries.1
MDISS (Medical Device Innovation, Safety & Security Consortium) considers cybersecurity risks a major public health concern, especially since it is estimated that patients in the U.S. healthcare system will be exposed to over 500 billion interactions with connected medical devices in the next 10 years.2 The cost of cybersecurity is also a concern. Annual global spend on cybersecurity is approaching $100 billion and global losses to businesses are nearing $1 trillion.3
October is National Cybersecurity Awareness Month, an annual initiative to raise awareness about the importance of cybersecurity. Ensuring safety and security requires more than awareness; it requires action. Healthcare is “the second-largest industry in the U.S. and one in which hacker meddling of operations not only costs lots of time, money and operational downtime, but threatens lives. The healthcare industry itself is partly responsible. In a seemingly admirable quest to maximize the quality of patient care, tunnel vision gives short shrift to other priorities, specifically cybersecurity.”4
Even with these significant concerns, Healthcare Technology Management (HTM) departments are tasked with collecting information about devices and are conducting remediation work without any additional resources. Typically, HTM departments do not have enough resources or even the right resources to handle data collection and remediation. The staff in place may have some IT knowledge, but it is not the right level of knowledge to fight cybersecurity risks.
Previously, this type of work was performed by the IT group, and, as in most healthcare organizations, budgets are cut to the bone. Metaphorically, you can dump additional bricks on the load, but backs will start to break. Other important work does not get done, or a lot of overtime is used to try to keep pace with the work. In fact, HTM groups are just starting to collect productivity data about the amount of time that is spent performing this work. This lack of resources has become a significant challenge in the healthcare industry.
In the past six months, new jobs have been created specifically to tackle the cybersecurity issue. Healthcare organizations that have already collected productivity data are also the organizations that are gaining approval for these additional jobs.
Most organizations use device information from manufacturers and CMMS vendors to build fields for collecting this data. That is a great first step, but what comes next?
There are steps you need to take to protect your medical devices from a cyberattack: identify your risks, develop your plan and automate your processes. All these steps are made easier with Accruent’s HTM solution.
Our solution includes MDS2 (Manufacturer Disclosure Statement for Medical Device Security) forms for each manufacturer’s device that outline the software used, potential vulnerabilities, etc., so you know what you might need to do in the case of a cyberattack. In fact, if you have collected the device information, you can generate a report that lists all the devices that are targeted by a specific cybersecurity attack. That is only a first step.
Accruent is partnering with providers of discovery and monitoring tools. These tools monitor the network traffic and the information going to and from devices. If there is activity that falls outside the normal traffic patterns, an alert is sent to the appropriate staff. This proactive approach ensures you are not just waiting for the next cyberattack to spread throughout your organization.
1. M. Busdicker, P. Upendra (2017). The Role of Healthcare Technology Management in Facilitating Medical Device Cybersecurity. Biomedical Instrumentation & Technology, Sep 2017 (Cyber Vigilance: Keeping Healthcare Technology Safe and Secure in a Connected World), Vol. 51, No. s6, pp. 19-25.
2. Medical Device Cybersecurity: A Guide for HTM Professionals, 2018, edited by Stephen L. Grimes, FACCE, FAIMBE, FHIMSS and Axel Wirth, CPHIMS, CISSP, HCISPP.
3. Axel Wirth (2017). The Economics of Cybersecurity. Biomedical Instrumentation & Technology: Cyber Vigilance: Keeping Healthcare Technology Safe and Secure in a Connected World, Vol. 51, No. s6, pp. 52-59.
4. Ackerman, Bob. “The Healthcare Industry is in a World of Cybersecurity Hurt.” TechCrunch, 9 August 2018.