Cybersecurity initiatives and strategies are a top priority for healthcare systems. U.S. hospitals are facing a new wave of ransomware attacks as they also struggle to confront a nationwide surge in COVID-19 cases. With the growing reliance on smart, connected medical devices and equipment in hospitals, hackers are setting their sights on healthcare just as the pandemic has placed a significant strain on staff and revenue streams. These cyber threats can be internal, external, or device-based.
Hackers stepped up their efforts to attack healthcare systems in 2020 to go beyond phishing attacks and stealing information. Ransomware attacks, especially during the second half of the year, shut down IT systems and slowed operations at hospitals and healthcare facilities across the U.S.
As regulatory pressure continues to grow, and with exponential growth in cyber threats, effective management of cybersecurity strategies will require integrated expertise from Clinical Engineering, IT, Quality, Regulatory and Security.
To keep up with the times, healthcare systems need to modernize their Computerized Maintenance Management System (CMMS). A modern healthcare CMMS will integrate its database with IoT security and monitoring tools that legacy systems do not provide.
The Cost of Healthcare Cybersecurity
Annual global spend on cybersecurity is approaching $100 billion and global losses to businesses are nearing $1 trillion, according to “The Economics of Cybersecurity” in Biomedical Instrumentation & Technology: Cyber Vigilance: Keeping Healthcare Technology Safe and Secure in a Connected World.
Healthcare organizations face special security challenges because patient care and lives are often at stake. According to IBM’s 2020 Cost of a Data Breach Report, healthcare companies incur the highest average breach cost of any industry: $7.13 million per incident, a 10% increase over the 2019 study.
With the healthcare industry expected to spend $125 billion on cybersecurity from 2020 to 2025, according to Cybersecurity Ventures, dollars must be spent for maximum efficiency. The question is how to allocate those funds most effectively at a time when cybercriminals have placed a huge target on hospitals.
Recent Healthcare Cyber Threats
Recent cyberattacks in October 2020 on hospitals in California, New York and Oregon are believed to be part of the massive Ryuk ransomware attack, which comes just weeks after the same malware attack hit a U.S. system with 250 care sites. That attack forced computer systems offline and encrypted hospital services, causing ambulances and surgical patients to be redirected in the aftermath. During the earlier cyberattack, it was reported that one patient may have died in a German hospital due to the breaches.
Healthcare cyberattacks are only expected to get worse. U.S. government agencies recently warned hospitals to brace for an increased and imminent wave of ransomware cyberattacks that could compromise patient care and expose personal information, and urged providers to step up their defenses.
Common Cybersecurity Risks Hospitals Face
Today, almost all biomedical devices, hospital equipment and building control systems used in hospitals have embedded, network-connected technologies. Medical devices such as monitors, infusion pumps, ventilators, CT and MRI scanners all have critical patient information that could be accessed or tampered with. Single points of failure could open the door for hackers to take out significant portions of a hospital's medical network and compromise patient safety.
Hospital equipment and building control systems are also connected to the network, including regular and emergency power supplies, HVAC, lighting, water and sewer control, elevators, communications, access control, security systems and security cameras. Hackers may exploit equipment with older operating software as a pathway into the organization’s networks to steal sensitive patient information and research data. In a worst-case scenario, a mission-critical or life support system, such as power, HVAC or elevator controls, could be disrupted, interfering with care delivery and affecting patient safety.
Often, internal cyber threats can be bigger than external threats. According to Verizon’s 2018 Protected Health Information Data Breach Report (PHIDBR), over 55% of ALL security breaches in the medical industry come from the inside, with USBs ranking towards the top of the list for internal threats.
Even with these significant concerns, most Healthcare Technology Management (HTM) and Healthcare Facilities Management (HFM) departments are tasked to collect information about devices and are conducting remediation work without any additional resources. Typically, these departments do not have enough resources, or even the right resources, to handle data collection and remediation. Staff in place may have some IT knowledge, but it is not the right level of knowledge to fight cybersecurity risks.
How Are Regulators Clamping Down on Cybersecurity Threats?
The Food and Drug Administration (FDA) acknowledged medical device vulnerability when it issued an alert and drafted guidance recommending that medical device manufacturers and health care facilities take measures to protect against cybersecurity intrusions that could compromise device performance and patient safety. This could take the form of a direct attack or could be used to multiply the impact of more conventional types of terrorism that result in mass casualties.
HTM and HFM departments use their CMMS as the primary tool to document regulatory compliance. However, what the healthcare industry has discovered is that CMS, the Joint Commission, and other regulatory bodies change their standards often and legacy CMMS solutions are not able to keep up with the changes. When medical devices, equipment and facilities are not complying with maintenance schedules, patient safety and lives are put at risk.
Implementing an Effective Cybersecurity Strategy
Connected medical devices, equipment and building control systems are becoming a key part of healthcare infrastructure, with the average hospital room containing nearly 15-20 of them. Some of these devices are still running on obsolete operating systems, while others were manufactured with significant vulnerabilities, such as embedded passwords in the software code. The number of connected devices in a hospital can be more than twice the number of traditional networked devices, such as laptops and smartphones. The challenge in securing these devices is becoming increasingly clear to health systems.
As mentioned earlier, HFM and HTM departments often lack the resources to secure connected medical devices, equipment and building control systems. Previously, this type of work was performed by IT groups, and in most healthcare organizations, budgets have been slashed. Other important work gets missed or extended overtime is used to try to keep pace with the work. Clinical Engineering and Facilities departments are just now starting to collect the productivity data about the amount of time that is spent performing this work. This lack of resources has become a significant challenge in the healthcare industry.
Accruent’s Healthcare CMMS is partnered with discovery and monitoring tools that are not provided in a legacy CMMS solution. These tools monitor the network traffic and the information going to and from devices. If there is an activity that falls outside the normal traffic patterns, an alert is sent to the appropriate staff. This proactive approach ensures you are not just waiting for the next cyberattack to spread throughout your organization.
Accruent’s Medical Device Security Analyzer (MDSA) creates one trusted data source and uses automated workflows on a modern platform to improve cybersecurity risk mitigation and remediation, as well as create stronger collaboration, improved incident response and faster remediation at scale.
Implementing an effective cybersecurity program involves a two-pronged approach to the management and mitigation of cybersecurity risk.
- Identify significant risks or gaps and track the remediation or mitigation.
- Create or update standard operating procedures (SOPs) for technicians onboarding, maintaining and retiring equipment.
- Automate the calculation of cybersecurity risk per device considering attributes such as the type of information handled by the device, connectivity, leverage types, unique role-based user accounts, the capability to be updated, etc.
- Monitor the network traffic and the information going to and from devices.
- Send alerts to the appropriate staff if there is an activity that falls outside the normal traffic pattern.
- Give the ability to manage and understand utilization data to right-size equipment fleet.
How Does a Modern Healthcare CMMS Help with Medical Device Security?
Hospitals have hundreds of medical devices that are connected to the internet and vulnerable to attack, and properly identifying medical device and equipment security risks is critical to IT. A modern healthcare CMMS can quickly identify significant risks or gaps, and then automate and track the remediation or mitigation.
To mitigate cybersecurity risks, a modern CMMS will:
- Analyze and report against all medical devices, network data and software.
- Reconcile MDS2 data and other security attributes against inventory.
- Automate workflows unique to your organization when potential security risks or gaps are found.
- Integrate with network monitoring tools.
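As an added example (not Accruent's code and not the MDSA product), here is how the per-device risk calculation from the strategy list above and the MDS2-against-inventory reconciliation just listed could be scripted. The attribute names, the mapping of MDS2 answers onto them, the weights and the sample devices are all assumptions made for this illustration.

```python
from dataclasses import dataclass, asdict

@dataclass
class DeviceProfile:
    asset_id: str
    handles_phi: bool          # stores or transmits protected health information
    network_connected: bool    # reachable on the hospital network
    role_based_accounts: bool  # supports unique, role-based user accounts
    patchable: bool            # can receive vendor security updates
    hardcoded_password: bool   # embedded credential in the software/firmware
    os_supported: bool         # operating system still vendor-supported

# (risky value, weight) per attribute: assumed values, to be tuned per organization.
RISK_FACTORS = {
    "handles_phi": (True, 3), "network_connected": (True, 2),
    "role_based_accounts": (False, 2), "patchable": (False, 3),
    "hardcoded_password": (True, 4), "os_supported": (False, 3),
}
def risk_score(p: DeviceProfile) -> int:
    """Add the weight of every attribute that holds its risky value."""
    values = asdict(p)
    return sum(w for f, (risky, w) in RISK_FACTORS.items() if values[f] == risky)
def risk_tier(score: int) -> str:
    return "High" if score >= 10 else "Medium" if score >= 5 else "Low"

def reconcile(inventory: DeviceProfile, mds2: dict):
    """Compare the CMMS record with the manufacturer's MDS2 answers (same attribute
    names, an assumed mapping); disputed fields take the riskier value until resolved."""
    merged, disputed = asdict(inventory), []
    for field, (risky, _) in RISK_FACTORS.items():
        if field in mds2 and mds2[field] != merged[field]:
            disputed.append(field)
            merged[field] = risky
    return DeviceProfile(**merged), disputed

def triage(inventory: list, mds2_by_asset: dict) -> list:
    """Score each device on its reconciled profile; highest risk first."""
    rows = []
    for dev in inventory:
        profile, disputed = reconcile(dev, mds2_by_asset.get(dev.asset_id, {}))
        score = risk_score(profile)
        rows.append({"asset_id": dev.asset_id, "score": score,
                     "tier": risk_tier(score), "disputed": disputed})
    return sorted(rows, key=lambda r: r["score"], reverse=True)
# Constructed sample inventory and MDS2 answers (not real devices or vendor data).
SAMPLE_INVENTORY = [
    DeviceProfile("PUMP-001", True, True, False, False, True, False),
    DeviceProfile("WKS-042", True, True, True, True, False, True),
    DeviceProfile("SCALE-007", False, False, True, True, False, True),
]
SAMPLE_MDS2 = {"WKS-042": {"patchable": False, "handles_phi": True}}
```

In the constructed sample, the MDS2 answer for WKS-042 disputes the inventory's "patchable" flag, so that device is scored as unpatchable (8, Medium) until a technician resolves the discrepancy, while the pump with an embedded password and an unsupported OS scores 17 (High).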
How Does a Modern Healthcare CMMS Help with HFM Security?
Knowing what is going on within the Environment of Care (EoC) is critical to successfully maintaining safe and reliable spaces. Building automation, fire monitoring, emergency power, water management and air management all rely on technology resources and are critically important to ensure a safe, controlled and comfortable EoC. Your healthcare system can mitigate security risks by properly scheduling and maintaining environmental systems.
A modern Healthcare CMMS can automate compliance tasks by setting notifications, scheduling routine maintenance, tracking a repair history log and organizing important documents (e.g., equipment manuals, spec sheets, ID tags) for each of your assets. This not only saves healthcare facility managers time and can boost compliance rates; it will also make inspections and audits a breeze since everything is documented and easily accessible.
Since Healthcare Facilities Maintenance (HFM) departments must comply with hundreds of regulations—including those involving equipment, grounds, structures, staff and spaces—it is critical to have a CMMS/EAM that can identify, document, record and report on these items to maintain secure, safe and compliant operations.
Why You Should Implement a Modern Healthcare CMMS
Growing competition and slashed budgets require that hospitals work at maximum efficiency to mitigate cybersecurity risks and to stay competitive and compliant. Investing in a modern CMMS is the easiest way for healthcare organizations to streamline operational efficiency and increase profits while staying compliant with constantly changing policies, laws and regulations, and avoiding cybersecurity threats.
For clinical engineers who value precise data to track asset health and to automate services and equipment distribution requests, and IT departments who need detailed information and predictive analytics to ward off medical device cyberattacks, a suite of connected tools, sensors and databases in a modern healthcare CMMS can be as essential as traditional tools and test equipment.
What to Look for in the Best Modern Healthcare CMMS Solutions
The best healthcare CMMS software solutions are mobile-enabled and web-based, manage all aspects of asset management (medical devices, facility equipment and biomedical equipment), help implement cybersecurity strategies, and cover work order management, financials and expenses, preventive maintenance, compliance reporting, equipment distribution and more.
A modern healthcare CMMS software solution not only helps mitigate cybersecurity risks, it will also:
- Consolidate HFM, HTM, supply chain and IT onto one platform.
- Provide full asset lifecycle management, from pre-assessment and acquisition through support to final disposition, along with data insights.
- Automate workflows.
- Offer the ability to build flexible workflows with a configurable rules engine – without code or SQL.
- Automate preventive maintenance and alternative equipment maintenance.
- Provide predictive analytics to allow for AEM implementation.
- Ensure robust and updated capital planning data.
- Deliver big data for better analytics.
- Automate parts procurement process with industry-leading vendors.
- Connect systems and automate processes with out-of-the-box integrations with RTLS providers, parts vendors, product recalls and alerts, network monitoring tools, RRPs and Time and Attendance.
- Proactively secure medical devices and protect against cyber threats.
How Accruent Can Help
Healthcare organizations that leverage advanced CMMS and Asset Management technology can mitigate cybersecurity risks and break down operational silos. In addition, systems that employ these solutions lower associated costs and offer patients, visitors and staff a better experience and greater peace of mind.
Beyond technology, Accruent experts are available to evaluate your current processes and key performance indicators and to highlight step-by-step improvement recommendations to make your Healthcare Facilities and Biomedical Departments a Strategic Asset.
Contact us today to start a conversation about how Accruent can help you with your asset and facilities management needs.