by David Nickelson, Sapient Health

MAY 15, 2017

Originally reported in Harvard Business Review


Unfortunately, attacking hospital IT systems is just the tip of the iceberg when it comes to cyber vulnerabilities in the health care sector. Hacks of implanted or wearable medical devices are an even more sobering threat.

Researchers in Belgium and the UK have demonstrated that it’s possible to transmit life-threatening (if not fatal) signals to implanted medical devices such as pacemakers, defibrillators, and insulin pumps. A catheter lab in a Virginia facility was temporarily closed when malware was discovered on the computers supporting cardiac surgery. In three other similar cases, malware capable of opening up “backdoor” access to a hospital’s IT network was found in software residing on X-ray, blood gas analyzer, and communications devices. More recently, researchers investigating cybersecurity of medical devices provided the Center for Devices and Radiological Health at the Food and Drug Administration (FDA) with a list of specific medical device vulnerabilities identified through their ongoing work, and just last year two commercial vendors revealed vulnerabilities in insulin pumps and a nursing inventory supply system that could compromise care and provide covert network access.

Such devices are becoming more and more common in health care. Spurred by an aging population, increases in chronic disease, and technological breakthroughs, the electronic medical device market is poised to reach an estimated $398 billion in 2017. But while the market expands at an expected rate of 3% per year until at least 2022, hospital IT organizations remain slow to address longstanding cybersecurity challenges that raise both privacy concerns and potentially fatal patient-safety concerns. Surveys of health IT leaders reveal that much of their cybersecurity budgets will remain focused on securing enterprise networks through infrastructure, datacenter, and cloud security, while emerging government and industry regulatory frameworks provide only guidance without meaningful penalties, making it easy for health system IT leaders to deprioritize the risks presented by medical devices. Moreover, a major challenge is the continued presence in the field of devices manufactured before 2014, when the FDA's premarket cybersecurity guidance was issued. (For example, in 2013 the average age of an MRI scanner in the U.S. was 11.4 years.)

There are, however, some basic steps that hospital CIOs can take to reduce their risk and protect patients, devices, networks, and data:

Assess device cybersecurity during procurement. Weigh these risks on par with clinical efficacy. Talk openly with vendors about concerns and expectations for how vulnerabilities will be handled if they are identified in the future. In 2014 the International Organization for Standardization published guidelines for the disclosure of potential vulnerabilities in products. Get familiar with them, incorporate the appropriate aspects into your policies and procedures, and keep your eye out for a revised standard in 2019.

Require basic cyber hygiene. End-user workarounds and shadow IT groups undermine even the best security architecture and policies. Proactively engage end users to avoid nonadherence to security policies. Ensure that bring-your-own-device policies, procedures, and systems have the same level of protection as hospital-managed networked devices. A 2016 HIMSS survey found that only 56.3% of acute-care and 35.5% of nonacute-care providers were actively deploying significant mobile device management protocols. Finally, require the use of antivirus and antimalware software; the same survey found that only 84% of acute-care and 90% of nonacute-care providers are using these first-line defenses. IT managers should think like care providers: preventing an infection is better than treating one.

Proactively assess risks and patch vulnerabilities. Focus in particular on legacy devices, and work directly with manufacturers and suppliers to bring every device up to date as soon as possible. In late 2016 the FDA issued helpful but nonbinding postmarket guidance for devices already approved and in the field. It provides a reasonable framework for assessing cybersecurity risk across the product life cycle, and it gives specific direction on how to address an identified cybersecurity risk across the entire health IT ecosystem without alarming patients and providers or tipping off would-be attackers interested in exploiting a known vulnerability. The most significant point is the FDA's statement that manufacturers can reach back and fix security issues without having to resubmit a device for review. Before this explicit guidance, many manufacturers were reluctant to make changes that could be seen as a fundamental alteration, which triggers the need for a new submission.

Stay alert and informed. In 2015, Executive Order 13691 called for the formation of Information Sharing and Analysis Organizations (ISAOs), complementing the existing sector-specific Information Sharing and Analysis Centers (ISACs), to encourage voluntary communities that can securely share information across a region or industry in response to emerging threats. Membership includes secure notifications of emerging threats and access to leaders at many major device manufacturing firms and trusted vendors whose products, manufacturing, and post-market response processes meet certain criteria. The cost of participating is minimal compared to the financial and public relations cost of mopping up an avoidable breach.

Hospital CIOs clearly recognize that networked medical and wearable devices present security soft spots. However, with limited resources and a host of new regulatory and business challenges to prioritize, reducing the threats presented by medical devices is very likely to remain low on their lists. Cybersecurity remains secondary to medical purpose, even though a cybersecurity failure could result in severe injury or death. Without actual penalties for noncompliance, it's unclear whether device risks will rise above other competing health IT priorities. Patients deserve better.


David Nickelson, PsyD, JD, is Director, Health Strategy and Behavior Change at Sapient Health.