Cybersecurity and the Contracting Executive

Contracting executives: Make sure upfront that the manufacturer will provide support for software updates

Computer users have been concerned about viruses since the dawn of the Internet. Today, given the ubiquity of Wi-Fi and smartphones, those concerns have multiplied.

Malware is a threat to banking, utilities, defense, national security…and healthcare. Anti-virus programs aren’t enough to stop data theft, tampering and destruction, particularly given the sophistication of today’s networked medical devices and electronic medical records systems. And the sophistication of those who are determined to hack into those systems has never been greater.

Hence cybersecurity, which the U.S. Food and Drug Administration defines as “the process of preventing unauthorized modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed or transferred from a medical device to an external recipient.”

As hospitals and IDNs face this issue, chances are contracting executives will get involved.

“Any medical device or IT system that is connected to a network is vulnerable,” says Timothy Wong, project engineer, Health Devices Group, ECRI Institute. “Devices and systems that connect to the Internet are of most concern. Also, devices with external USB ports are at risk of being infected by malware.” He defines malware as malicious software (e.g., viruses, worms, Trojan horses) that can jeopardize the delivery of care to patients when using affected health information systems or medical devices.

To date, ECRI isn’t aware of any malicious cybersecurity attacks that have led to patient harm, but the concern exists. That’s why the Food and Drug Administration is introducing requirements for future premarket submissions for medical devices, which would require manufacturers to disclose information about the security risk of a given device, as well as mitigation strategies, says Wong.

Manufacturers have a huge role to play. Already, they test and validate anti-malware software and operating-system patches for compatibility with their medical devices before healthcare facilities introduce them onto their equipment, says Wong. Manufacturers are also starting to consider cybersecurity issues early in their equipment design process.

Supply chain’s role
But providers can’t assume a passive role. “There are various measures that healthcare facilities should undertake to address their cybersecurity vulnerabilities,” says Wong. Some examples:

  • Limit network access to medical devices by using firewalls or virtual local area networks (VLANs).
  • Have appropriate access policies to medical devices in place and ensure that they are being actively followed.
  • Keep up with the latest updates and patches for OS and anti-malware software.
  • Establish tight controls for medical device password access.

Contracting executives can and should play a direct role, Wong continues. “An important consideration during purchase and service contract negotiations for any medical device that is software-based and/or networked is that the manufacturer is asked to provide support for software updates.

“Manufacturers play an important role in validating the compatibility of OS software patches or antivirus software with their devices, and healthcare facilities should ensure that they are covered for the entire duration of the expected equipment life cycle to protect themselves against future cybersecurity issues.”