Providers should be vigilant about the networked devices and equipment coming through their doors
Patient monitors, infusion pumps, ventilators, imaging modalities, insulin pumps and pacemakers save lives. But increasingly, they present a threat, too.
“Networked medical devices and other mobile health technologies are a double-edged sword,” according to the authors of a recent report on cybersecurity by the Deloitte Center for Health Solutions. “They have the potential to play a transformational role in healthcare, but also may be a vehicle that exposes patients and healthcare organizations to safety and security risks. Among the unintended consequences of healthcare’s digitization and increased networked connectivity are the risks of being hacked, being infected with malware, and being vulnerable to unauthorized access.”
Providers need to anticipate and address medical device security risks to safeguard patient safety and protected health information.
Potential risks
The risks are real and plentiful, regardless of whether they rise from deliberate and malicious activities, or simply from poor management or oversight, says Deloitte. Examples:
- Electromagnetic interference.
- Untested or defective software and firmware.
- Theft or loss of networked medical devices.
- Security and privacy vulnerabilities, including 1) misconfigured networks or poor security practices; 2) failure to install timely manufacturer security software updates and patches; 3) improper disposal of patient data or information, 4) uncontrolled distribution of passwords; 5) manipulation, theft, destruction, unauthorized disclosure, or lack of patient data availability to providers.
- Unauthorized device setting changes, reprogramming, or infection via malware.
- Denial-of-service attacks.
- Targeting mobile health devices using wireless technology to access patient data, monitoring systems, and implanted medical devices.
What can providers do?
Before acquiring networked equipment or devices, providers should demand that manufacturers meet specific privacy and security requirements, advises Deloitte. Some suggestions:
- Adopt a risk management framework, such as ISO/IEC 80001, and tailor it to the organization’s risk culture and environment.
- Integrate networked medical-device-specific security and privacy evaluations and requirements into the procurement process.
- Conduct “white box” reviews of networked medical devices being considered for purchase, either internally or via a third party.
- Incorporate ongoing security support and maintenance into vendor agreements.
- Arrange that spare components be available on demand for networked medical devices to maintain operations in case of a failure.
- Institute environmental safeguards (e.g., generator backup, uninterruptible power supplies, redundant HVAC) to protect facilities that house critical-care and life-support medical devices.
- Gain support from networked medical device manufacturers to continuously identify vulnerabilities and risks, create safety measures to mitigate damage, and provide ongoing firmware, patch, and antivirus updates.
To view the report, “Networked medical device cybersecurity and patient safety: Perspectives of health care information cybersecurity executives,” go to http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/Center%20for%20health%20solutions/us_chs_networkedmedicaldevice_091913.pdf