By Don Baham, CISSP, CISA, MCSE, Kraft Technology Group
Last year, medical device vendor Zoll was carrying out what it regarded as a routine migration of its servers. After what the company described as a “data security incident” that occurred in November or December 2018, it notified 277,319 patients that their data had been compromised. The data included names, Social Security numbers, dates of birth, medical history, and other personally identifiable information.
All patient data was eventually secured, and no identity theft was reported as a result of the incident. But the possibility of further repercussions after the initial breach underlined how exposed the medical device sector is at a time when cybersecurity threats continue to grow nationally.
Cybersecurity is an emerging concern across all sectors. Healthcare may be one of the most vulnerable, because so many of its functions depend on networked systems: the transfer of electronic protected health information (ePHI) as well as the maintenance, management, and operation of medical devices. That is why it should be near the top of every healthcare facility’s list of threats to address.
Why you should care about medical device cybersecurity
There are a variety of cyber vulnerabilities that can impact medical devices, especially as these devices within a hospital or health system become more and more connected. A few types of vulnerabilities include, but are certainly not limited to:
Data breaches. Many medical devices store or transmit sensitive patient data such as electronic health records. If that protected health information (PHI) is exposed in a breach, a malicious actor can use it for identity theft, fraud, or other nefarious purposes.
Ransomware or malware attacks. With the rise of email phishing, medical devices and the systems around them have never been more exposed to ransomware or malware. In a ransomware attack, a malicious actor encrypts or locks the IT systems a device depends on and demands payment to restore access.
Interference with the care devices provide. As more medical devices come online, so does the potential for those devices to be disrupted, with direct and negative consequences for patient care.
Outdated software. Some medical devices run old software without the latest security patches; in some cases the manufacturer restricts patching so that updates do not interfere with the device’s validated function. This leaves devices exposed to cyberattacks and other unanticipated performance issues.
Methods for prevention
There are mechanisms for securing medical devices, and while they aren’t necessarily simple, there are basic, high-level best practices to improve the cyber hygiene of your facility’s devices.
Patch, patch, patch. Keeping your systems current with the latest patches gives you the best chance of avoiding infection by ransomware or malware. Where a manufacturer restricts patching of a device, apply the vendor-validated updates that are available and keep a record of every device that cannot be patched so that its risk is known and tracked.
Incorporate cyber practices into your continuity of operations (COOP) procedures. Your facility has emergency response plans, checklists, and other guidance on how best to respond to disruptions or disasters. Ensure that medical device security incidents are incorporated into these plans. For example, if a data breach occurs on one of your medical devices, you should have documented procedures for managing that breach.
Educate your staff. A documented response plan is only valuable if your staff are trained to carry it out. Emphasize the importance of good cybersecurity practices and of maintaining them, and hold training on how to do so.
The key to prevention is making sure staff know the proper procedures for managing and mitigating a cyber incident.
Resources to improve your medical device cybersecurity
Maintaining proper cyber health for your facility’s devices is a critical yet daunting task. Luckily, there are resources available to help hospitals and other healthcare facilities do just that.
The U.S. Food and Drug Administration is the lead within the federal government for medical device cybersecurity. They offer multiple information resources to assist healthcare facilities, including:
FDA Website on Cybersecurity. This website provides a high-level overview of medical device cybersecurity from the FDA perspective.
The FDA’s Role in Medical Device Cybersecurity. This fact sheet outlines the FDA’s role in the cybersecurity of medical devices nationally. It dispels several myths as well.
Interference with Pacemakers and Other Devices. This web page discusses how radiofrequency energy can interact with and potentially disrupt medical devices.
Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Released in October 2018, this document provides recommendations to the private sector regarding cybersecurity considerations to be included in premarket submissions for devices that are susceptible to cyberattacks.
Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software. This document outlines software maintenance to manage cyber vulnerabilities within medical devices.
Healthcare and Public Health Sector Partnership resources
The Healthcare and Public Health Sector partnership consists of federal, state, local, and private sector healthcare representatives who collaborate with the U.S. Department of Health and Human Services (HHS) and the Department of Homeland Security (DHS) to help secure healthcare and public health critical infrastructure. DHS treats cybersecurity as part of critical infrastructure protection. This group has a variety of resources dedicated to increasing awareness of medical device cybersecurity.
Medical Device and Health IT Joint Security Plan. This document developed by the Healthcare and Public Health Sector Coordinating Council’s Joint Cybersecurity Working Group is “a consensus-based total product lifecycle reference guide to developing, deploying, and supporting cyber secure technology solutions in the healthcare environment.”
Healthcare Industry Cybersecurity Practices. Also developed by the Joint Cybersecurity Working Group, this product is a four-volume document that outlines common cybersecurity threats and best practices. It offers a more holistic approach to addressing cybersecurity at a healthcare facility, of which medical device security is an important component.
The Healthcare and Public Health Sector Highlights – Cybersecurity Edition. This email newsletter, sent every Friday morning by the HHS Office of the Assistant Secretary for Preparedness and Response, includes links to reports, products, and webinars related to medical device cybersecurity. The emails include weekly reports and cyber threat briefings from the Health Sector Cybersecurity Coordination Center (HC3), HHS’s cybersecurity information sharing and analysis center. Many of these briefings include information on medical device cyber vulnerabilities.
Every hospital or healthcare facility needs to treat the cybersecurity of its medical devices as a major operational risk, but you can mitigate that risk through education and the implementation of best practices. Using the resources outlined above is a good start toward making you and your staff more aware of this security issue.
Don Baham, CISSP, CISA, MCSE, is president of Kraft Technology Group, an affiliate of KraftCPAs in Nashville. For details about KTG’s full line of services, or for information on how KTG can help your business take steps against cyber threats, visit www.kraftgrp.com.