Medical Device Cybersecurity Hinges on Far More Than Identifying Risks

Cybersecurity threats to health systems are growing, posing potential risks to patient safety. However, most hospital cybersecurity strategies are focused on traditional information security, leaving medical devices exposed to vulnerabilities.

Effective cybersecurity hinges on a robust understanding of the importance of device inventory along with powerful analytics to guide clinical asset decision-making. The best way to maintain, optimize, and secure medical devices is through comprehensive clinical asset management, which integrates inventory visibility, resource allocation and planning and cybersecurity.

A June 2021 FDA report characterized the threat in stark terms saying it has “the potential to result in patient harm such as illness, injury, or death as a result of delayed treatment or other impacts to medical device availability and functionality.”

While the FDA continues to raise awareness of the risks and suggests new steps for manufacturers and others to help thwart hackers, the burden lies with health systems. Remote use of critical-function infrastructure is rising as devices are increasingly connected to the internet.

Also escalating is ransomware, which in 2021 alone disabled a health system, disrupted a hospital for weeks, and interfered with actual treatment versus simply holding electronic health records ransom. “Cybersecurity,” the report said, “is crucial for medical device safety and effectiveness.”

INSTITUTING AN EFFECTIVE CYBERSECURITY PROGRAM

Consider leveraging the NIST Cybersecurity Framework Core as a basis for your cybersecurity program. The framework outlines five basic functions to organize medical device cybersecurity efforts and serves as a solid foundation in which to begin.

• Identify: The most critical aspect is an accurate inventory of all software, devices, and systems.
• Protect: Access to clinical assets must be protected, whether online through proper authorizations and training or physically in person.
• Detect: Clinical assets must be monitored in real-time to identify cybersecurity events.
• Respond: Response plans need to be in place, communicated, and maintained. Vulnerabilities need to be mitigated or remediated.
• Recover: Planning, training, and testing of a recovery plan needs to be in place, not just for clinical engineering and information technology needs but for the health system’s reputation, as well.

The Cybersecurity Framework Core is strengthened when supported by comprehensive clinical asset management because:

• Medical device patch updates are not always readily available by the OEM.
  Full inventory visibility is critical. A health system needs inventory updated in real-time to identify which devices have a known vulnerability or cyber risk and whether an OEM-validated patch is available.
• Sometimes the original equipment manufacturer is unaware of vulnerabilities impacting its equipment.
  “Servicing entities are well-positioned to help identify cybersecurity vulnerabilities and exploits early,” the June FDA report noted, “sometimes even before the OEM becomes aware.”
• The OEM may no longer be supporting the device.
  Although the FDA is seeking a requirement that devices can be updated and patched in a timely manner, such a requirement is not now the case.

A comprehensive asset management process can complete an effective cybersecurity program by providing answers to three critical questions:  

1. If there is no OEM-validated patch available, can a compensating control be applied?
2. Are the impacted devices nearing the end of their lifecycle, and can they be replaced?
3. Is the degree of risk outweighed by the capital expenditure required to replace the devices?

Cybersecurity protocols alone cannot help guide decision making. Full inventory visibility must flag devices that present cybersecurity risks. Data and informatics on device optimization can help guide purchasing decisions by noting which devices should be replaced, upgraded or disposed of.

Click here for more information and research on why cybersecurity hinges on far more than identifying risks.