Practical steps for hospital CIOs to reduce cyber risk

The recent WannaCry cyber-attack affecting hospital systems around the world, including the NHS and Bayer medical devices in the US, could be the tip of the iceberg. Unfortunately, when it comes to cyber vulnerabilities in the health care sector, hacks of implanted or wearable medical devices are an even more sobering threat.

Researchers in Belgium and the UK have demonstrated that it’s possible to transmit life-threatening (if not fatal) signals to implanted medical devices such as pacemakers, defibrillators, and insulin pumps. Just last year two commercial vendors revealed vulnerabilities in insulin pumps and a nursing inventory supply system that could compromise care and provide covert network access.

Such devices are becoming more and more common in health care. Spurred by an aging population, increases in chronic disease, and technological breakthroughs, the electronic medical device market is expanding rapidly. But while the market expands at an expected rate of 3% per year until at least 2022, hospital IT networks remain slow to address longstanding cyber security challenges that raise both privacy and potentially fatal health concerns.

Surveys of health IT leaders reveal that much of their cyber security budgets will remain focused on securing enterprise networks through infrastructure, datacenter, and cloud security. There are, however, some basic steps that hospital CIOs can take to reduce their risk and protect patients, devices, networks, and data.

Assess device cyber security during procurement

Assess these risks on par with clinical efficacy. Talk openly with vendors about concerns and expectations in case vulnerabilities are identified in the future. In 2014 the International Organization for Standardization developed guidelines for the disclosure of potential vulnerabilities in products. It’s important to get familiar with them, incorporate the appropriate aspects into your policies and procedures, and keep your eye out for a revised standard in 2019.

Require basic cyber hygiene

End user workarounds and shadow IT groups undermine even the best security architecture and policies. Proactively engage end users to avoid non-adherence to security policies. Ensure that bring-your-own-device policies, procedures, and systems have the same level of protection as networked devices. A 2016 HIMSS survey found that only 84% of acute and 90% of non-acute providers are using these first-line defenses. IT managers should think like care providers: preventing an infection is better than treating one.

Proactively assess risks and patch vulnerabilities

Focus in particular on legacy devices and work directly with manufacturers and suppliers to bring every device up to date as soon as possible. In late 2016 the FDA provided helpful but nonbinding guidance for devices already approved and in the field. It provides a reasonable framework for assessing cyber security risk across the product life cycle. It also gives specific direction about how to address an identified cyber security risk across the entire health IT ecosystem without alarming patients and providers or tipping off would-be hackers and others interested in exploiting a known vulnerability. The most significant guideline is the FDA’s statement that manufacturers can reach back and fix security issues without having to resubmit a device for re-certification. Prior to this explicit guidance, many manufacturers were reluctant to make changes that could be seen as a fundamental alteration, which triggers the need for re-certification.

Hospital CIOs clearly recognize that networked medical and wearable devices present security vulnerabilities. However, with limited resources, reducing the threats presented by medical devices will likely remain low on their priority lists. Cyber security remains secondary to medical purpose, even though a cyber security failure could result in severe injury or death. Without actual penalties for noncompliance, it’s unclear whether device risks will rise above other competing health IT priorities. Patients deserve better.

This is a guest article by David Nickelson, PsyD, JD, Director, Health Strategy and Behavior Change at Sapient Health
