Medical devices are ubiquitous. Many practices store devices in plain sight, but they often remain unnoticed and unsecured, which could result in a security or privacy breach if someone accesses patients’ data.
Even more alarming, newer products are more likely to include wireless connections so patient data can be automatically ingested into the electronic health record (EHR). Others connect directly to apps on tablets, smartphones and general-purpose laptop computers. Having electronic Protected Health Information (ePHI) on various portable devices increases the risk of a data breach through unintended physical access or remotely via wireless networks.
The cause of medical device risk
The primary cause of medical device risk is a general lack of awareness. Left unmitigated, this unawareness fosters an environment where accountability gaps lead to weak security controls.
If no one is accountable for monitoring device manufacturers’ alerts, then critical software updates may not be installed to address newly discovered technical vulnerabilities. These technical vulnerabilities provide a path for hackers to access patients’ data and/or give them an entry point into the larger network. And if no one is explicitly assigned responsibility for these devices, they could also be stolen, resulting in a reportable breach.
Device manufacturers and the Food and Drug Administration (FDA) have taken notice. In 2016, the FDA released its cybersecurity guidance, which recommended a shared responsibility model between manufacturers and users (e.g., physician practices). Sixty-seven percent of medical device makers believe their devices are likely to be attacked over the next 12 months, according to a study conducted by the Ponemon Institute. However, only 17 percent of device manufacturers are taking significant steps to prevent an attack, according to the study.
The burden now shifts to physician practices to start monitoring vendor alerts and take measures to protect their devices, such as applying security patches.
However, it’s important to note that not all devices can be patched. The ever-decreasing cost of laptop computers has made them commodities, so healthcare providers generally replace office computers with the latest version of Windows about every four years.
With more expensive medical devices, it is not uncommon to keep these devices in service for 10-15 years, perhaps even longer. Many of these devices also use the Windows operating system as a core, including those based on Windows 2000, Windows 98 or even Windows XP. Microsoft has long since quit issuing security patches for these legacy operating systems, including Windows 7, so it is reasonable to assume security patches or software updates will not be available to address known threats.
Device manufacturers are also not incentivized to use the latest version of software in their new devices. Historically, healthcare organizations have never asked for the software bill of materials (BOM) as part of the request for proposal process. Many vendors have been reluctant to provide it even if asked.
Unlike cars, which change model years every fall, advances in medical equipment models take several years, so it is possible to purchase a brand-new device that is delivered with an obsolete, even end-of-life operating system. For example, physician practices that purchase a new ultrasound machine that has been on the market for many years may discover the system is built on an unsupportable operating system. Until organizations unify their demands and start qualifying vendors based on their transparency, the problem will persist.
In the meantime, here are five proactive ways practices can protect themselves against data breaches and cybersecurity attacks.
5 ways to treat medical device risk
- Finding a model to address these vulnerabilities and risks requires management commitment and resources. In order to address the problem, practices must first identify all the medical devices in the inventory and keep that inventory current. Medical devices are difficult to track because they are rarely assigned to one person but rather are used among an office or group.
- Once the inventory is maintained, practices must establish a rigorous schedule to check with each vendor or support contractor to identify and apply software updates. Practices should ask the hard questions of vendors, especially when purchasing new equipment, about the underlying software that the systems are built on, e.g., the BOM. Ask vendors for a written commitment to test for and remediate security vulnerabilities.
- Practices must ensure that vendors do not perform maintenance without their knowledge — and be sure to specifically address remote access maintenance. Otherwise, practices will have little visibility into what maintenance is being done and whether the vendor is accessing or removing sensitive data. Furthermore, do not allow vendors to leave default user credentials, such as usernames and passwords, in the systems.
- Be sure to include all medical devices in a cybersecurity management plan. Practically speaking, this means that when practices have internal IT staff or external IT vendors conduct annual technical security checks, both the medical devices and the facility control systems should be included in their scope of work.
- Lastly, practices should review the Joint Security Plan issued by the Joint Cybersecurity Task Group and the Department of Health and Human Services. This plan provides guidance on the importance of conducting periodic risk assessments and maintaining a risk register of all systems and risks. It also recognizes that since healthcare is the most frequent target of hackers, practices should also have an incident management, response and communication plan.
None of these steps will work unless staff members are trained about the importance of protecting patients’ data and systems.
If you need a way to convince your senior leadership about the need for device management, consider this short test.
- Obtain a copy of your Could Not Locate list showing all the medical equipment that cannot be found.
- From this list, see if you can determine which devices can connect to the network and if staff know which items on the list may contain identifiable patient information.
- For every missing device that could contain patient data, ask your compliance team if they have ascertained that there is a HIPAA breach, notified the patients impacted and notified the Office for Civil Rights as required by the HIPAA Breach Notification Rule.
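As an added illustration (not code from the article or its author), the following Python script turns the five steps above and the three-step litmus test into a small inventory triage: it flags devices whose operating system is past vendor support or was never disclosed in the BOM, devices still carrying vendor default credentials, networked devices whose vendor update check is overdue, and every device on the Could Not Locate list that could hold ePHI and therefore needs a HIPAA breach assessment. The inventory, the Could Not Locate list, the 90-day update-check interval and the as-of date are all constructed for the example; the end-of-support dates are assumed values that should be confirmed against the vendor's own lifecycle notices before being used in a real register.

```python
"""
Added example, not code from the original article: a minimal inventory triage
that runs the article's litmus test and builds a simple risk register over a
constructed medical-device inventory. Every device, date and list below is
made up for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Assumed end-of-support dates for the example; confirm against the vendor's
# own lifecycle notices before using them in a real register.
OS_END_OF_SUPPORT = {
    "Windows 98": date(2006, 7, 11),
    "Windows 2000": date(2010, 7, 13),
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

UPDATE_CHECK_INTERVAL = timedelta(days=90)  # assumed schedule, not from the article
AS_OF = date(2024, 6, 1)                     # fixed "today" so the run is reproducible


@dataclass(frozen=True)
class Device:
    asset_tag: str
    description: str
    operating_system: Optional[str]   # None when the vendor would not disclose the BOM
    network_connected: bool
    stores_ephi: bool
    default_credentials: bool
    last_vendor_update_check: Optional[date]


# Constructed sample inventory (all values made up).
INVENTORY = [
    Device("MD-001", "Ultrasound cart", "Windows XP", True, True, True, date(2023, 1, 10)),
    Device("MD-002", "Vital-signs monitor", "Windows 10", True, True, False, date(2024, 5, 2)),
    Device("MD-003", "Infusion pump", None, True, False, False, None),
    Device("MD-004", "ECG machine", "Windows 7", False, True, False, date(2024, 3, 15)),
    Device("MD-005", "Portable spirometer", "Windows 7", False, True, False, date(2024, 4, 20)),
]

# Constructed "Could Not Locate" list from the last physical inventory.
COULD_NOT_LOCATE = {"MD-001", "MD-003", "MD-005"}


def unsupported_os(devices: List[Device], today: date) -> List[str]:
    """Asset tags whose OS is past vendor support or was never disclosed."""
    out = []
    for d in devices:
        eos = OS_END_OF_SUPPORT.get(d.operating_system)  # None for unknown/undisclosed OS
        if eos is None or eos <= today:
            out.append(d.asset_tag)
    return out


def litmus_test(devices: List[Device], could_not_locate: Set[str]) -> dict:
    """The article's three-step test: which devices are missing, which of those
    can reach the network, and which could hold patient data (each of the last
    group needs a HIPAA breach assessment by the compliance team)."""
    missing = [d for d in devices if d.asset_tag in could_not_locate]
    return {
        "missing": [d.asset_tag for d in missing],
        "missing_networked": [d.asset_tag for d in missing if d.network_connected],
        "needs_breach_assessment": [d.asset_tag for d in missing if d.stores_ephi],
    }


def risk_register(devices: List[Device], could_not_locate: Set[str],
                  today: date) -> List[Tuple[str, str]]:
    """One (asset_tag, risk) row per finding, covering the article's five points."""
    rows = []
    eol = set(unsupported_os(devices, today))
    missing_ephi = set(litmus_test(devices, could_not_locate)["needs_breach_assessment"])
    for d in devices:
        if d.asset_tag in eol:
            rows.append((d.asset_tag, "unsupported or undisclosed operating system"))
        if d.default_credentials:
            rows.append((d.asset_tag, "vendor default credentials still present"))
        # Only networked devices are held to the vendor update-check schedule here.
        if d.network_connected and (
            d.last_vendor_update_check is None
            or today - d.last_vendor_update_check > UPDATE_CHECK_INTERVAL
        ):
            rows.append((d.asset_tag, "vendor update check overdue"))
        if d.asset_tag in missing_ephi:
            rows.append((d.asset_tag, "missing device holding ePHI: breach assessment required"))
    return rows


if __name__ == "__main__":
    print(litmus_test(INVENTORY, COULD_NOT_LOCATE))
    for tag, risk in risk_register(INVENTORY, COULD_NOT_LOCATE, AS_OF):
        print(f"{tag}: {risk}")
```

The register is deliberately a flat list of findings per asset tag so it can be dropped into a spreadsheet or ticketing system; a real practice would feed the same logic from its asset-management export and the vendor lifecycle notices rather than the hard-coded tables shown here.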
If you or your senior leadership are not uncomfortable with the results of this litmus test, then your practice may not be providing the appropriate level of resources and attention to known medical device risks.
Clyde Hewitt, MS, CISSP, CHS, ISO 27001 Lead Auditor, Level III Program Manager is an executive adviser at CynergisTek where he specializes in healthcare cybersecurity. He is also the past president and current board member of NCHICA, a not-for-profit healthcare alliance dedicated to the advancement of healthcare technology. He has served as chief security officer for five organizations in the past 20 years since his retirement from the Air Force.