Your practice is at risk from the devices right at your very fingertips. Learn how to secure the technology you use to keep your patients healthy.
Medical devices are ubiquitous. Many practices keep devices in plain sight, yet they often go unnoticed and unsecured, and if someone accesses the patient data they hold, the result is a security or privacy breach.
Even more alarming, newer products are more likely to include wireless connections so patient data can be automatically ingested into the electronic health record (EHR). Others connect directly to apps on tablets, smartphones and general-purpose laptop computers. Having electronic Protected Health Information (ePHI) on various portable devices increases the risk of a data breach through unintended physical access or remotely via wireless networks.
The primary driver of medical device risk is a general lack of awareness. Left unmitigated, this unawareness fosters an environment where accountability gaps lead to weak security controls.
If no one is accountable for monitoring device manufacturers' alerts, critical software updates may not be installed to address newly discovered technical vulnerabilities. These vulnerabilities give attackers a path to patients' data and/or an entry point into the larger network. And if no one is explicitly assigned responsibility for these devices, they can also be stolen, resulting in a reportable breach.
Device manufacturers and the Food and Drug Administration (FDA) have taken notice. In 2016, the FDA released its cybersecurity guidance, which recommended a shared responsibility model between manufacturers and users (e.g., physician practices). Sixty-seven percent of medical device makers believe their devices are likely to be attacked over the next 12 months, according to a study conducted by the Ponemon Institute. However, only 17 percent of device manufacturers are taking significant steps to prevent an attack, according to the study.
The burden now shifts to physician practices to start monitoring vendor alerts and take measures to protect their devices, such as applying security patches.
However, it’s important to note that not all devices can be patched. The ever-decreasing cost of laptop computers has made them commodities, so healthcare providers generally replace office computers with the latest version of Windows about every four years.
More expensive medical devices, by contrast, commonly stay in service for 10-15 years, perhaps even longer. Many of these devices are also built on the Windows operating system, including versions as old as Windows XP, Windows 2000 or even Windows 98. Microsoft has long since stopped issuing security patches for these legacy operating systems (Windows 7 reached end of support in January 2020), so it is reasonable to assume that security patches or software updates will not be available to address known threats.
Device manufacturers are also not incentivized to use the latest version of software in their new devices. Historically, healthcare organizations have never asked for a software bill of materials (SBOM) as part of the request for proposal process, and many vendors have been reluctant to provide one even when asked.
Unlike cars, which change model years every fall, medical equipment models advance only every several years, so it is possible to purchase a brand-new device that is delivered with an obsolete, even end-of-life, operating system. For example, a physician practice that purchases a new ultrasound machine that has been on the market for many years may discover the system is built on an unsupported operating system. Until organizations unify their demands and start qualifying vendors on their transparency, the problem will persist.
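The practical consequence of the last four paragraphs is that a practice needs to know, for each device, whether its operating system can still be patched, whether support will run out before the device is due to be retired, and who is accountable for it. The following Python script is an added example, not code from the article or from any vendor: it triages a constructed sample inventory against Microsoft's published end-of-extended-support dates (treat the dates as an assumption and re-check them against the vendor's lifecycle pages before relying on them) and recommends an action for each device. The device names, purchase dates and service lives are invented for illustration.

```python
"""Triage a medical-device inventory by operating-system support status.

Added example, not from the original article. Inventory data is constructed;
end-of-support dates are Microsoft's published end-of-extended-support dates
and are an assumption to be verified against current lifecycle pages.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: Microsoft end-of-extended-support dates; verify before use.
OS_END_OF_SUPPORT = {
    "Windows 98": date(2006, 7, 11),
    "Windows 2000": date(2010, 7, 13),
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}


@dataclass
class Device:
    name: str
    os: str
    purchased: date
    service_years: int           # expected time in service (10-15 years is typical)
    owner: Optional[str] = None  # staff member accountable for alerts/patches


def projected_retirement(device: Device) -> date:
    """Purchase date plus expected service life (29 Feb clamped to 28 Feb)."""
    year = device.purchased.year + device.service_years
    try:
        return device.purchased.replace(year=year)
    except ValueError:  # purchased on 29 Feb, target year is not a leap year
        return device.purchased.replace(year=year, day=28)


def triage(device: Device, today: date) -> dict:
    """Classify one device and recommend an action."""
    eos = OS_END_OF_SUPPORT.get(device.os)
    retire = projected_retirement(device)
    findings = []
    if eos is None:
        status = "UNKNOWN_OS"
        action = "ask the vendor for a software bill of materials before deciding"
    elif eos <= today:
        status = "UNSUPPORTED"
        action = ("no security patches are available; isolate the device on its own "
                  "network segment and allow only the EHR interface traffic it needs")
    elif eos < retire:
        status = "SUPPORT_ENDS_BEFORE_RETIREMENT"
        action = (f"OS support ends {eos.isoformat()}, before planned retirement "
                  f"{retire.isoformat()}; budget for an upgrade or replacement")
    else:
        status = "SUPPORTED"
        action = "monitor manufacturer alerts and apply security patches as released"
    if device.owner is None:
        findings.append("no staff member is accountable for this device's alerts and patches")
    return {"device": device.name, "os": device.os, "status": status,
            "action": action, "findings": findings}


def triage_inventory(devices, today: date):
    """Triage every device; return per-device rows and a count per status."""
    rows = [triage(d, today) for d in devices]
    summary = {}
    for row in rows:
        summary[row["status"]] = summary.get(row["status"], 0) + 1
    return rows, summary


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("Ultrasound, exam room 2", "Windows XP", date(2018, 3, 1), 12),  # bought new, shipped on XP
    Device("Digital X-ray workstation", "Windows 10", date(2021, 6, 15), 15, owner="J. Lee"),
    Device("Front-desk laptop", "Windows 10", date(2022, 1, 10), 3, owner="IT"),
    Device("Infusion pump", "Proprietary RTOS", date(2020, 9, 1), 10, owner="Nursing"),
]
SAMPLE_DATE = date(2024, 5, 1)  # fixed "today" so the sample run is reproducible

if __name__ == "__main__":
    rows, summary = triage_inventory(SAMPLE_INVENTORY, SAMPLE_DATE)
    for row in rows:
        print(f"{row['status']:<31} {row['device']} ({row['os']}): {row['action']}")
        for finding in row["findings"]:
            print(f"    finding: {finding}")
    print("summary:", summary)
```

The `SUPPORT_ENDS_BEFORE_RETIREMENT` case is the one the article warns about: the OS is patchable today, but it will lose support years before the practice plans to retire the device, so the replacement cost belongs in the budget now rather than as a surprise.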
In the meantime, here are five proactive ways practices can protect themselves against data breaches and cybersecurity attacks.
None of these steps will work unless staff members are trained on the importance of protecting patients' data and systems.
If you need a way to convince your senior leadership about the need for device management, consider this short test.
If you or your senior leadership are uncomfortable with the results of this litmus test, your practice may not be providing the appropriate level of resources and attention to known medical device risks.
Clyde Hewitt, MS, CISSP, CHS, ISO 27001 Lead Auditor, Level III Program Manager, is an executive adviser at CynergisTek, where he specializes in healthcare cybersecurity. He is also the past president and a current board member of NCHICA, a not-for-profit healthcare alliance dedicated to the advancement of healthcare technology. He has served as chief security officer for five organizations in the 20 years since his retirement from the Air Force.