A record number of data breaches occurred in 2021, and for the 11th consecutive year, the healthcare industry experienced the highest average cost at $9.23 million. Insurers are raising premiums and limiting coverage.
At least 68 healthcare providers operating a total of 1,203 sites were affected by ransomware, according to Emsisoft’s annual “The State of Ransomware in the US” report. Scripps Health, which operates 24 locations including five hospitals, puts the cost of an attack it sustained at $112.7 million.
And while some health systems heightened their defenses, cyber actors increasingly targeted independent outpatient and specialty clinics because they lacked as many resources as their larger peers.
Unpatched vulnerabilities, such as Log4j, continue to present risk and draw the concern of federal regulators. Cybersecurity incidents in recent years have forced hospitals to relocate surgical patients, divert ambulances to other hospitals, and otherwise delay care.
Amid this environment, connected medical devices merit particular attention. As both the pandemic and industry trends push the delivery of healthcare increasingly toward alternate sites of care, medical device cybersecurity becomes increasingly important and may require additional considerations. This year, healthcare providers will embrace a more holistic and rigorous approach to their medical device cybersecurity.
The What, Where and How of Medical Device Cybersecurity
Medical devices can be challenging to keep tabs on and up to date with the latest patches. Healthcare systems often lack 100% visibility into their inventory. This includes knowing how many devices they have, the exact make and model, and where the devices are as well as whether each individual device is up to date.
When a vulnerability is identified, healthcare regulations require any medical device patch that is developed to be validated by the original equipment manufacturer before distribution. Sometimes those validated patches are delayed. Manufacturers may wait to incorporate a patch for many reasons, such as until they can revalidate other equipment and software upgrades at the same time. Manufacturers also may not provide a solution for equipment because it is nearing the end of its lifecycle, opting instead to “end of life” the product and no longer support it. Older equipment that originally was not networked but has since been connected may no longer be supported, or may be technologically costly or infeasible to remediate.
In cases when a patch is unavailable, some type of compensating control must be deployed, such as disabling or isolating a service or pursuing other available options.
The risk each device presents can also be unique to its environment of care. A compensating control such as disabling a service might be okay for a device in a patient room but not for the same type of device in an operating room.
One can imagine how challenging managing medical devices can be in a hospital setting. Now imagine the challenge when medical devices are off-site.
As Alternate Sites of Care Increase, So Does the Risk
Industry trends and the pandemic are increasingly pushing the delivery of healthcare to alternate sites of care.
Most immediately, COVID-19 surges have pushed hospitals to their capacity limits. Hospitals have converted parking garages, parking lots and other spaces into care facilities for COVID-19 patients. Whether further such accommodations will be needed is as uncertain as when, or if, the next surge will occur.
Short-term pandemic needs aside, healthcare has already been shifting to more alternate sites of care. Hospital-at-home care, in which patients receive acute-level care at home rather than in the hospital, has been shown to reduce costs and improve outcomes while providing a better patient experience.
Both situations compound the difficulty for a health system to maintain 100% visibility into its medical device inventory. Devices can be moved off-site and to different sites. Physical access to the devices is more difficult to control.
A third type of alternate site of care also presents challenges. Independent outpatient and specialty clinics can lack the cybersecurity, IT and other resources that large health systems have to help deter and respond to attacks, threats and vulnerabilities. A Florida dermatology practice last year was the victim of a cyberattack that affected more than 57,000 individuals, HealthITSecurity reported.
The delivery of healthcare is shifting. A healthcare provider’s cybersecurity approach needs to shift with it.
Medical Device Cybersecurity Really Is a Team Effort
Whether medical devices are in a hospital or at an alternate site of care, vulnerabilities exist. This year, healthcare providers will take a more comprehensive approach to medical device security to ensure those vulnerabilities are mitigated.
Medical device cybersecurity hinges on coordinated efforts among clinical engineering, information technology and cybersecurity teams, whether those teams are in-house, third-party or some combination of both.
Clinical engineering teams leveraging a clinical asset management solution maintain full inventory visibility no matter the location of the devices. Visibility encompasses not only the location of each medical device but also a host of factors related to each device’s individual profile: Do any vulnerabilities exist? Have patches been installed or other compensating controls instituted? Are there any FDA recalls unaddressed?
Cybersecurity teams monitor a health provider’s network for suspicious behavior and respond in real time to identified threats. With the tight labor pool for qualified cybersecurity professionals, many health systems are turning to third-party security operations centers to meet their needs.
But whether a cybersecurity team is in-house or an external provider, they need to work in partnership with the clinical engineering and information technology teams. Whereas the cybersecurity team may identify a threat, the unique nature of medical device maintenance requires the clinical engineering and information technology teams to address the threat. They may install a validated patch or deploy some other compensating control.
Clinical engineering teams also recognize that, with medical devices, vulnerabilities vary in scope and risk. Teams can prioritize work based on how critical a device is to patient care and the severity of the potential risk. They also help determine when a device should be replaced, for example when no patch or other compensating control is available to address known vulnerabilities.
Medical device cybersecurity hinges on leveraging what each expert brings to the table.
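The decision flow described above (validated patch first, then a compensating control if the environment of care tolerates it, otherwise replacement or escalation, with inventory gaps jumping the queue) as an added example that is not from the article or any asset management product; the setting weights, device fields, severity scores and sample inventory are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed ranking of how disruptive a lost device is in each environment of
# care; a disabled service tolerable in a patient room is not in an OR.
SETTING_RISK = {"patient_room": 1, "hospital_at_home": 2, "operating_room": 3}

@dataclass
class Device:
    asset_id: str
    model: str
    location: Optional[str]   # None = visibility gap: inventory cannot place it
    setting: str              # key of SETTING_RISK
    vuln_severity: int        # 0 = none known; 1..10 constructed, CVSS-like
    validated_patch: bool     # manufacturer-validated patch exists
    patched: bool
    end_of_life: bool         # vendor has end-of-lifed the product
    control_acceptable: bool  # may a service be disabled/isolated here?

def triage(d: Device) -> Tuple[int, str]:
    """Return (priority, action); higher priority is handled first."""
    priority = d.vuln_severity * SETTING_RISK[d.setting]
    if d.location is None:  # unknown whereabouts blocks every other step
        return priority + 10, "LOCATE: inventory gap, cannot assess or remediate"
    if d.vuln_severity == 0 or d.patched:
        return 0, "OK: no open vulnerability"
    if d.validated_patch:
        return priority, "PATCH: install the manufacturer-validated patch"
    if d.control_acceptable:
        return priority, "COMPENSATE: isolate device or disable affected service"
    if d.end_of_life:
        return priority, "REPLACE: end of life, no patch, no acceptable control"
    return priority, "ESCALATE: no patch or control, request vendor timeline"

def triage_inventory(devices: List[Device]) -> List[Tuple[str, int, str]]:
    """Work queue for clinical engineering, most urgent first."""
    rows = [(d.asset_id, *triage(d)) for d in devices]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample inventory (not real devices or vulnerabilities).
INVENTORY = [
    Device("P-101", "infusion pump", "Room 12", "patient_room", 7, True, False, False, True),
    Device("M-207", "patient monitor", "OR 3", "operating_room", 7, False, False, False, False),
    Device("M-208", "patient monitor", "Room 14", "patient_room", 7, False, False, False, True),
    Device("P-333", "infusion pump", None, "hospital_at_home", 5, False, False, False, True),
    Device("X-010", "portable x-ray", "OR 1", "operating_room", 9, False, False, True, False),
    Device("V-044", "ventilator", "ICU 2", "patient_room", 4, True, True, False, True),
]
if __name__ == "__main__":
    for asset_id, prio, action in triage_inventory(INVENTORY):
        print(f"{prio:3d}  {asset_id:6s} {action}")
```

Note that the same monitor model (M-207 and M-208) gets a different action purely because of where it sits, which is the point the article makes about operating rooms versus patient rooms.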
2022: The Year Healthcare Will Push Back
Cybersecurity in the healthcare sector is too critical to leave to anything less than a robust approach. The industry is too great a target for cyberattacks from opportunistic criminals.
In hindsight, 2021 may prove to be a watershed moment as the escalating attacks drew heightened interest from the federal government. The FDA named a medical device cybersecurity czar, Kevin Fu, as part of its enhanced effort to combat the problem. More broadly, malicious cyber activity drew the attention of Congress.
The trouble is cyber criminals aren’t sitting still.
“Ransomware has become a big business for cyber criminals, who are refining their tactics, lowering the barriers to entry for as little as a $40 subscription and little technological knowledge,” Scott Sayce, head of cyber at global insurer AGCS, told Help Net Security. “The commercialization of cybercrime makes it easier to exploit vulnerabilities on a massive scale.”
While government help is welcome, healthcare industry providers, of course, bear the ultimate responsibility. Patient welfare is literally in their hands. Recognizing the potential risks with medical devices, they will leverage a holistic approach made up of clinical engineering, information technology and cybersecurity experts to meet the challenge.