The lack of medical device security—accidents waiting to happen

July 16, 2018

Cyber attacks are particularly common among healthcare providers, with a reported 62% experiencing an adverse event in just the past year. And when you dig in for the details, yet another cyber-axiom is quickly revealed: while outside attacks continue to be of primary concern, more than half of the reported incidents are the result of employee maliciousness and/or negligence.

Although patient medical records, billing information, and clinical research may still represent the hacker’s most popular targets, the paths to new forms of expensive, if not frightening, disruption are exploding. Case in point: every single medical device that is connected to a network is a breach opportunity. Put another way, every single medical device that can be operated remotely presents unthinkable possibilities.

Can you imagine the look on former Secretary of Defense Dick Cheney’s face when he was told the Wi-Fi broadcast feature on his pacemaker needed to be disabled? What about the IT professional who notifies his/her leadership that the system’s million dollar per day MRI network must be shut down pending a security upgrade? Of course, the point is, why should any of us be surprised?

The industry’s digital transformation is in high gear, as reform has made it a matter of economic necessity. Technology continues to expand the care continuum. Supply chains are playing catch up. While digital monitoring has long been a fact of life inside the walls of a hospital, the care networks that now rely on devices capable of remotely packaging and transmitting data are everywhere. We even wear them.

While investments in analytic tools designed to make sense of it all are booming, and while securing the data that fuels them may be covered under existing security schemes, what about the devices themselves? And if they’re not secured (literally millions of devices are not) whose responsibility is it to make sure that they are?

According to surveys conducted by the Ponemon Institute, 67% of surveyed hospital network security specialists answered “no” or “unsure” when asked if medical device security was on their short list of concerns. More shockingly, about a third of respondents made it clear that they hadn’t even contemplated the issue in their budgeting processes.

So is our government stepping up? Surprisingly, HHS has been all over the problem dating back to 2014. But not surprisingly, legislation has gone nowhere. The device suppliers are not required to provide detailed bills of material that would help hospital supply chain professionals (and their IT counterparts) assess device-based network security risks. Of course, it’s one thing to not know the device’s operating system. It’s quite another if you didn’t feel the need to ask.

Fortunately, the medical device manufacturers have taken the hint (perhaps assessed their potential liabilities) and in many cases, are making their devices more network secure. But their measures are often designed to check the box, as the best they can do is provide a solution that exists in a device-centric vacuum, which is clearly not ideal. Regardless, they can’t do anything about the legacy medical devices that are already in use.

Given how hot the current market is for software solutions that monitor other forms of risk, one might think, at a minimum, that millions of unsecured medical devices should warrant more attention than, for example, monitoring unflattering social media.

While risk avoidance has always been a tough sell, this is a case where the chances of an adverse event are roughly the equivalent of correctly calling a coin toss. Bottom line, working to secure networks containing private patient data and then not securing the devices that intersect with those same networks is simply not good practice. The accidents are waiting to happen.

Forbes has the full story
