Experts Discuss Cybersecurity and Impacts on Patient Safety

Jan. 28, 2022
In a recent ECRI webinar on its annual “Top 10 Health Technology Hazards,” experts discuss how cybersecurity incidents pose threats to patient safety and how to prepare for the inevitable

On Jan. 26, ECRI hosted a webinar entitled, “Top 10 Technology Hazards 2022 Lab Webcast: Cybersecurity Incidents – A Threat to Patient Safety and Healthcare Delivery.” Jason Launders, director of operations, device evaluation for ECRI, kicked off the webinar. “Earlier this month we published our annual Top 10 List of Health Technology Hazards, and this followed a careful selection process that involves both ECRI experts and input from our members,” he said. “Security, more specifically, the potential impact on patient safety and healthcare delivery presented by cyber threats, was the clear favorite for the top position in our top 10 this year. And today, we're going to go into more depth on the issue.”

Launders then introduced Andrew Furman, M.D., executive director, clinical excellence, technology assessment, for ECRI. Furman commented that the experts and members of ECRI all agree that cybersecurity concerns are the number one health technology hazard for 2022. “I'll be honest, during my 20 years as an emergency physician, it wasn't something I thought about,” he said. “I download software to protect my own computer, but never really considered the equipment and technology I use every day at work and how it really could be impacted. As a health system executive, I had better awareness, but still did not understand the role I, as a physician leader, specifically needed to play to engage doctors with both reactive problem solving, and more importantly, proactive contingency planning.”

Furman then introduced Chad Waters, senior project officer, device evaluation, for ECRI, and posed the question, “Why was cybersecurity at the top of the ECRI health technology hazards list this year?”

Waters responded that cybersecurity made the top of the list because of its continued impact on healthcare facilities across the country, whether through ransomware or through security vulnerabilities in medical devices as a whole.

“One of the key things that we wanted to outline this year was to try to look at cybersecurity as more than just PHI [protected health information] breaches but rather from the context of it being truly a patient safety issue that can cause disruption in healthcare delivery organizations, and as a result, lead to delay in care and even, in worst case scenarios, patient harm,” Waters continued. “This was one of those years where not only did [our] rigorous process of selecting the Top 10 Health Technology Hazards result in cybersecurity being at the top, but also this was one of the first years where our members voted and agreed that cybersecurity is a top concern for them right now.”

How can health facilities prepare for these cyber threats? Waters commented that security incidents are becoming more and more common. “It's not a matter of if, it is a matter of when,” he added. “We need to be prepared for when these things happen.”

Waters explained that organizations need to broaden their view and understand that this is not just an IT problem or an IT security problem, but a problem that all users of those devices need to be aware of. He added that organizations need to develop response plans that account for clinical functionality: because care depends on certain devices, there must be alternative ways to provide that care when something happens to them.

Waters concluded by saying that “There are some technology-related solutions that may assist, but ultimately a lot of it still comes down to having those plans and processes in place to prepare. When the security incident occurs, your facility should be prepared to both tackle the issue and remediate it as quickly as possible, and thus minimize the disruption to the connected healthcare environment. And again, the end result is trying to minimize any sort of impact to patient care.”

Launders then turned the webinar over to Christian Dameff, M.D., medical director of cybersecurity and assistant professor of emergency medicine, biomedical informatics, and computer science (affiliate) at UC San Diego Health. Launders asked Dameff how to increase awareness of the issue of cybersecurity among frontline staff.

Dameff responded by saying that “That's a fantastic question. I appreciate the previous calls to bring in some additional stakeholders into the conversation—a conversation that has traditionally not included that type of frontline worker.”

Dameff continued by explaining that, because of the pandemic, the frontline workers who interact with medical devices are stressed and burned out, so engaging them on a topic like cybersecurity is difficult in normal times, let alone during a pandemic. He offered two insights.

The first is to leverage existing requirements to educate frontline workers. For example, there are often annual trainings that cover a variety of topics, and that framework can be used to educate staff on compliance topics as well as on the newer topic of medical device cybersecurity.

The second insight is that frontline workers may be more receptive if you speak a language they understand. He said to focus on patient safety rather than PHI security, because patient safety is what clinicians and frontline healthcare workers care about. They want the medications and treatments they deliver through these medical devices to be effective, so the conversation should be about the safety concerns of medical device cybersecurity and how a compromised or ransomed device would directly result in patient harm. “That's the hook that brings them to the conversation, something they understand and get more invested in,” Dameff added.

Dameff then explained that frontline workers, who work with medical devices every day, may not realize that a device that isn't working properly may have a cybersecurity issue. Malfunctions should be reported: sharing that data makes it easy for staff to report and lets others see the aggregate picture. There are not many peer-reviewed articles on these types of issues because institutions are siloed and are not incentivized to share information about potentially compromised medical devices.

So how can organizations ensure there’s a minimal impact to patient care due to a disruption in clinical technology? Dameff responded by saying that “That's perhaps the most important question you could ask me today. We spend a lot of time talking about how to prevent these types of disasters of impacted clinical care. I'm of the increasingly sincere opinion that we should just prepare for failure and that engaging the clinical staff in disaster preparedness and swift recovery processes is probably just as important if not more important.”

Launders then introduced Kevin Fu, Ph.D., acting director of medical device cybersecurity at U.S. FDA’s Center for Devices and Radiological Health (CDRH) and program director for cybersecurity, Digital Health Center of Excellence (DHCoE).

Launders asked Fu, “What are some of the key industry efforts that health delivery organizations should be aware of that may help them in securing their environments?”

Fu responded that there are several initiatives under way. First, he mentioned the Software Bill of Materials (SBOM). He said that an SBOM is essentially an ingredient list of the third-party software inside a medical device, and that there is a lot of work under way on how to provide SBOMs for different use cases. Regarding healthcare delivery and clinical workflow, one key use case of an SBOM is to help a healthcare delivery organization better understand and manage its risk from what is inside a medical device. The other use case has to do with procurement, so that health delivery organizations can verify that what they are getting is what they expected.

Second, Fu brought up threat modeling. In his opinion, threat modeling is roughly equivalent to hazard analysis, at a 30,000-foot level. Just last year, the FDA announced the threat modeling playbook for medical devices. The document is a reference guide aimed at medical device manufacturers on how to do threat modeling. At a high level, this means characterizing the adversary, what you are trying to defend against, and what security properties you are trying to ensure will be in place.

The third area Fu brought up is career development and helping the biomedical engineering community better understand what it can pull from the cybersecurity discipline into its own work. Fu, in partnership with the UC San Francisco-Stanford Center of Excellence, co-leads a monthly distinguished speaker series on biomedical engineering. “We're bringing in some of the world's best cybersecurity thought leaders from academia, [who have] literally written the textbooks, and having them explain it in a manner to be helpful to biomedical engineers to understand what principles they can bring into their daily life as they're, for instance, designing a medical device, or I hope inspiring students to go into careers for medical device security, such that there will be fresh talent available for hiring by the industry, by academia, by the regulators, by hospitals.”

Regarding the immediate future, Fu said that one of the key challenges is legacy medical devices, which in his view are not only known to be insecure but are actually unsecurable. For example, software updates may no longer be possible for a particular medical device, so it cannot be protected by patching when a flaw is discovered inside it. Fu added that there are always going to be legacy devices, and the challenge is how to manage that legacy in a controlled manner. If someone says they are running Windows 7, that should not be a surprise: anyone should be able to find out what operating system a medical device ships with and should have a plan for it. Microsoft publishes the date on which it ends support for each operating system. “So, it's not a surprise to anyone who looks at the fine print on when these devices will become legacy and no longer effectively securable in a reasonable manner,” he concluded.
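The two SBOM use cases Fu describes (risk management for what is inside a device, and procurement verification) and his point about legacy operating systems with published end-of-support dates can be combined into one mechanical check. The following is an added example written for this page; it is not code from ECRI, the FDA, or any speaker. The SBOM, component names, versions, advisory identifiers and the second end-of-support entry are constructed placeholders and describe no real product or vulnerability; the only real fact used is Microsoft's published end of extended support for Windows 7, Jan. 14, 2020.

```python
"""Added example: SBOM-driven risk check for a hypothetical medical device.

Given a CycloneDX-style SBOM, flag (a) components below the first fixed
version of an advisory, (b) components whose vendor support has ended
(the 'legacy' problem), and (c) differences between the delivered SBOM
and what procurement was told to expect.

Everything here is constructed for illustration except the Windows 7
end-of-support date (2020-01-14), which Microsoft published.
"""
import json
from datetime import date

# Constructed CycloneDX-style SBOM for a hypothetical device controller.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "device", "name": "acme-pump-ctl", "version": "3.2.0"}},
  "components": [
    {"type": "operating-system", "name": "windows", "version": "7", "supplier": {"name": "Microsoft"}},
    {"type": "library", "name": "libacme-net", "version": "2.4.1"},
    {"type": "library", "name": "acme-tls", "version": "1.0.9"},
    {"type": "library", "name": "acme-json", "version": "5.1.0"}
  ]
}
"""

# Constructed advisory list: (component, first fixed version, placeholder advisory id).
ADVISORIES = [
    ("libacme-net", "2.5.0", "ADV-EXAMPLE-0001"),
    ("acme-json", "4.0.0", "ADV-EXAMPLE-0002"),
]

# Vendor end-of-support dates. Windows 7 extended support ended 2020-01-14
# (published by Microsoft); the acme-tls entry is a constructed placeholder.
END_OF_SUPPORT = {
    ("windows", "7"): date(2020, 1, 14),
    ("acme-tls", "1.0.9"): date(2030, 12, 31),
}

# What procurement was told the device would ship with (constructed).
EXPECTED_COMPONENTS = {
    ("windows", "7"),
    ("libacme-net", "2.4.1"),
    ("acme-tls", "1.0.9"),
    ("acme-json", "5.0.0"),
}


def parse_version(v):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def load_components(sbom_text):
    """Extract (name, version) pairs from the SBOM's components array."""
    bom = json.loads(sbom_text)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def find_vulnerable(components):
    """Components whose version is below an advisory's first fixed version."""
    hits = []
    for name, version in components:
        for adv_name, fixed, adv_id in ADVISORIES:
            if name == adv_name and parse_version(version) < parse_version(fixed):
                hits.append((name, version, adv_id))
    return hits


def find_unsupported(components, today):
    """Components whose vendor support ended before `today`: unpatchable legacy."""
    return [(n, v, END_OF_SUPPORT[(n, v)]) for n, v in components
            if (n, v) in END_OF_SUPPORT and END_OF_SUPPORT[(n, v)] < today]


def procurement_diff(components, expected):
    """Delivered-but-unexpected and expected-but-missing components."""
    delivered = set(components)
    return sorted(delivered - expected), sorted(expected - delivered)


def assess(sbom_text, today, expected=EXPECTED_COMPONENTS):
    """Run all three checks and return the findings as a dict."""
    comps = load_components(sbom_text)
    unexpected, missing = procurement_diff(comps, expected)
    return {
        "vulnerable": find_vulnerable(comps),
        "unsupported": find_unsupported(comps, today),
        "unexpected": unexpected,
        "missing": missing,
    }


if __name__ == "__main__":
    for finding, items in assess(SBOM_JSON, date(2022, 1, 26)).items():
        print(finding, items)
```

Run as of the webinar date, the check reports libacme-net 2.4.1 as below the fixed version, Windows 7 as past end of support, and a version drift on acme-json between the procurement list (5.0.0) and what was delivered (5.1.0). In practice the advisory and end-of-support tables would be fed from the manufacturer's and vendors' published data rather than hard-coded, and a version string that is not purely numeric would need a richer comparison than the tuple parse used here.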
