By Mike Ahmad, ACHE, VP of Business Growth & Imaging Technology at ABM Healthcare
As increased reliance on Operational Technology (OT) and Internet of Things (IoT) solutions provides welcome ease of use and added connectivity in the healthcare space, it also introduces potential cybersecurity threats that put hospital and patient data at risk. The cybersecurity attacks of last summer point to this risk. To head off attacks, enterprises should provide for continuous threat detection via advanced cybersecurity tools to mitigate risk and protect sensitive information.
These digital solutions are touted to offer healthcare providers real-time visibility and inventory, risk analysis and mitigation, dynamic segmentation, enhanced security, and operational intelligence through next-generation Healthcare Internet of Things (HIoT) applied to medical devices. Ensuring cybersecurity protection for medical devices allows clinical engineering, network, and information security teams to enable uninterrupted care during clinical operations, public health emergencies, and medical surges with the added confidence that the patient information is secure.
A medical device is defined in multiple ways. It can be a device that is intended to diagnose, cure, mitigate, treat or prevent a disease, or software in an electronic device that is intended to do the same. A medical device can also be a component of, or accessory to, any medical device. These medical devices, like any other computer system, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of not only the device but also the entire hospital network. This vulnerability is increasing as these medical devices are constantly connected to the Internet, to hospital networks, and to other medical devices.
A medical device is very different from a standard personal computer. It is a fixed-function device with customized software: installing new software on a medical device typically requires a special upgrade process, or is not supported at all.
As more and more medical devices utilizing network connection technology are developed, cybersecurity will continue to grow in terms of importance and focus among regulators and manufacturers.
Many of these connected medical devices are designed to store or transmit patient data for which there is an expectation of both data privacy and accuracy. Any sort of cyber threat could have consequences for the integrity of the data and the privacy of the patient.
Addressing cybersecurity threats, and thus reducing information security risks, is extremely challenging for equipment owners because cybersecurity threats cannot be eliminated. Manufacturers, hospitals, and service providers must work together to manage them.
Medical devices are optimized to reduce processing cycles and memory usage, and so they often lack the resources to run additional software beyond their core functions. Security solutions designed for PCs are, in most cases, not applicable to, or not compatible with, medical devices.
Patient safety issues — injury or death — related to networked medical device security vulnerabilities are a critical concern; compromised medical devices also could be used to attack other portions of an organization’s network.
The need for effective cybersecurity to ensure medical device functionality and safety has become more and more important with the increasing use of wireless, Internet, and network-connected devices. Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities. Such incidents may lead to patient harm through delays and/or errors in diagnoses and/or treatment interventions.
Risks associated with cybersecurity threats and vulnerabilities should be considered throughout all phases in the life of a medical device, from initial conception to equipment end of life. To effectively manage the dynamic nature of cybersecurity risk, risk management should be applied throughout the total product life cycle where cybersecurity risk is evaluated and mitigated in the various phases of the life cycle including but not limited to design, manufacturing, testing, and post-market monitoring activities.
Due to the rise of cybersecurity threats and the financial impact of data breaches, medical device manufacturers are incorporating strategies to ensure that their medical devices, and therefore organizations, remain securely protected. Medical device manufacturers should integrate effective cybersecurity plans during their early stages of development and maintain security throughout the device lifecycle.
Security is important not only for medical devices themselves but also for the information systems and endpoints they connect to. For example, MRI machines typically connect to several workstations that enable operators to work with MRI images for post-processing. The MRI, its workstations, and other integrated systems like a picture archiving and communication system (PACS) may be vulnerable to attack.
While there is a need to balance protecting patient safety and patient privacy with promoting the development of innovative technologies and improved device performance, ABM Healthcare Technology Management has created a strict process enabling the proper steps to be followed to ensure the safety of both patients and patient information.
There are cybersecurity solutions, such as ABM’s, powered by Cylera’s medical device cybersecurity solution, which is purpose-built to provide healthcare providers with real-time visibility and inventory, risk analysis and mitigation, dynamic segmentation, threat detection with clinical awareness, and operational intelligence.
Also, technology developed by healthcare security professionals provides comprehensive coverage for complex healthcare IoT environments, including medical devices, IoT, operational technology, and IT infrastructure. This joint platform allows clinical engineering, network and information security teams to enable uninterrupted care during clinical operations, public health emergencies, and medical surges.
Mike Ahmad, ACHE, is Vice President of Business Growth & Imaging Technology at ABM Healthcare. He has more than three decades of experience in healthcare technology management and is a known industry leader and speaker. Ahmad joined ABM in April 2014. Prior to this, he was a co-founder and director of operations at BioCare Clinical Engineering & Management Services. He graduated with a Bachelor of Applied Science in bioengineering and biomedical engineering from Kuwait University.