Your medical organization likely implements hundreds to thousands of Class III medical devices every year. From heart monitors to hip implants, these devices are remarkable innovations that extend and improve quality of life. They come equipped with features like wireless connectivity and remote monitoring, which allow noninvasive adjustments and reduce the cost, risk, and frequency of visits for the patient.
As a healthcare organization implementing these devices, it is equally important for you to understand the risks that come with them.
Many manufacturers lack the technical skills required to implement security controls. Security must be a collaborative effort between manufacturers and hospital systems. New devices arriving in hospitals were designed at least 5-6 years ago. By comparison, if you connect a computer of that age to the internet without security software or updates, you can expect it to be compromised within 10 minutes. What's more, some wearable devices may remain implanted for 15 years on average, creating a long-lived security risk for the patient.
Medical devices currently lack the capacity to detect threats. It is difficult to integrate security controls into medical devices because of their critical function. In many cases a medical device will continue to be used even after a security flaw is found, because healthcare providers have no alternative: the device is required to manage the patient's health.
The FDA does provide guidance regarding medical devices, but it is not enforcing regulations. The FDA wants manufacturers to focus on the safety and functionality of these devices rather than carrying a compliance burden. A high-profile case involving a pacemaker made by St. Jude Medical was actually the first FDA recall of a medical device over a cybersecurity issue, in 2017. This was the agency's first major move since issuing an alert on the cyber risks of infusion pumps in 2015, which led to its medical device guidance in 2016.
Security risk is a patient safety issue. Medical devices implanted in your patients carry their data and perform critical functions that keep them alive. Loss or alteration of patient data can also harm a patient's health, since they may be denied coverage or treatment as a result. As a healthcare organization, it is your responsibility to monitor your healthcare devices and their security as well.
The responsibility for maintaining medical device security is shared among manufacturers, hospitals, and IT professionals. The first step hospitals can take to ensure patient safety with medical devices is to work with manufacturers who adhere to FDA cybersecurity guidelines. Always ask your manufacturer about cybersecurity. Hospitals should adopt a testing schedule for medical devices. Knowing which devices are in use, and what security risks each may carry, lowers the chance of problems occurring once they have been implanted.
Many hospitals have their CIOs overseeing medical device management rather than hospital IT. This means that clinical or biomedical engineering staff with little understanding of cybersecurity risks are connecting and monitoring medical devices on hospital networks. As demonstrated time and again, medical devices can be used as an entry point into the hospital network, reprogrammed in ways that endanger patients, or even used to hold patients to ransom.
IT professionals at hospitals need to think differently about medical devices in the IoT than they do about general hospital network security. Consider how the medical device and the EMR identify the patient; this protects the data as it is transmitted. Use security, authentication, and access controls to confirm the patient's identity and to ensure the data cannot be altered. Always use devices that record a date and timestamp, so the provider knows when the data was gathered. Data transmission protocols should be adopted per device: you may transmit data from the patient's device manually during a visit or automatically over the internet. Encryption should always be used to protect data in transit.
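As an added illustration of the authentication and timestamp points above (this is example code written for this page, not code from any device vendor or EMR), the snippet below signs a device reading with an HMAC over the patient identifier, device identifier, timestamp and values, then has the receiving side reject readings that were altered in transit or are too old to trust. The shared key and the reading are constructed sample values; encryption of the channel itself (for example TLS) is assumed to be handled by the transport.

```python
import hashlib
import hmac
import json

# Constructed demo key shared by the device and the EMR gateway; in practice
# this is provisioned per device from a key store, never hard-coded.
DEVICE_KEY = b"constructed-demo-key-do-not-use"

MAX_AGE_SECONDS = 300   # readings older than five minutes are not trusted
CLOCK_SKEW_SECONDS = 60  # tolerate small clock differences between device and EMR

# Constructed sample reading as the device would report it (Unix timestamp).
READING = {
    "patient_id": "PT-0001",
    "device_id": "PM-DEMO-42",
    "timestamp": 1700000000,
    "heart_rate_bpm": 72,
}


def canonical(record: dict) -> bytes:
    """Serialise deterministically so device and EMR sign identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(record: dict, key: bytes = DEVICE_KEY) -> dict:
    """Device side: attach an HMAC-SHA256 tag covering every field."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "tag": tag}


def verify_reading(signed: dict, now: int, key: bytes = DEVICE_KEY) -> str:
    """EMR side: return 'ok', 'tampered' or 'stale' for a received reading."""
    record = {k: v for k, v in signed.items() if k != "tag"}
    expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(expected, str(signed.get("tag", ""))):
        return "tampered"
    ts = record["timestamp"]
    if now - ts > MAX_AGE_SECONDS or ts > now + CLOCK_SKEW_SECONDS:
        return "stale"
    return "ok"
```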
By being proactive about your medical device management, you prepare for the security risks that will inevitably arise.