21 Jul 2020

Protect medical devices from a cybersecurity threat

By Christophe Dore

A March 2015 poll commissioned by the West Health Institute found that 69 percent of 526 nurse respondents believed documentation took time away from the delivery of direct patient care. One saying, “[transcribing data] takes too much time for the nurses to adequately care for the patient,” with 46 percent believing errors were likely to arise in such circumstances. Additionally, 83 percent of respondents agree 10 percent or more of the errors and adverse events might be prevented if the medical devices were connected.

As hospitals see the value in having point-of-care monitoring and therapy devices communicate through the ‘Internet of Things’ (IoT) and create data that passes to the patient record, new opportunities arise for medical technology vendors to link the legacy, standalone systems. However, many of these legacy systems were produced before cybersecurity required consideration, and without proper security in place, the widespread movement toward connectivity of electronic devices such as MRI machines, anesthesia machines, ventilators, and infusion pumps can open the door to more nefarious and indiscriminate cybersecurity attacks.

A recent survey from CynergisTek of approximately 60 C-level healthcare executives brings the issue of  security threats caused by unsecured medical devices into sharper focus. Though about one-third of executives consider medical device security a ‘top five issue’ facing healthcare, most reported they lack an effective strategy to assess the risks posed by medical devices.

The CynergisTek survey also showed, with 54 percent of respondents, that the biggest barrier to meeting privacy and security challenges was a lack of adequate resources such as tools, money or people. Preparation indeed requires time, money and expertise that are often in short supply for cash-strapped hospitals coping with thin margins, mounting regulations and the management of more financial risk under value-based care agreements.

The lack of resources to remediate breaches allows these breaches to last and attacks to spread, increasing direct and collateral damage. This creates a vicious circle: the smaller the resources to face a breach, the bigger the harmful effects, the more work required to remediate the consequences, the more expensive and painful it is to recover.

The danger of healthcare security breaches is ever-present and costly. In 2018, there were 365 reported healthcare data breaches involving 500 or more records, an increase of 83 percent from 2010, according to HIPAA Journal. Healthcare is the industry most impacted by data breaches, with an average cost per breach of $6.45 million, according to a 2019 report from IBM. The average cost of a healthcare data breach, as reported by IBM, exceeds the average cost of a breach across all industries by 65 percent.

It’s clear that data security, in general, and medical device security, in particular, is an organizational concern, not just a hospital information technology matter.

Why hospitals struggle to respond to security threats

Hospitals began to connect nearly all information systems to a network fairly recently. While this facilitates information-sharing, it also creates exploitation opportunities with devices and systems that were not necessarily designed with network connectivity in mind. Though these systems and devices may come with obsolete approaches to security, they store, process and communicate valuable information that plays an essential role in patient care. They would be extremely expensive to replace, creating a situation that essentially forces hospitals to reactively mitigate cyber risks from these devices as best they can with limited budgets, staff and experience.

Further, hackers continue to grow in number, sophistication, and organization. This challenges healthcare providers to keep pace with the latest security measures and countermeasures. As a result, the “good guys” are always playing catch-up, and are effectively several moves behind the “bad guys.” And in a healthcare setting, a breach can compromise patient data or software, as well as the performance of life-critical devices, such as infusion pumps and ventilators.

The path toward better patient care will rely on medical device data being processed into insights for early detection, as well as improved strategy to avoid health issue escalation. Ensuring availability and integrity to this data will largely be dependent upon a cybersecurity strategy that enables better protection and monitoring of these data assets. When integrating more medical devices to more clinical systems, hospitals must proactively search for integration solutions and deployment architecture which are designed with security as an essential component.

Hospitals can prepare for and help prevent cyberattacks by deploying intelligent medical devices

Among all industries, healthcare is one of the few with the most at stake and the most complex environment; but it is also one of the most innovative. It is very encouraging to see the healthcare industry embrace the concern, face the issue and demand integration solutions and deployment architecture designed with security in mind.

Whether hospitals have legacy or the latest devices – many have a combination – the way the technologies are integrated determines, in a large part, the security of patient and hospital data. The integration solution of the Capsule Medical Device Information Platform (MDIP) enables hospitals to safely and securely connect point-of-care devices to existing IT infrastructure and clinical information systems. Find out about MDIP’s ability to liberate, aggregate, analyze, and share live streaming medical device data to reveal meaningful insights that advance the progress of patient care.

Download “Medical Device Data: Empowering Clinicians and Improving Outcomes”

Christophe Dore is the Security Manager at Capsule Technologies, overseeing all aspects of Capsule’s cybersecurity strategy. He has been answering to the needs of organizations in several industries in understanding and positioning themselves versus the CyberSecurity challenges since 1995, when he supported the development and deployment of the first web applications in the then nascent Internet as an expert for NeXT Software; a company lead by Steve Jobs.