New service helps identify medical device vulnerabilities
Patient safety organization ECRI Institute has launched a cyberattack gap analysis service for healthcare providers, focusing on threats to medical devices that interact with patients.
The organization is using internal experts to assess a hospital’s medical device inventory for cyber-exposures and to develop programs and policy to minimize the hospital’s vulnerability. This may include using reporting mechanisms like ECRI’s hazards and alerts system, as well as others like the National Healthcare-Information System and Analysis Center (NH-ISAC), says Robert Maliff, director of the applied solutions group at ECRI.
There are plenty of gaps to identify and assess, Maliff notes. Too often, organizations do not understand which devices are connected to networks. Also too often, the medical device and information technology departments are not talking to each other.
Further, hospitals and physician practices may train employees against falling victim to phishing attacks, but they still let doctors plug their smartphone into a medical device to charge the phone during a surgical procedure, with the phone delivering a virus to the hospital’s network. “You don’t want staff members plugging personally-owned devices into the hospital’s networks,” Maliff says.
The assessment covers eight areas:
Manage equipment: document, identify and prioritize.
Install the latest security patches: Schedule all updates.
Train security staff: Monitor phishing scams, USB usage and password rules.
Manage risks: Review network security needs and consider adopting standards.
Scan for vulnerabilities: Identify vulnerabilities in medical devices.
Disposal of medical devices: Destroy sensitive data prior to removal or resale.
Include security features in requests for proposal: Consult IT and biomedical engineers, and require a manufacturer disclosure statement.
Device integration lab test: Test and validate patches and updates prior to release.
Other issues to be covered include practices such as password management, user identity and internal controls; technologies such as biometrics and firewalls on patient networks; culture such as leadership awareness and having a chief information security officer; and infrastructure such as secure servers, a disabled USB ports policy and a network security team.
Cost of the medical device cyberattack gap analysis is dependent on the size of a hospital or practice, with discounts for ECRI members, according to Maliff. “This is not a six-figure project, and it is not a $1,000 project either.”
The analysis generally will take one or two days depending on the size of the organization. Leadership that should participate includes the CIO, CISO, sourcing and purchasing personnel; and informatics, risk management and clinical engineering professionals. This is the group that will take the recommendations to the board.
If nothing else, the cyberattack gap analysis can help these leaders improve their relations with the board, Maliff believes. “The last thing any hospital leader wants to do is be in front of the press because there is ransomware in their facility. This is a proactive approach for medical device security.”