HIT Think

Why it’s time to hire a medical device security officer

Healthcare, compared with many other industries, is slow to adopt organizational change around new tools and technologies. This rings particularly true for everything from the creation of new professional roles to revised, adaptive organizational frameworks.

Medical device security enforcement is a great example of this. Until recently, healthcare leaders prioritized digitizing their collateral, including patient data and health records, without a leading focus on security and data privacy. This classic case of running before walking is affirmed by the Ponemon Institute’s benchmark study on healthcare data security, which revealed 89 percent of healthcare organizations had patient data lost or stolen in the past two years.

Recently though, healthcare has started taking a page out of financial services’ book—another industry where data protection and regulatory scrutiny are paramount—by appointing chief information security officers (CISOs) who can measure a healthcare organization’s security posture and inform all relevant stakeholders.

While it’s good news that healthcare is warming up to information protection and responding to a lack of formal industry oversight regarding cybersecurity, securing the devices on which data is created and collected is a different ball game entirely.

Despite the volume at which medical devices are entering ORs, ERs and ICUs in the United States, they haven’t received the attention or regulatory scrutiny they deserve (although it is worth noting the FDA created a playbook to help healthcare organizations respond to cyber incidents). In fact, a separate Ponemon Institute study on medical device security reports that 80 percent of device makers and healthcare delivery organizations rate the level of difficulty in securing medical devices as “very high.”

Despite this, only 15 percent are taking significant steps to prevent attacks on medical devices, while only 22 percent of healthcare delivery organizations have an incident response plan in place for attacks on vulnerable medical devices. Such daunting statistics underscore the need for more internal cybersecurity expertise to employ device protection and incident response planning.

Healthcare devices’ prominence as an attack vector is coming to light on an international stage amid a string of recent high-profile cyber-attacks on the industry. WannaCry and NotPetya are just two notable ransomware outbreaks that cost the UK’s National Healthcare System 92 million pounds and shut down 48 NHS Trusts.

To counter the aimless passing of accountability for device security and response planning between IT administrators, project managers, clinical experts and other professionals, we’re seeing a new in-house role emerge within healthcare organizations—the medical device security officer.

The MDSO provides a centralized point of control for the myriad devices throughout a health system. Professionals in the role must be able to align medical devices with organization policies, as well as any technical standards at the industry level. Good communication skills and an understanding of the regulatory landscape are also desirable qualities. While this role is still nascent in the space, it’s never too early to discuss what skills, qualifications and duties create an effective MDSO.

To comprehend and manage the enormous inventory of medical devices in circulation, such as pacemakers and IV pumps, is an incredibly tall order. A 2018 report from KLAS Research and the College of Healthcare Information Management Executives reported that organizations own 10,000 medical devices, on average. Candidly, it’s hard to account for and secure 10,000 items of anything, let alone specialized technologies. Between initial procurement of medical devices, storage and onboarding them to a health system’s network—often in an unsecured state—there are several opportunities for bad actors to intervene.

Step one for the MDSO role is supporting medical device accountability and keeping tabs on inventory. To make procurement more cost-effective, healthcare organizations often buy medical devices in bulk. While economical, this approach means devices are often several years old before they’re even pulled into healthcare operations, by which time they’re already carrying outdated software. Without checks and balances on the security of devices, it’s unlikely they’ve been patched before they enter the network. Any effort to make retroactive updates to devices already in circulation is also complicated by the need to provide undisrupted around-the-clock patient care.

Forward-thinking institutions are already planning for the eventual arrival of MDSOs, engaging in proactive discussion with device manufacturers about how to mitigate potential pain points through collaboration.

This proactive planning has been somewhat characterized by the Medical Device Innovation, Safety and Security Consortium (MDISS), a public-private non-profit partnership led by Dale Nordenberg, MD, that focuses on patient safety and cybersecurity within healthcare in lieu of active regulation or FDA action.

Based out of New York, the group’s new World Health Information Security Testing Lab (WHISTL) is a federated network of medical device security testing labs that are independently owned and operated by MDISS-member organizations. The network represents a collective industry effort to promote transparency between medical device manufacturers, provider organizations and community organizations such as the Health Information Sharing and Analysis Center (H-ISAC). The initiative couldn’t come sooner as cybersecurity vulnerabilities detected within implantable cardiac devices, clinic programmers and home monitors are raising more questions about patient safety.

The data MDISS is collecting on device cybersecurity is quickly becoming an industry go-to for threat intelligence and a critical resource for device officers, medical information officers and others, including head research physicians, CIOs, CISOs, IT directors, legal counsel and compliance professionals (who review agreements with device vendors for liability, financial protection and both sides’ obligations if a device isn’t secured). As the onus falls on the private sector to mitigate medical device risk, issuing testing guidelines and developing a timely process for flagging any flaws detected by the manufacturer are also important.

For those who consider the MDSO too expensive to replicate inside their own walls, a more affordable profession is the medical device security analyst. While analysts typically lack the requisite patching skills of an officer, they are still able to onboard, monitor, maintain, offload and destroy devices.

At the same time, a plethora of emerging companies are investing in automation to help healthcare organizations and managed service providers like Agio secure medical devices, track inventories and routinely patch them. In the last five years, industry players like CyberMDX and Medigate have deployed new tools that provide network administrators with a ‘dashboard view’ of all active medical devices inside their organization.

Time will tell just how prominent technology’s role will be in the battle to keep cyber risks at bay. Regardless, having an MDSO on hand who understands the biomedical industry, the controls different devices have (RFID, Bluetooth and other technologies), FDA reporting requirements and manufacturer disclosure policies is vital to supporting the process. Advanced technology is only as good as the specialists directing it for maximum efficiency.

While MDSO roles are not yet mandated, the industry has set itself a precedent after the Department of Health and Human Services’ Office for Civil Rights instructed healthcare organizations to appoint dedicated chief security officers.

Acquiring a medical device and onboarding it to a healthcare network is only one part of the equation for any MDSO. As technology becomes ever more prevalent in direct healthcare, cross-industry communication, patch management, vendor negotiation, vendor risk assessment, stakeholder reporting, and understanding their organization’s supply chain process are equally critical to a responsible patient-centric security program.
