Medical device cybersecurity isn’t just a concern for massive hospital systems.
According to Becker’s Hospital Review, healthcare data breaches cost an alarming $6.2 billion annually—but the financial stakes for your own practice can be hard to perceive on that scale.
A low-level hacker weaseling their way into your reasonably-defended systems could easily end up costing over $100 in HIPAA fines per violated record. Even smaller practices stand to lose big, as breaches that affect over 500 patients within a given jurisdiction must be reported to the U.S. Department of Health and Human Services (HHS), the individuals affected, and even the media.
In terms of fines, you’ll be on the hook for anywhere from $25,000 up to $1.5 million, according to Healthcare Dive, depending on how neglectful HHS deems your conduct to be—and these figures don’t even factor the cost of notifying state authorities or the damage to your reputation.
But what does all that have to do with electronic medical device security? Well, devices are prime launching points for attacks, and the new generation of entrepreneurial hackers is catching on. Why should they fight with heavily protected servers and laptops when connected medical devices are sitting right there, out in the open?
Devices such as glucose monitors or handheld ultrasounds are often connected directly to the same networks that house and process your most sensitive PHI, with many of them automatically collecting data and boosting the value of targeted files. This growing level of risk means that it’s time for healthcare to catch up, and for practice leaders to take action by patching unnecessary security gaps and vulnerabilities.
The current state of medical device protections
It’s no revelation that healthcare is years behind other industries in terms of cybersecurity protections, with some experts putting the gap at as much as ten to fifteen years, according to The Telegraph. Still, that doesn’t mean that nothing is being done.
In response to a growing number of incidents in which devices were shut down, causing major disruptions and treatment delays at hospitals, the Medical Device Cybersecurity Act of 2017 was created. The act aims to protect the confidential medical information of patients who depend on medical devices and zeroes in on making the devices themselves more resistant to hacking. It provides clear standards for medical device manufacturers to uphold in order to better counter threats that, as HIPAA Journal predicts, are only going to become more common.
At the end of 2018, the FDA also announced a proposal to update cybersecurity recommendations for device manufacturers in light of this growing threat. The draft guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, provides recommendations on device design, labeling, and documentation to be included in premarket submissions for devices that carry cybersecurity risks.
Strengthening your medical device cybersecurity posture
Even with the FDA taking action on the front end, individual practices and healthcare IT professionals need to be ready with a device security strategy that keeps up with growing threats.
Every practice has vulnerabilities around medical device cybersecurity, and they’re all unique. As the HHS notes, make sure you’re implementing recommended vulnerability management practices, including:
Scheduling and conducting vulnerability scans on servers and systems
Remediating flaws based on the severity of each identified vulnerability
Conducting web app scanning of internet-facing web servers
Conducting routine patching of security flaws in servers, third-party software, and applications (including web applications)
Be sure to include a focus on endpoints including laptops, tablets, and printers, which also offer opportunities for creative hackers. Most importantly, make sure you’re working with healthcare IT partners that can help you best secure your devices and networks.
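The HHS practices listed above come down to a repeatable cycle: scan on a schedule, rank what the scan finds by severity, and patch within a deadline that matches that severity. The script below is an added example (not from this article, HHS, or any scanner vendor) showing what the "remediate by severity" step looks like as a small triage tool. The scan findings are constructed sample data, the remediation SLA days and the rule that internet-facing assets are escalated one severity band are assumed local policy, and the CVSS bands are the standard qualitative ranges.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample findings, shaped like what a scanner export might contain.
# Asset names and titles are illustrative, not real systems.
SAMPLE_FINDINGS = [
    {"id": "F-001", "asset": "ehr-db-01", "kind": "server", "cvss": 9.8,
     "internet_facing": False, "found": "2024-03-01",
     "title": "Unpatched database service"},
    {"id": "F-002", "asset": "patient-portal", "kind": "web_app", "cvss": 7.5,
     "internet_facing": True, "found": "2024-03-10",
     "title": "Outdated web framework"},
    {"id": "F-003", "asset": "glucose-monitor-gw", "kind": "medical_device", "cvss": 5.3,
     "internet_facing": False, "found": "2024-01-15",
     "title": "Default credentials on management interface"},
    {"id": "F-004", "asset": "front-desk-printer", "kind": "endpoint", "cvss": 3.1,
     "internet_facing": False, "found": "2024-03-12",
     "title": "Firmware behind vendor release"},
]

# Assumed remediation SLA (days from discovery) per severity band.
# A real practice sets these in its own vulnerability management policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
BAND_ORDER = ["low", "medium", "high", "critical"]


def severity_band(cvss: float) -> str:
    """Map a CVSS v3 base score onto the standard qualitative bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def effective_band(finding: dict) -> str:
    """Assumed policy: internet-facing assets are escalated one band."""
    band = severity_band(finding["cvss"])
    if finding.get("internet_facing") and band != "critical":
        band = BAND_ORDER[BAND_ORDER.index(band) + 1]
    return band


@dataclass
class TriagedFinding:
    id: str
    asset: str
    band: str
    deadline: date
    days_left: int

    @property
    def overdue(self) -> bool:
        return self.days_left < 0


def triage(findings: list, today_iso: str) -> list:
    """Assign each finding a deadline and order the work queue:
    overdue items first, then by soonest deadline."""
    today = date.fromisoformat(today_iso)
    queue = []
    for f in findings:
        band = effective_band(f)
        found = date.fromisoformat(f["found"])
        deadline = found + timedelta(days=SLA_DAYS[band])
        queue.append(TriagedFinding(f["id"], f["asset"], band, deadline,
                                    (deadline - today).days))
    queue.sort(key=lambda t: (not t.overdue, t.days_left))
    return queue


def report(findings: list, today_iso: str) -> list:
    """Human-readable lines for the remediation queue."""
    lines = []
    for t in triage(findings, today_iso):
        status = "OVERDUE" if t.overdue else f"due in {t.days_left}d"
        lines.append(f"{t.id} {t.asset:<20} {t.band:<8} {t.deadline} {status}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_FINDINGS, "2024-03-15"):
        print(line)
```

Run as-is, the queue puts the critical database flaw at the top as overdue, followed by the patient portal: its score alone is "high", but because it is internet-facing the escalation rule gives it a seven-day clock. The device with default credentials and the printer firmware fall further down, which is the point of severity-based remediation: limited patching time goes to the findings that an attacker would reach first.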
Assemble your resources
Getting your strategy up to date doesn’t have to be daunting. Even in considering the relatively emergent field of medical device security, healthcare IT professionals have quite a few resources at their disposal, including the HHS Health Industry Cybersecurity Practices, which establishes best practices for the industry and can be a useful foundation for your own efforts.
The “Where do I fit?” section of this resource is especially useful as a starting point. It includes advice on selecting the best size tier for your organization based on factors such as HIE relationships, cybersecurity investment, and complexity. The process might seem straightforward, but multiple factors can influence where you fall.
Talk to manufacturers and vendors
Even with growing awareness and protections, no medical device manufacturer—which tends to have one, highly focused core competency—is going to completely understand the role its product plays in creating or exacerbating security gaps at your organization.
Still, manufacturers and vendors should be open about device security and be able to address any questions you may have, such as those around FDA guidance, how their products will work in your environment, and their role if there’s a cybersecurity emergency.
Ultimately, you’re working toward building a healthy and resilient security posture that keeps your practice humming along with minimal risk. Closing security gaps today will pay off exponentially in the long term.