Are Medical Devices a Blind Spot for Healthcare Cybersecurity?

The importance of medical device cybersecurity cannot be overstated. Medical devices are increasingly connected to the internet and hospital networks, which makes them vulnerable to cyberattacks. A cyberattack on a medical device can have serious consequences, ranging from the theft of patient data to the compromising of patient care.

Often, the management of medical device cybersecurity is not a primary concern of a clinical engineering team in a healthcare organization due to the following factors:

• Clinical engineering teams are primarily focused on scheduled maintenance and bench repairs.
• Clinical engineering professionals may lack IT and cybersecurity skills.
• Only general attributes from medical devices are captured and documented in the Computerized Maintenance Management System (CMMS). Core network and cybersecurity attributes are not maintained in the CMMS.
• Clinical engineering policies, procedures, and processes are not aligned to manage cybersecurity risks.
• Lack of coordination and/or siloed structure between IT and clinical engineering.
• Original Equipment Manufacturers (OEMs) have unique methods of sharing the availability of a validated or approved mitigation for medical devices impacted by a vulnerability, plus there is no industry-wide standard or regulations for releasing validated patches in a reasonable time. This creates a unique challenge for healthcare organizations to track the timely availability of a patch or other mitigations.

The advancement in healthcare technology has not only increased the dependency of integrated medical devices on the network but also provided bad actors with other entry points for cyberattacks due to weak security controls or unpatched vulnerabilities on medical devices.

There are several ways to mitigate the risk of a cyberattack on medical devices:

• Conduct Risk Assessments
• Implement Strong Authentication
• Regularly Update and Patch Devices
• Segment Networks
• Encrypt Data
• Train Staff
• Regularly Test Systems
• Implement Incident Response Plans

Assessment of medical device cybersecurity requires a strong collaboration between IT and clinical engineering. By working together, both departments can develop a cybersecurity strategy and improve the lifecycle management of medical devices. This joint effort can empower healthcare organizations to protect against cyberattacks while contributing to its primary mission: safe and reliable patient care.

This piece was written by Joey Meneses, Chief Technology Officer at Akron Children’s Hospital.