Ten years ago, cybersecurity was not a broadly recognized threat to hospitals; however, that is not the case today. Hospitals tend to focus cybersecurity activities on traditional information technology systems (e.g., workstations, laptops, servers), which are built to be managed using standard security tools. While that is important, it is equally important that hospitals protect network-connected medical devices, which are critical to the delivery of patient care, tend to lack standard security tools, and can remain in use well beyond the operating system’s end-of-support date.
Three reasons hospitals need to implement a medical device security program are to protect patient safety, comply with HIPAA requirements, and meet Medicare Conditions of Participation (CoPs).
Patient safety can be directly threatened by ransomware, a specific type of malware that can encrypt information on systems and prevent the delivery of patient care. Below are two negative patient outcomes that occurred during ransomware attacks at two different hospitals:
· Berlin, Germany: An ambulance needing to transport a patient with a life-threatening condition was diverted to a hospital 20 miles away, and the patient died.
· Mobile, Alabama: Fetal monitoring was unavailable, and clinical staff did not identify that the umbilical cord was wrapped around the baby’s neck, resulting in brain damage and the baby’s death.
A HIPAA breach can be caused by a medical device system, including a laptop or workstation, that contains electronic protected health information (ePHI). A Boston-area medical facility received an $850,000 fine for 600 exposed records when a laptop that was part of a portable scanner was stolen. In the settlement, the Office for Civil Rights Director highlighted the need to apply appropriate security protections to medical device systems containing ePHI.
Within the Medicare CoPs, there is an emergency preparedness requirement that directs hospitals to implement an all-hazards approach, which, according to the Centers for Medicare & Medicaid Services (CMS), includes a cyber-attack. CMS has no specific cybersecurity requirements for network-connected medical devices, which leads to Medicare accreditation organizations lacking a robust review of those devices. In a June 2021 Issue Brief, the Office of Inspector General noted the situation and recommended that CMS “identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospitals.”
All hospitals can enhance patient safety by identifying and managing medical device security risk through sound processes that follow nine principles:
1. Focus on security basics.
2. Support the program with policies, procedures, and processes.
3. Leverage industry best practices.
4. Consider all product components, not just the medical device.
5. Incorporate security across the device lifecycle.
6. Engage all stakeholders, including clinical staff.
7. Seek manufacturers who build security into products.
8. Measure and monitor medical device fleet security risk.
9. Build security into the hospital network where medical devices reside.
While there is no guaranteed means to prevent cybersecurity attacks from affecting a hospital’s medical devices, the impact can be reduced by a good medical device security program focused on proactive actions. At the organizational level, hospitals need to establish governance and risk management practices for their medical device fleet. At the asset level, security should be incorporated into each stage of the medical device lifecycle (i.e., acquisition, implementation, operations and maintenance, decommissioning). For hospitals with limited resources, implementing these actions does not require expensive tools; they can be achieved through good policy, procedure, and process.
MedSec recommends that all hospitals establish a medical device security program to enhance patient safety, prevent HIPAA breaches, and meet the spirit of the CMS emergency preparedness requirement. To support resource-limited hospitals, MedSec is developing a modular medical device security program to reduce barriers and achieve incremental risk reduction.
· “German hospital hacked, patient taken to another city dies”, APNews.com, September 17, 2020, https://apnews.com/article/technology-hacking-europe-cf8f8eee1adcec69bcc864f2c4308c94
· Jill McKeon, “Lawsuit Links Baby Death to AL Healthcare Ransomware Attack”, Health IT Security, October 1, 2021, https://healthitsecurity.com/news/lawsuit-links-baby-death-to-al-healthcare-ransomware-attack
· Paul Roberts, “Latest HIPAA Settlement Underscores Medical Device Risk”, DATAINSIDER (Digital Guardian’s blog), August 6, 2021, https://www.digitalguardian.com/blog/latest-hipaa-settlement-underscores-medical-device-risk
· “Medicare Lacks Consistent Oversight of Cybersecurity for Networked Medical Devices in Hospitals”, U.S. Department of Health and Human Services Office of Inspector General Issue Brief, June 2021, https://oig.hhs.gov/oei/reports/OEI-01-20-00220.pdf