All too often when faced with a decision to invest in cybersecurity, organizations choose to pass on that investment. It’s easy to see why. It can be hard to justify an ROI for cybersecurity, so when assessing options for their limited funds it’s often more attractive to boards and management to invest in things that guarantee a return on investment, such as surgery suites or even new EMR systems.
In doing that they may be overlooking the impact cybersecurity incidents can have on patient safety. Senator Mark Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, recently published a report, Cybersecurity is Patient Safety, to bring attention to the risks of security incidents to patient safety. Senator Warner’s report pointed out the increased vulnerability of the healthcare sector to cyberattacks due to a reliance on legacy technology.
This follows an FBI notice in September 2022 which warned the healthcare industry about increasing vulnerabilities from medical devices that run on outdated software without sufficient security protections.
A study performed by the Ponemon Institute, Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care, surveyed 641 IT and IT security practitioners in healthcare organizations. 67% of respondents reported that a ransomware or phishing attack disrupted patient care. Even more disturbing was the admission that mortality rates increased for at least 24% of the respondents due to a ransomware attack. Even if mortality was not impacted, 64% of respondents indicated that the ransomware attack caused delays in procedures and tests that resulted in poor outcomes. As with Senator Warner’s report, one of the areas of greatest concern in this study was insecure medical devices. A subsequent study by the Ponemon Institute, The Impact of Ransomware on Healthcare During COVID-19 and Beyond, indicated that only 36% of respondents say their organizations are effective at maintaining control of their medical devices and only 35% are effective at monitoring for end-of-life or out-of-date operating systems in medical devices.
Perhaps most alarmingly, healthcare organizations tend to address this risk by ignoring it. The HIMSS 2020 Cybersecurity Survey noted that only 29% of respondents included medical devices in their annual risk assessment.
How to Reduce the Risk
HIPAA requires organizations to do risk assessments. This requirement was reinforced by the HIPAA Safe Harbor Rule, which directed the Department of Health and Human Services (HHS) to reduce their enforcement efforts if organizations had implemented recognized security practices that include a comprehensive risk assessment. A comprehensive risk assessment should include all areas of risk. It’s unlikely that HHS will be impressed with a risk assessment that excluded medical devices if those devices were involved in a breach. Make sure your risk assessment evaluates your organization’s risk from medical devices and mitigates that risk.
At a minimum the following controls should be implemented for your devices to help mitigate your risks:
- Change that password: Make sure your medical devices don’t still have the default vendor password. Do not tape the password to the device for “easy use.” Also make sure that you don’t use the same password on all platforms and don’t make it easy to guess. (No, the name of your hospital and the device number is not a good password!)
- Protect your Wi-Fi network: Make sure the Wi-Fi networks your devices use to communicate have good encryption. Also change the default passwords on all your Wi-Fi access points.
- Implement a patching program: Make sure that devices are patched to the most current vendor recommendations. Tracking all devices and vendor recommendations is complex but well worth the effort. Periodically evaluate all devices to make sure they are properly configured with up-to-date software.
- Develop an end-of-life plan: If you have devices that are no longer supported, start working with your management to address this. If that’s not possible, consider putting them on a segmented network to reduce the risk of them compromising your entire organization.
- Evaluate your vendors: IT should work with clinical staff to make sure that security is considered in device implementation. Make sure that your vendors can provide evidence of good security measures, such as independent audits, formal certifications such as SOC2 or HITRUST, or other acceptable documentation.
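The controls above are the kind of checks a medical-device inventory review can run automatically. The script below is an added example written for this article, not code from the article or from any vendor: it walks a constructed inventory and flags default or hospital-derived passwords, passwords shared across devices, firmware below the vendor's recommendation, and unsupported devices that are not on a segmented network. The device models, firmware versions, end-of-support dates, VLAN names and the "Mercy General" hospital name are all placeholders.

```python
from collections import Counter, namedtuple
from datetime import date

# Constructed vendor baseline (placeholder models and dates, not real vendor data):
# model -> (minimum recommended firmware, end-of-support date).
VENDOR_BASELINE = {"pump-a": ("4.2.1", date(2027, 1, 1)),
                   "imager-b": ("2.0.0", date(2021, 6, 30))}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234")}  # illustrative defaults
SEGMENTED_VLANS = {"legacy-isolated"}  # VLANs walled off from the main clinical network
ASSESSMENT_DATE = date(2023, 1, 1)  # constructed date of the annual risk assessment

Device = namedtuple("Device", "name model firmware username password vlan")

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def assess_device(d, hospital, today):
    """Findings for one device against the controls listed in the article."""
    findings = []
    if (d.username, d.password) in DEFAULT_CREDENTIALS:
        findings.append("default vendor password")
    if hospital.replace(" ", "").lower() in d.password.lower():
        findings.append("password derived from hospital name")
    if d.model not in VENDOR_BASELINE:
        return findings + ["no vendor baseline on file"]
    min_fw, end_of_support = VENDOR_BASELINE[d.model]
    if version_tuple(d.firmware) < version_tuple(min_fw):
        findings.append("firmware below vendor recommendation")
    if end_of_support <= today:
        findings.append("end of support")
        if d.vlan not in SEGMENTED_VLANS:  # unsupported device on a shared network
            findings.append("unsupported device not segmented")
    return findings

def assess_inventory(devices, hospital, today):
    """Per-device findings, plus a finding for passwords reused across devices."""
    report = {d.name: assess_device(d, hospital, today) for d in devices}
    reused = {pw for pw, n in Counter(d.password for d in devices).items() if n > 1}
    for d in devices:
        if d.password in reused:
            report[d.name].append("password shared with other devices")
    return report

# Constructed sample inventory for a hypothetical "Mercy General" hospital.
INVENTORY = [
    Device("pump-01", "pump-a", "4.2.1", "svc", "Kx9#Pz!q", "clinical"),
    Device("pump-02", "pump-a", "4.1.0", "admin", "admin", "clinical"),
    Device("imager-01", "imager-b", "2.0.0", "svc", "MercyGeneral7", "clinical"),
    Device("monitor-01", "monitor-c", "1.0", "svc", "Kx9#Pz!q", "clinical"),
]
```

Calling `assess_inventory(INVENTORY, "Mercy General", ASSESSMENT_DATE)` returns a dict of device name to findings; an empty list means the device passed every check.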