Medical Devices at Risk – Introduction to the Cybersecurity Landscape in Health Care

 Published: May 18, 2021

By: Marc Schlessinger, MBA, RRT, RRT-NPS, RPFT, FACHE

 

spoty spotlight graphic

Ventilators, BiPAPs, and pulse oximeters are all equipment every Respiratory Therapist uses to provide patient care daily. However, are you aware that most of this equipment is connected to your hospital’s network? Gone are the days when most medical equipment was “stand-alone” or unable to transmit or receive data. Being connected to the hospital network offers advantages to both the caregiver and patient; however, along with these advantages comes cybersecurity risks.

Why Health care Organizations are a Target

Health care organizations have been and continue to be targeted by hackers and other threat actors for several reasons, including:

  1. Medical equipment and IT systems hold large volumes of non-disposable data, including protected health information (PHI) and Social Security numbers. Non-disposable data is valuable to identity thieves because it cannot easily be changed, unlike credit card numbers.
  2. Due to the critical nature of their services, hospitals may feel more pressure than other businesses to pay a ransom if hacked.
  3. Providers possess a large amount of legacy hardware that is likely to be poorly protected, making them an easier target for
    1. opportunist hackers, who are always looking for easy targets.
    2. Hackers who are not interested in the data but are instead looking to commandeer computing hardware to help achieve larger goals.

It is not uncommon to find hospitals using computer operating systems that use a legacy operating system that cannot be upgraded or have routine security patches applied. I have personally seen PFT and sleep lab equipment, not to mention laboratory and imaging equipment, running on Windows 98 as recently as 2020 even though Microsoft stopped all support for Windows 98 in 2006. When purchasing any equipment, select an operating system with several years of guaranteed support. This secured support ensures that software updates and security patches can be applied for many years to come.

Medical Equipment Vulnerabilities

Several security vulnerabilities have impacted medical equipment. It is not uncommon for medical equipment manufacturers to use a hard-coded password that cannot be changed. Suppose a password is revealed, for example, through a user manual. In that case, anyone gaining physical access to the device could make changes to critical equipment, including ventilators, physiologic monitoring equipment, and radiographic equipment. In some instances, hard-coded passwords may also grant easy access to the device configuration, including wireless network settings.

USB ports are common on most medical equipment found today in a hospital. Unless these USB ports are locked down either by software or a physical USB lock, it is possible to introduce a virus not only onto that particular piece of equipment but potentially the entire network. Patients, families, and caregivers see a USB port and believe they can charge their personal devices. However, plugging in a phone on specific devices has been known to shut the device totally down, possibly compromising patient care.

The primary concern remains device availability. A disruption to a device or system due to a security issue can impact patient care or clinical workflow. In the worst-case scenario, this disruption may lead to patient harm.

Advertisement

Cybersecurity is a Patient Safety Concern

The increase in network-connected medical devices poses a unique security challenge for health care facilities. While organizations attempt to employ best practices across connected medical devices to manage security risks and avoid disruptions, the clinical use requirements sometimes outweigh what IT/security best practices would otherwise dictate. Managing the security of medical devices is associated with several complex challenges:

  1. Medical devices are used to deliver life-supporting therapy. These devices cannot easily be removed from service to provide urgent security patches or updates. Additionally, these devices are often used 24/7, and disconnecting the device from the network as mitigation to a security concern often is not practical. Doing so could disrupt the clinical workflow that is critical to patient care.
  2. Medical devices are designed for a long useful life, with many devices having an expected lifespan of 10 or more years. Although beneficial from a financial perspective, the long life of medical devices often proves difficult from a cybersecurity perspective. While some clinical functionality may be relevant for many years, infusion pumps are an example of this. The security environment is constantly changing, with new vulnerabilities, threats, and exploits exposed every few months.
  3. With the ever-increasing digitization of health care, including EMR and more connected devices, there are more inherent cybersecurity risks. Many early medical devices designed to communicate with the hospital network did not have robust cybersecurity features built-in, as do today’s devices. Hospitals often balance the need for clinical functionality with cybersecurity concerns. Cybersecurity features and functionality has become a key differentiator between device models. An investment in a device with robust security features and wireless software update capability, for example, can pay dividends in the long run.
  4. Replacing medical equipment is expensive, and many times the only issue with the equipment is obsolete software and security features. This issue is prevalent with imaging equipment. A result is often a patchwork of compensating controls, including, but not limited to, isolation behind firewalls to extend these devices’ lives. This patchwork of custom fixes can, however, become complex and challenging to manage over time. The cost of replacing the equipment needs to be weighed against the increased risks and costs to protect it with compensating controls as it ages.

What Can You as a Respiratory Therapist Do To Help?

You might be saying, “I am a clinician, not an IT guru, so what part do I have in this?” There are many ways to contribute to minimizing cybersecurity risks at your hospital. Here are just a few ways to help:

  1. Partner with your IT and clinical engineering to help them understand your clinical needs and requirements. Outlining how devices are typically used and what they need to communicate with can be extremely helpful. This will also aid identification of the most appropriate cybersecurity risk control measures to implement.
  2. Ask IT and clinical engineering to provide a short training session on cybersecurity best practices for yourself and other Respiratory staff related to medical equipment/systems.
  3. When performing an RFI (Request for Information) or RFP (Request for Proposal) for the newly connected equipment, include specific cybersecurity language as per your IT policy. Proactively incorporating this can avoid lengthy delays in the procurement process.
  4. When evaluating newly connected equipment for purchase, ask the vendor to provide you with the device’s MDS2 (Manufacturer Disclosure Statement for Medical Device Security) form. This is a standardized form that contains details of the device’s security features and functionality. This form can assist your IT department when conducting a security risk assessment and may require the IT sign-off to proceed with the purchase.

In Conclusion

The risk to health care institutions from cyber-attacks is real. Security incidents have already impacted several health care facilities. In some facilities, this has directly impacted the ability to deliver patient care. The recovery from a security incident can be costly financially, and it can decrease patient confidence in the health care institution, especially if it leads to a breach of PHI.

Health care institutions are devoting many resources to minimize cybersecurity risk, including ransomware, viruses, malware, and privacy intrusions, to name a few. Medical device security can often be one of the weakest links in an organization and is a particularly challenging area to manage.

Cybersecurity in a health care organization is a team sport. Clinicians, including RTs, can play a critical part in helping IT and CE secure medical devices and networks by following the organization’s security policies. RTs can also provide invaluable awareness about common medical device use and communication requirements during procurement. This increased awareness can include the initial device implementation and ensure that the security controls are practical and do not interfere with clinical workflows. With the increase in network-connected medical devices, cybersecurity considerations will likely continue to gain importance and finding practical ways to manage it will be imperative.

Email newsroom@aarc.org with questions or comments, we’d love to hear from you.

Marc Schlessinger is a Senior Associate in the Applied Solutions group at ECRI and provides consulting services and assistance to hospitals concerning patient safety, alarm management, technology, strategic planning, operations, and purchasing.

Copyright © 2021 American Association for Respiratory Care
9425 N. MacArthur Blvd, Suite 100, Irving, TX 75063-4706
(972) 243-2272  |  info@aarc.org