Providers need a holistic approach to medical device security

Chris Nerney, Contributing Writer

Connected medical devices already are delivering on their promise to provide healthcare providers and patients with data that can improve diagnoses, trigger effective interventions, and facilitate positive long-term outcomes.
But connected medical devices are no less vulnerable to security breaches than non-medical connected devices – the Internet of Things (IoT) – used in the technology, transportation, retail, and manufacturing sectors.
Worse, as a survey from last year showed, medical device security isn’t being taken seriously by hospitals or vendors. Only 5 percent of healthcare organizations test medical devices at least once a year, while more than half (53 percent) don’t test medical device security at all. Manufacturers are almost as bad: Only 9 percent of medical device manufacturers test devices at least once annually, while 43 percent don’t bother with any device security testing.
The stakes are high. Not only can patient data be stolen in a security breach, but a device theoretically can be hacked and controlled by an unauthorized person. That’s a sobering thought for a cardiology patient relying on a functioning pacemaker to stay alive.
More ominously, just as some healthcare organizations may not know their network has been hacked, hospitals and patients may be unaware that a medical device has been breached.
Clearly, hospitals and other providers should routinely test connected devices, as should manufacturers. But there are other steps healthcare IT professionals can take to help improve the security of connected medical devices.
John Schoew, a managing director at consulting firm Accenture, says providers need a comprehensive medical device security strategy.
“Medical device risk must be addressed holistically with a coordinated governance approach across security, patient safety, supply chain and biomedical engineering,” Schoew tells Healthcare IT News.
That means reviewing – and if necessary, changing – existing network assets and clinical workflows to ensure medical devices connected to provider systems are safe.
“With the clinical integration of connected devices, health systems will need to assess if changes are needed within their IT infrastructure,” Schoew says. “As with any new connected device, health systems should assess potential privacy and security risks such as PHI, data management/handoffs, confirm basic provisions such as encryption and credentialing, embedded functionality such as firmware updates, and how it connects to the existing IT infrastructure such as the EHR.”