
Medical device cybersecurity: Need for practical solutions

February 19, 2019
4. Fourth, medical device replacement can be cost-prohibitive. Even in situations in which medical devices exhibit significant security shortcomings, replacement is not a financially feasible option for many facilities. Facilities are often stuck with designing and implementing customized compensating controls to mitigate security risks until device replacement at a later date.

Practical steps to make a significant impact
Healthcare facilities are faced with a number of competing demands, and cybersecurity is just one of them. It is important to identify a game plan that is feasible, given the resources, time, technology, and staff available. Cybersecurity in a healthcare facility should not be looked at solely as an IT issue, but rather as a patient safety issue that impacts all personnel. From the frontline clinicians to clinical engineers and IT, everyone can and should play a role in ensuring a safe and secure care delivery environment.

Many facilities still struggle to find the best way to get started. ECRI Institute recommends prioritizing the following efforts:

1. Complete an inventory of all network-connected medical devices. The most common issue we have encountered with healthcare facilities is a lack of visibility into their own assets. Collecting and organizing the required networking details for each medical device in the inventory can aid in security risk mitigation and security threat response.
2. Establish a plan to respond to medical device security vulnerabilities, threats, and incidents. While most organizations have a general security incident response plan, it is paramount to develop policies and procedures that also address incident response for medical device security in particular. Consider assigning specific resources with responsibility for monitoring and responding to medical device security threats. Also consider running tabletop and hands-on exercises with scenarios that include unavailable network-connected medical devices or systems.
3. Develop minimum security recommendations for procurement of medical devices. Many facilities have identified that security should be factored in during the procurement stage, but resources for in-depth security assessment are often scarce. A good place to start is to define the minimum requirements appropriate for your organization. A joint effort between IT and clinical engineering is required in order to establish reasonable requirements.
4. Assign a medical device security specialist. While managing medical devices traditionally falls in the realm of clinical engineering, IT has also taken a prominent role as required network connectivity has expanded. Involvement from both groups is required to understand the infrastructure, the devices themselves, how they are used in a clinical setting, and how they need to be configured as part of the facility’s network to ensure safe and secure functionality. A medical device security specialist can also serve as a liaison between IT and clinical engineering staff.

About the authors: Juuso Leinonen is the senior project engineer for health devices at ECRI Institute. Chad Waters is the senior cybersecurity engineer for health devices at ECRI Institute.
