The average US hospital room contains an estimated 15 to 20 connected medical devices.1 Those numbers are rising due to the accelerated adoption of internet-connected devices to reduce costs for health systems, provide better care to patients, and save clinician time.
Connected devices, which are used by pharmacology, oncology, radiology, neurology, surgery, and other departments, perform essential monitoring tasks. IV pumps, wearable biosensors, connected thermometers, ECG monitors, and other innovative, useful medical devices are essential to quality care delivery. However, there are mounting concerns about their safety. In 2019, 82% of healthcare organizations experienced an Internet of Things (IoT)-focused cyberattack.2 And as many as 53% of medical and IoT devices and 73% of IV pumps in hospitals have known critical vulnerabilities.3
Connected medical devices provide an opportunity for bad actors to intercept data, hijack the device, infiltrate a network, or plant malware or ransomware. In 2019, a ransomware attack disabled patient monitors for days at a Georgia Medical Center significantly affecting patient care. A lawsuit alleges that those disabled monitoring devices contributed to the death of an infant being delivered at the center.
Healthcare providers must proactively secure connected medical devices to prevent negative potential patient outcomes and other impacts to the delivery of care. It’s critical to protect both healthcare providers and patients by implementing supply chain risk management practices, following FDA guidelines on procuring and managing connected medical devices, conducting cyber program capability assessments, implementing asset intelligence, creating and documenting better policies and processes, automating updates and patching, ensuring proper network segmentation, automating device isolation, and more.
The FDA helps secure medical devices by providing the following:
It’s essential for healthcare organizations to ensure they are following all FDA recommendations and guidelines for protecting devices. This includes updating procurement guidelines for medical devices to take into account potential cybersecurity risks, as well as working with manufacturers over the device life cycle. The latter is a vital part of making sure devices are maintained and regularly updated with patches as new vulnerabilities emerge.
Healthcare organizations should also conduct a cyber program capability assessment to understand and baseline their organization’s asset intelligence capabilities and processes. This will help organizations understand the current state of their ability to identify, protect, detect, respond, and recover from threats or breaches to connected medical devices. It will also identify areas where capabilities and processes need to be improved to boost ongoing security and incident response.
Creating effective cybersecurity processes and policies to protect against connected medical device vulnerabilities starts by bringing together the right stakeholders. This often includes the chief medical information officer, biomedical teams, finance/purchasing teams, IT staff, and cybersecurity professionals. These key stakeholders must then work together to create processes and policies that are informed by appropriate risk management procedures and address all potential vulnerabilities throughout the device life cycle.
First, healthcare providers should create processes and policies to ensure they’re following the FDA’s advice on procuring connected medical devices.4 The FDA recommends things like building the cost of mitigating device vulnerabilities into the purchase price or maintenance fees, having extra devices available in the event of an incident, setting clear expectations for vulnerability management, and outlining supplier responsibilities during incident response and recovery.
Organizations should also request a software bill of materials from manufacturers to identify vulnerable components in order to conduct supply chain risk management and better understand potential vulnerabilities and risks. Additional supply chain illumination research could also be appropriate depending on the risks of a particular device.
Creating better policies and processes for integrating medical devices into a health organization’s network in a secure way, managing devices effectively, and responding to a cyberattack or breach are also critical. Doing these things well involves collaboration between device manufacturers, IT, cybersecurity professionals, and others.
IT maturity around connected medical devices involves:
The critical role that connected medical devices play in the delivery of healthcare both today and in the future mandates that organizations build a comprehensive cybersecurity program for their connected devices The risks are too great for patients, providers, and healthcare delivery organizations not to act.
Guidehouse has significant experience in both cybersecurity and the healthcare sector that enables the delivery of holistic solutions for medical device security. Guidehouse has helped many healthcare organizations decrease their overall cyber risk, secure their healthcare delivery model, and protect their patients and healthcare system. Maintaining proper security protocols ensures that healthcare organizations can leverage the value and savings of connected medical devices while reducing risk. This ensures that healthcare organizations are better prepared to meet the future of connected devices.
This article is authored by Matthew Phillips.
1“Healthcare Cybersecurity for Connected Medical Devices - Businessnewsdaily.com.” n.d. Business News Daily. https://www.businessnewsdaily.com/15031-connected-medical-devices-healthcare-cybersecurity.html.
2 Heather. 2019. “82% of Healthcare Organizations Have Experienced an IoT-Focused Cyberattack, Survey Finds.” FierceHealthcare. August 29, 2019. https://www.fiercehealthcare.com/tech/82-healthcare-organizations-have-experienced-iot-focused-cyber-attack-survey-finds.
3“StackPath.” n.d. Www.hcinnovationgroup.com. Accessed June 15, 2023. https://www.hcinnovationgroup.com/cybersecurity/medical-device-security/news/21254226/report-fiftythree-percent-of-connected-medical-devices-have-vulnerability.
4Review of Medical Device Cybersecurity: Regional Incident Preparedness and Response Playbook Quick Start Companion Guide. 2022. MITRE. November 2022. https://www.mitre.org/sites/default/files/2022-11/pr-2022-3616-medical-device-cybersecurity-regional-preparedness-response-companion-guide.pdf.
Complexity demands a trusted guide with the unique expertise and cross-sector versatility to deliver unwavering success. We work with organizations across regulated commercial and public sectors to catalyze transformation and pioneer new directions for the future.