Interconnected devices in medical settings enable clinicians to meet the healthcare needs of their patients while driving efficiencies for their practices and facilities. From electronic health record (EHR) systems to advanced fall detectors and ventilators, connected medical devices have become essential. In fact, the average hospital room contains between 15-20 connected devices.
What is the downside? The rise of data interconnectivity at healthcare facilities makes them a bullseye for cybercriminals. Even with stringent safeguards in place, most systems and devices are vulnerable to breaches that place the facility and sensitive patient data at risk.
What happens when a practitioner relies on a real-time location system (RTLS) to immediately find available treatment equipment, and that system fails? Aside from overall chaos, a patient’s life could be put in jeopardy. Magnify that over an entire hospital population, and suddenly the gravity of a cyber attack is evident
More than 80 percent of hospitals have incurred some form of a cyber attack in the last two years. In 2016, the Food and Drug Administration (FDA) issued guidelines for connected medical devices security, but many providers continued to grapple with the best way to invest in initiatives to reduce risks their devices pose. In 2018, the FDA issued a medical device security action plan for critical data protection.
By being proactive, your healthcare organization can protect its connected devices – and its people and patients – against cyber attacks and improve patient security. Fortunately, there are steps you can take.
- Run an assessment of all connected devices
It’s difficult to mitigate risk without taking inventory of all connected devices within your network. Be sure to include servers, wired or wireless devices and understand the connections between these devices. This will help you identify and monitor vulnerabilities when you make changes, such as software updates.
- Determine Your Risk and Remediation Strategy
Develop a system for prioritizing the risk of each device based on likely threats and known vulnerabilities. By being armed with a risk profile, you can more accurately pinpoint the action needed should a cyber attack occur. The assessment should include:
~A high-level summary of institutional data security
~A detailed focus for single devices
~A thorough analysis of possible risk factors
~Feasible mitigation strategies—a cybersecurity professional can help you develop your plan
Now you can turn to an actionable remediation plan using established controls and those that need to be implemented for recovery. Again, you may want your IT team to partner with a cybersecurity expert to identify and address the most critical issues for remediation.
- Build a Secure Culture
Security should transcend IT teams and include all of an organization’s professionals. Think about all the data you share—that’s why you need to integrate secure measures into all operational workflows. You may want to install a data dashboard that will provide breach alerts and other relevant cyberattack information.
All of these actions will call for an ongoing training program to help ensure your staff can identify threats and implement the action plan.
While there is no one-size-fits-all approach to hospital device connectivity, every hospital that wants to maximize the benefits of its devices must consider the privacy, safety, and security of its facility, patients and employees. Cybersecurity experts can work with healthcare IT specialists to proactively develop an enterprise strategy for securing medical devices.
Do you have question about protecting your healthcare practice or facility? The healthcare accounting team at Goldin Peiser & Peiser can help. For more information about cybersecurity contact Jason Cope at 214-635-2546 or our healthcare services, please contact Angie Walters at 214-635-2547.