In October 2020, the federal government issued a dire warning of increased ransomware attacks on hospitals in the United States. The joint alert from the Cybersecurity and Infrastructure Security Agency, the Department of Health and Human Services (HHS), and the Federal Bureau of Investigation called the situation an “increased and imminent cybercrime threat.”
Following this alert, researchers at the security firm Check Point reported a 45% increase in cyberattacks against healthcare organizations, more than double the average increase seen across other industries.
Clinical laboratories’ data and operations have been no exception, and the risk could be growing, according to experts. For lab medicine, a wave of mobile technology and other trends are driving a more digital and connected ecosystem. Without cybersecurity controls, networked laboratory devices can be compromised and lead to patient harm.
Stephen Grimes, principal consultant at Strategic Healthcare Technology Associates in Swampscott, Massachusetts, knows why the cybersecurity threat to the medical community is rising: “Hackers look to hit the most vulnerable targets. Unfortunately, healthcare organizations have some of the least secure information systems, and the monetary value attached to selling or ransoming medical records is huge.”
HEALTHCARE’S GROWING VULNERABILITY
Healthcare organizations have an increasing number of networked medical devices that communicate with internal databases like electronic health records and with other systems across the internet. IT experts estimate that a large hospital could have up to 85,000 networked medical devices. Each is a potential point of entry for an attacker.
Cory Brennan, JD, an IT attorney and medical device security advisor at Hall Render Killian Heath in Indianapolis, Indiana, said she has seen cyberattacks triple in number over the past 3 months, at large healthcare systems and small medical practices alike. While news reports mostly focus on large ransomware attacks, Brennan said basic phishing attacks are the most common type among her clients. While not as immediately devastating as ransomware attacks, the cumulative effect of phishing schemes can be severe enough to warrant an insurance report.
Jim Jacobson, chief product and solution security officer at Siemens Healthineers in Malvern, Pennsylvania, said he is fielding an increasing number of calls from concerned customers. “Whenever there’s a cybersecurity incident featured on the news, I get calls from customers asking if they should be concerned about our medical devices. The uptick in ransomware reports and the COVID-19 pandemic are stretching our healthcare professionals and IT staff to their limits, which unfortunately also adds to the opportunities hackers can exploit.”
GOVERNMENT IS ACTING, BUT CALLS ON HOSPITALS TO PLAN
Federal government agencies, medical device manufacturers, and professional associations are stepping up to identify cracks in the system and find ways to improve medical device security.
The HHS Office of the Inspector General (OIG) published a report in June 2021 detailing its review of how the Centers for Medicare & Medicaid Services' (CMS) accreditation organizations respond to growing cybersecurity threats to networked medical devices. The OIG found that CMS accreditation organizations "rarely use their discretion to examine the cybersecurity of networked devices during their hospital surveys." The practical conclusion is that hospitals cannot rely on surveyors to catch these gaps: it is more important than ever for each hospital to have its own plan for securing its networked devices.
At the same time, the federal government has been slow to issue specific information security regulations and requirements. Instead, it has focused on incentives and more general guidance. Brennan noted the recent HITECH Act amendment that encourages healthcare organizations to adopt recognized cybersecurity standards. “Under this amendment, any organization that adopts an industry-recognized cybersecurity program, like the National Institute of Standards and Technology Cybersecurity Framework, has the opportunity to reduce financial penalties they may receive after a security breach,” Brennan said. “The goal here is to make these frameworks standard for healthcare organizations across the board.”
The National Electrical Manufacturers Association, an ANSI-accredited standards-developing organization, released an updated Manufacturer's Disclosure Statement for Medical Device Security (MDS2) in 2019 to help manufacturers communicate their products' security capabilities and potential vulnerabilities to IT professionals and clinical engineers. Grimes conceived of the first MDS2 in 2004 and has worked on subsequent iterations. "The more your space is automated, the higher your risk of a security breach," Grimes said. "Tools like MDS2 help manufacturers and end-users better communicate security needs and expectations."
This also means clinical laboratorians should expect manufacturers and other vendors they partner with to be able to explain how they approach cyber threats. “Hackers only have to get it right once—we have to get it right all the time. Cybersecurity transparency is a priority for us as a manufacturer,” Jacobson said. “We proactively provide the customer with information about device security, for example, identifying third-party components that might be present in the device, spelling out assumptions that we built into the use of the device, really anything that would involve the secure use of that device.”
In his role with Siemens Healthineers, Jacobson has collaborated with other manufacturers, healthcare providers, and government agencies to improve the cybersecurity of legacy devices and to promote best practices for medical device cybersecurity.
PEOPLE REMAIN THE FIRST LINE OF DEFENSE
As one of the industry’s first medical device security experts, Grimes is sober about the risks of cyber threats, but he remains bullish on the potential for information technology. “I’m a clinical engineer by training,” he said. “One of the things I get on my soapbox about is my firm belief that technological advances will lead to better, more effective, and timely healthcare. But if we don’t change the way we operate—like securing our systems—we will never see that benefit.”
He often uses the term "cybersecurity hygiene" to describe the everyday things laboratory professionals and other medical personnel can do to secure their systems. "Lab technologists, managers, and directors already have a lot to do. But they are also an organization's first line of defense against cyberattacks for their systems," he said.
Grimes encourages laboratorians to know who within their organization is responsible for cybersecurity risk management. “You should feel comfortable going to these people if you need help—and engage with them before you buy a new piece of equipment to assess potential security gaps before the device is networked.”
To keep security breaches at bay, Brennan is a proponent of end-user education and training. "I really push any organization I work with hard to get the technicians using the equipment involved with the cybersecurity framework conversation from the beginning," she said. "The laboratory staff will know if a change in the organization's security protocol will negatively impact clinical workflow. That conversation is so important, and it gets overlooked."
For laboratory professionals who want to help their organization prevent breaches or who have general questions about medical device security, Brennan recommends reaching out to the security team directly and asking for a briefing. If the laboratory is not part of a system or hospital that has its own security team, there are some free resources. Brennan, who sits on the board of the Association for the Advancement of Medical Instrumentation (AAMI), recommends the association's free cybersecurity resources page and the HHS Office for Civil Rights Security Risk Assessment tool.
For specific instruments, the best way to learn about cybersecurity issues is directly from the manufacturer, according to Jacobson. He also recommends obtaining software patches directly from the manufacturer rather than from third parties. Many companies have customer portals that labs can use to check device performance or enter repair and maintenance tickets. Jacobson points out that Siemens Healthineers also posts security white papers to its customer portal that describe security factors in detail.
STAY HOPEFUL, STAY VIGILANT
Despite the growing number of cybersecurity risks, laboratorians have many reasons to be hopeful. Technical advances are emerging that will protect patient care and detect attacks earlier, before they cause harm. For example, manufacturers are working on artificial intelligence applications built into devices that can alert users to anomalous behaviors that might indicate a cyber adversary at work.
"Try not to panic when you see cyberattacks on the news," Jacobson said. "Not all of the ransomware you hear about is going to impact medical devices, and there is a good chance your device manufacturer is going to be on top of the latest vulnerabilities and is developing mitigation strategies to thwart security breaches."
The threat will remain an issue for the foreseeable future. While manufacturers, information security staff, and IT professionals work to stay one step ahead of cyber adversaries, it is essential for laboratories to stay current with, and actually use, cybersecurity best practices.
Sarah Michaud is a freelance writer who lives in London.