
At a time when the security of healthcare information technology is under siege, healthcare consultants are urging medical device manufacturers to take additional steps to thwart outside threats and to seek out cybersecurity expertise in designing their products.

Global research and consulting firm Frost & Sullivan lists cybersecurity of medical devices and patient data privacy as one of the six biggest threats to patient safety, alongside antibiotic resistance, medication safety, patient diagnostics safety, sepsis, and unnecessary emergency department admissions.

The industry needs to learn how to “design defensively” to ward off cyberattacks and better protect patient information, the Battelle Memorial Institute suggested in a recent article. “Most companies don’t have the resources, bandwidth, or time to add this talent to their design team. Complicating the issue is the reality that cyberthreats to the medical community are growing in frequency and severity. This can be an overwhelming feeling for manufacturers,” according to the article. Battelle is a nonprofit science and technology development company in Columbus, Ohio.

Device manufacturers need to expand their definition of patient harm and what constitutes a “safe” device. “It’s no longer about ensuring that our devices won’t harm someone—but also that our devices can’t be hacked and used to harm users or hospitals,” according to Battelle. This involves changing the security culture to design products with the expectation that they could be hacked.

The company has proposed a “security engineering” approach to developing or maintaining any product regardless of its function, intended use, connectivity, use environment, or end user. According to Richard Brooks, Battelle’s director of systems/software/electrical engineering and DeviceSecure Services, this is about risk management and building onto the minimum requirements of a published industry standard.

Device manufacturers and device users such as hospitals, patients, and clinical labs all should be asking the same questions. What are the current vulnerabilities of this device? How do we mitigate them? What would happen, and what do we do if a vulnerability were exploited, either intentionally or by accident? “Proactive risk management is much more effective than reactive risk management. Understanding the security risks during device development can result in a more robust product,” Brooks told CLN Stat.

Battelle’s article also stressed the importance of teaming up with cybersecurity experts who know how to monitor and identify threats.

The goal is for the healthcare system to be as secure as possible to minimize the number of security breaches, Brooks noted, adding that a 100% secure device doesn’t exist. “The landscape of cybersecurity is constantly evolving, with new threats and attack vectors coming to light regularly,” he said.

Keeping these factors in mind, Brooks advised that the healthcare industry adopt the following assumptions:

  • Devices are not inherently secure and could present direct or indirect risks to patient safety, data privacy, or network security; and
  • An attack or breach will occur at some point, so be prepared to respond effectively when it happens. This includes public disclosures, working directly with clients to minimize the impacts, and knowing how to handle a situation when a third party’s product is the source of the vulnerability.

Device manufacturers, as well as healthcare IT and consulting companies, are taking the issue of cybersecurity very seriously, Anuj Agarwal, senior research analyst for Frost & Sullivan’s transformational health team, told CLN Stat. All of these stakeholders have begun working with government agencies, industry associations, and security researchers to improve medical data and device security features. “They have also been deploying better cybersecurity standards in their design and development process to minimize risks and help reduce exploitation, address known malwares, enhance security controls, and expand security awareness,” Agarwal said.

Manufacturers have also been collaborating with specialized healthcare cybersecurity companies such as Clearwater Compliance, NexusGuard, DB Networks, Digicert, and Coalfire to augment their systems and prevent any potential breaches, he continued. “There is also a growing interest in using blockchain technology for encryption of patient-generated health data and medical device data security,” Agarwal said.

Laboratories and other healthcare facilities have a definitive role to play as well, according to Agarwal. Labs that run sophisticated laboratory information management systems and radiology information systems should guard against phishing attacks and malware compromising those systems. “Educating laboratory staff, enhancing security awareness, recommending security best practices, etc., are some of the measures healthcare facilities undertake to reduce chances of cyberattacks,” he suggested.

Lab and other clinical staff also should follow recommended user guidelines for medical devices, Agarwal said.