Medical device integration and support for the Internet of Things are raising cybersecurity concerns for healthcare CIOs and CISOs and leading to a call for Congressional action.
In comments submitted to a recent House subcommittee hearing on the relationship between connected devices and cyberattacks, the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) warned members of Congress about the health data security and privacy threats posed by networked medical devices.
“As the committee continues to evaluate the cyber threat landscape, we urge members to ensure that networked medical devices factor into the broader conversation of consumer-facing devices that could be leveraged in a denial of service cyber-attack or manipulated to cause harm to patients,” reads the joint statement to the House Committee on Energy and Commerce Subcommittee on Communications and Technology and Subcommittee on Commerce, Manufacturing and Trade.
“A more proactive policy management process is vital for healthcare organizations,” it continues. “Viewing security as a component of safety and efficacy of device functions is necessary to keep pace with these variable threats.”
According to the two groups representing healthcare CIOs, CISOs, and other IT professionals, “the era of ubiquitous connection” — otherwise known as the Internet of Things — has come to the healthcare industry but its implications for health data security and privacy are not fully known, especially where medical device integration is concerned:
Much of the attention in healthcare when it comes to cybersecurity is centered on data breaches and threats to patient information. Unfortunately, medical devices also present and expand threat attack surfaces, as these devices can be directly connected or implanted in a patient. Often, these devices are connected to the hospital network and upload vital information to electronic health records. Medical device vendors use the internet to link to their machines to install updates or patches.
A major problem related to networked medical devices, the groups argue, is cost. Both CHIME and AEHIS note that healthcare organizations cannot afford to replace medical devices, so aging devices that were never properly equipped for networking remain in service.
“Given the consumer expectations about devices being networked, we must ensure proper security management, including thorough risk assessments and risk treatment, are incorporated in the device’s design,” they write. “Meanwhile, wearables and remote monitoring technologies are on the uptick, blurring the lines between what are strictly consumer devices and what is a medical device. As more connected devices enter the healthcare realm, additional attack surfaces and vulnerabilities become available to bad actors.”
The organizations’ letter highlights numerous existing challenges for networked medical devices within healthcare, ranging from a lack of basic security requirements (e.g., encryption, access control) and vulnerabilities inherent in their design to their storage of protected health information (PHI) and limited oversight of pre-market approvals by federal authorities.
In response to the “ever increasing interconnectedness of medical devices” as part of health IT infrastructure, CHIME and AEHIS are advocating for improved collaboration between medical device manufacturers and healthcare organizations.
“To better safeguard healthcare systems and the patient data they have been entrusted to protect, we must improve threat and incident information sharing across the industry,” they explain. “No single sector of the healthcare ecosystem can solve the problem alone. Only by pulling together and sharing best practices can we thwart cyber criminals and protect patients.”
More specifically, the duo has made three recommendations to address health data security and privacy risks posed by networked medical devices, including Congress holding manufacturers accountable for abiding by industry security standards and empowering the Food & Drug Administration to respond to reported risks.
“A secure healthcare system will ultimately enable greater consumer confidence and will spur better care coordination, enhanced information exchange and improved patient care,” the letter concludes.