
ECRI Institute's Applied Solutions Group (ASG) offers customized services and on-site assistance to help healthcare facilities and health systems identify and address patient safety vulnerabilities. This column discusses risk management implications of device cybersecurity based on the experience of ASG experts.

News of healthcare cybersecurity breaches—some of which compromised tens of thousands of patient medical records—continues to dominate headlines, leaving many hospitals wondering whether they would be prepared in the event of an attack. Because even a single data breach could lead to compromised operations and possibly to patient harm, as well as steep fines imposed by federal agencies, risk managers need to ensure that their facilities have taken the appropriate steps to deter hackers.

"When it comes to cybersecurity, risk managers have to try to be ready for 'zero day' events, which means you have to take proactive steps," says Robert P. Maliff, director of ECRI Institute's Applied Solutions.

Lou Schonder, ASG senior planning specialist, adds, "It's about weighing the risks. What's going to happen? What's more likely to happen?"

What Do Cyberattackers Want?

"A credit card company can tell you within minutes whether someone's hacked your card, but hospitals don't always know when they've been hacked," says Maliff.

According to Schonder, cyberattackers will often use any lag in response time to accumulate vast amounts of patient information found in medical records. "Cyberattackers may intentionally stay quiet on a network," Schonder explains. "They'll do it to accumulate more information and to verify the information that they've obtained."

"We've heard that a single medical record goes for $50 on the black market," Maliff reports. "That's a lot of information, and if it goes undetected it can cause a lot of damage." For instance, hackers could use the information in a stolen medical record to file a fake tax return, Maliff says.

Hackers may also attack a hospital network in an attempt to disable it and collect a ransom. Often, attackers ask that the ransom be paid in bitcoin, a digital currency secured by cryptography. Bitcoin ransom demands are typically for comparatively small amounts—often $25,000 or less; as Schonder explains, attackers keep the amounts small to ensure a "speedy process."

Where Are the Vulnerabilities?

Hackers can gain access to a hospital's system through many vectors. According to Schonder, a cyberattack can be as simple as inserting a USB drive into a medical device, or accessing an open and unsecured port in a lobby. Other vectors could involve basic cybersecurity mistakes made by hospital staff, such as using common passwords or failing to log off from a device.

"A common [vector] is the simple old-fashioned way of picking out someone's password [by seeing it written] on post-it notes, or having a shared password for a single department," says Schonder. "Also, a lot of areas in the hospital are publicly accessible, so someone can just walk up to a nurses' station and look around for a few minutes and [they] may find something interesting. This kind of thing happens more often in hospitals because they typically have more devices to log on to than other industries."

Outdated underlying software can also leave medical devices vulnerable to hacking. According to Schonder, "Some manufacturers have not updated the operating system [such as Windows or Linux] that's on their devices. They may be running an older version with no security patches because they don't want to compromise the operation of their device. So, they take the easier way out—not doing security patches at all as opposed to redesigning software."

Recently, the Food and Drug Administration (FDA) warned medical device manufacturers to ensure that cybersecurity issues are addressed before devices hit the market, and stated that monitoring for and addressing cybersecurity vulnerabilities should be a regular part of managing a device. "FDA's advisory should assure improved security for devices launched into the market going forward, but hopefully . . . will also have an impact on the security policies for devices already on the market," says Schonder.

Where to Begin?

When confronted with cybersecurity issues, many facilities may be asking, "Where do I begin?"

According to Maliff, facilities should address cybersecurity issues during the technology acquisition process. "Typically, procurement is asking for technical requirements and pricing information, but no one asks what the vendor's policy is on updating underlying software," he says. However, asking for this type of information "should be part of the evaluation of the supplier during acquisition."

Schonder recommends that, at a minimum, facilities ask manufacturers for an MDS2 form—a Manufacturer Disclosure Statement for Medical Device Security—during the device acquisition process. This form details the security-related features of a medical device. However, Schonder warns, facilities should confirm that the information on the MDS2 is accurate and should do their own checks before purchasing. "On the vendor side, [the MDS2] is often being filled out by someone from sales rather than [someone] on the technical side. They could be all over the place in terms of value. It's possible that no one is evaluating the [MDS2] for accuracy."

Facilities should also ensure that the information technology (IT) department and the clinical engineering department are involved in any device purchase, and that these departments conduct thorough evaluations to assess device vulnerabilities. Several forms designed to aid this process have been released by organizations such as the U.S. Department of Veterans Affairs (VA Directive 6550 Pre-Procurement Assessment for Medical Devices/Systems) and the Mayo Clinic. "Hospitals need to start asking the right questions," says Maliff.

Replacing devices that are compromised and phasing out vulnerable older devices should be budgeted as part of the capital planning process, Maliff recommends; however, few hospitals set aside funds for such a purpose. "Security for the network is probably in place, but when there are an additional 2,000 medical devices connected to the network that aren't all subject to the same protocol, it's a higher risk," he says.

Protect Your Hospital with a Cybersecurity Gap Analysis

ECRI Institute's ASG service offers an unbiased Cybersecurity Gap Analysis designed to help hospitals identify network-connected medical devices and any risks they may pose, pinpoint vulnerabilities to manage risk, ensure appropriate security training, and undertake other important cybersecurity measures. To learn more, contact ASG at (610) 825-6000, ext. 5130, or rmaliff@ecri.org.

Topics and Metadata

Topics

Health Information Technology; Quality Assurance/Risk Management; Electronic Medical Records; Litigation; Technology Selection

Care Setting

Hospital Inpatient; Hospital Outpatient


Roles

Risk Manager; Patient Safety Officer; Healthcare Executive; Information Technology (IT) Personnel; Legal Affairs; Medical Staff Coordinator; Nurse; Biomedical/Clinical Engineer; Clinical Practitioner

Information Type

News


Publication History

Published April 12, 2017

Who Should Read This

Administration, Chief medical officer, Clinical/biomedical engineering, Health information management, HIPAA privacy officer, Information technology, Legal counsel, Nursing, Patient safety officer, Risk management, Risk manager