Health Care Facilities Should Address Medical Device Cybersecurity Risks

Hospitals and other health care facilities should evaluate and address the cybersecurity risks posed by medical devices.  There are many medical devices connected to hospital or health care provider networks, including hard-wired devices such as patient monitors, ventilators, and imaging devices (X-ray machines and computer systems used for radiology and cardiac procedures).  Many other devices are connected wirelessly to a hospital or a health care provider network.  For example, a physician might use a wireless electrocardiogram to monitor data from a patient:  The device uses hardware and software connected to a network to transmit data.

Connecting medical devices to an information technology (IT) network makes the network vulnerable to intended and unintended threats.  There have been several media reports about cybersecurity incidents.  The Department of Homeland Security reported that 300 medical devices used by doctors to view MRIs from a single manufacturer were infected with the Conficker Worm.  The computers were older and did not have updated antivirus software and became infected with the Conficker Worm when they were connected to the Internet.  The Wall Street Journal reported  that the Food and Drug Administration (FDA) is aware of “hundreds” of medical devices that have been infected by malware or dangerous computer software.  Further, the article stated that malware has infected at least 327 devices at Veterans Administration hospitals.  Finally, there is the possibility of an intentional attack on a medical device.  Reuters reported that a cybersecurity researcher discovered a bug in an insulin pump and wrote a program that could remotely dose patients with potentially lethal amounts of insulin.

Due to the growing use of medical devices connected to hospital and health care provider networks, the FDA has issued guidance to medical device manufacturers for premarket submissions for management of cybersecurity in medical devices, most recently in November 2014.  The agency’s guidance to medical device manufacturers recognizes that medical device security is a shared responsibility between stakeholders, including health care facilities.  Thus, hospitals and health care facilities should take steps to combat cybersecurity threats.

The Department of Homeland Security and the FDA have listed some best practices to combat cybersecurity threats that can be useful to hospitals and health care facilities, including the following:

• only purchase and use networkable medical devices with available safety features;
• only use networkable medical devices that can be configured safely on the hospital and health care facility’s network;
• purchase vendor support for ongoing firmware, patch, and antivirus updates when they are an appropriate risk mitigation strategy—in other words, update software, firewalls, and antivirus protection as appropriate;
• operate security features such as firewalls, network monitoring, and intrusion detection to the extent practical;
• establish strict policies for connecting networked devices;
• establish policies to maintain, review, and audit network configurations when the network changes;
• restrict unauthorized access to the network and networked medical devices;
• do not provide access to the entire network for all users, but grant the least privilege necessary to users;
• implement patch and software upgrade policies for the network;
• secure communication channels by using encryption and authentication;
• use and enforce password policies; and
• develop a back-up plan to maintain network function during adverse conditions.