Health Care Facilities Should Address Medical Device Cybersecurity Risks

Hospitals and other health care facilities should evaluate and address the cybersecurity risks posed by medical devices.  There are many medical devices connected to hospital or health care provider networks, including hard-wired devices such as patient monitors, ventilators, and imaging devices (X-ray machines and computer systems used for radiology and cardiac procedures).  Many other devices are connected wirelessly to a hospital or a health care provider network.  For example, a physician might use a wireless electrocardiogram to monitor data from a patient:  The device uses hardware and software connected to a network to transmit data.

Connecting medical devices to an information technology (IT) network makes the network vulnerable to intended and unintended threats.  There have been several media reports about cybersecurity incidents.  The Department of Homeland Security reported that 300 medical devices used by doctors to view MRIs from a single manufacturer were infected with the Conficker Worm.  The computers were older and did not have updated antivirus software and became infected with the Conficker Worm when they were connected to the Internet.  The Wall Street Journal reported that the Food and Drug Administration (FDA) is aware of “hundreds” of medical devices that have been infected by malware or dangerous computer software.  Further, the article stated that malware has infected at least 327 devices at Veterans Administration hospitals.  Finally, there is the possibility of an intentional attack on a medical device.  Reuters reported that a cybersecurity researcher discovered a bug in an insulin pump and wrote a program that could remotely dose patients with potentially lethal amounts of insulin.

Due to the growing use of medical devices connected to hospital and health care provider networks, the FDA has issued guidance to medical device manufacturers for premarket submissions for management of cybersecurity in medical devices, most recently in November 2014.  The agency’s guidance to medical device manufacturers recognizes that medical device security is a shared responsibility between stakeholders, including health care facilities.  Thus, hospitals and health care facilities should take steps to combat cybersecurity threats.

The Department of Homeland Security and the FDA have listed some best practices to combat cybersecurity threats that can be useful to hospitals and health care facilities, including the following:

  • only purchase and use networkable medical devices with available safety features;
  • only use networkable medical devices that can be configured safely on the hospital and health care facility’s network;
  • purchase vendor support for ongoing firmware, patch, and antivirus updates when they are an appropriate risk mitigation strategy—in other words, update software, firewalls, and antivirus protection as appropriate;
  • operate security features such as firewalls, network monitoring, and intrusion detection to the extent practical;
  • establish strict policies for connecting networked devices;
  • establish policies to maintain, review, and audit network configurations when the network changes;
  • restrict unauthorized access to the network and networked medical devices;
  • do not provide access to the entire network for all users, but grant the least privilege necessary to users;
  • implement patch and software upgrade policies for the network;
  • secure communication channels by using encryption and authentication;
  • use and enforce password policies; and
  • develop a back-up plan to maintain network function during adverse conditions.

Key Points to Consider When It Comes to Bed Rail Safety

In recent years, the use of bed rails has received increased scrutiny from the health care community and regulators.  There have been many reports of death and injury, such as entrapment, falls, and asphyxiation, due to bed rail use.  Between Jan. 1, 1985, and Jan. 1, 2013, the Food and Drug Administration (FDA) received 901 incident reports of patients caught, trapped, entangled, or strangled in hospital beds, including 531 deaths.

In January, the FDA, working in conjunction with the Consumer Product Safety Commission (CPSC), developed a new webpage that provides guidance about bed rail use.  The guidance addresses bed rail safety, safety concerns about bed rails, and recommendations for health care providers, consumers, and caregivers about bed rails. Among the information available is clinical guidance to assess an individual patient’s needs when using a bed rail and a bed safety entrapment kit containing information and tools that can be used to assess entrapment risk.

The Colorado Department of Public Health and Environment (CDPHE) also has information on its website to assist nursing homes with bed safety.  The CDPHE has pointed out the risks of using restraints such as bed rails.  The risks of bed rails include falls caused by climbing over the rails; becoming trapped between the bed rail and mattress, which can result in asphyxiation; and fractures from rolling into the transfer rails.

The FDA cautions that health care providers should avoid the routine use of bed rails and that bed rails should not be used as a substitute for proper monitoring, especially for people at high risk of entrapment.  Likewise, the CDPHE encourages the use of alternatives before using bed rails, such as lowered beds, futons, or waterbeds.

Nursing homes often run into conflict with family members who request bed rails.  However, nursing homes cannot use family requests to justify using bed rails.  Surveyor guidance emphasizes that the legal surrogate or representative cannot give permission to use restraints for the sake of discipline or staff convenience when the restraint is not necessary to treat the resident’s medical condition.  In other words, the facility cannot use restraints in violation of 42 C.F.R. § 483.13(a) solely based on a family member’s request or approval.