Cyberattacks can cost lives, especially in the Health care sector. Nearly a quarter of healthcare providers victimized by ransomware reported increasing death rates following a stroke, and 70% experienced longer hospital stays or procedural delays leading to poor patient outcomes. Congress is working to pass cybersecurity legislation, but the process is cumbersome. Therefore, healthcare systems must act to prevent security breaches and protect patient data.
More than two-thirds of healthcare providers are victims of cybercrime. In fact, according to statistics from the Civil Rights Office of the Department of Health and Human Services, an average of two health data breaches occur every day, twice as many as four years ago. Each breach costs healthcare organizations on average more than $10 million, based on IBM’s annual report on the cost of data breaches. In 2021, attacks compromised the data of 40 million people, and since 2009 hackers have accessed data records representing 95% of the US population.
Along with stolen data and lost money, these breaches could mean the difference between life and death. While we hope to see more government action to protect health data, health systems should not wait for this legislation to pass. They must strengthen their own defenses now. Particular emphasis should be placed on securing medical equipment.
Legislative movement on the cybersecurity of medical devices
The U.S. federal government is considering several proposals to regulate cybersecurity of medical devices compliance to counter the frequent and clinically impactful cyberattacks experienced by healthcare systems across the country.
In April 2022, the FDA released its long-awaited draft medical device safety guidelines for public comment. The document provides device manufacturers with guidance on how to address cybersecurity for device design and associated pre-market submissions. Under the policy, original equipment manufacturers (OEMs) must create procedures to verify and validate the design of a connected device for reasonable assurance of safety and effectiveness. The FDA recommends that OEMs establish a secure product development framework to reduce product vulnerabilities and implement medical device cybersecurity requirements. The framework encompasses all aspects of a product’s lifecycle, including development, release, support, and retirement.
The Senate is currently considering the Law on strengthening the cybersecurity of medical devices. The proposal requires the FDA to regularly update cybersecurity guidelines, publish public information on improving cybersecurity of medical devices and access to resources, and issue a report identifying cybersecurity challenges. for medical equipment, including legacy devices.
According to the proposal of the Senate eHealth Protection and Transformation Act (PATCH), equipment manufacturers should provide information on the safety of a connected medical device before it is placed on the market. Requirements include disclosure of vulnerabilities and defined processes and procedures to make updates and patches available to the device throughout its lifecycle.
The House passed the 2022 Food and Drug Amendments, giving the FDA the authority to require device makers to include certain cybersecurity information in their premarket submissions, in line with the FDA’s recent draft guidance. The Healthcare Cybersecurity Act is also being evaluated in the House. This legislation requires the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services to work together to improve cybersecurity measures in hospitals and other medical facilities and develop products specific to the needs of healthcare facilities. Organizations should also provide cyber risk and mitigation training to healthcare staff.
These proposals are steps in the right direction to better harden medical devices against security vulnerabilities, but none are close to implementation. Faster action is needed.
How to Take Proactive Measures for Medical Device Cybersecurity Compliance
To immediately protect patient health and data and prepare for future legislation, healthcare systems must assess and address current risks and create an ongoing remediation strategy. A successful cybersecurity program requires collaboration between clinical and IT engineering teams and well-defined workflows.
Start by following the recommendations of the National Institute of Standards and Technology Cybersecurity framework. The framework consists of five principles:
- Identify: Identify a complete inventory of devices and software, cybersecurity policies, legal requirements and vulnerabilities.
- Protect: Enable appropriate protections, including access control and identity management, staff training, and information protection policies.
- Detect: Define appropriate monitoring strategies to quickly identify cybersecurity events.
- Answer: Create an action plan to respond to a violation.
- Retrieve: Develop a strategy to restore the capabilities or services affected by the incident.
Integrating a medical device cybersecurity solution and implementing real-time threat monitoring keeps healthcare systems one step ahead of hackers (and future compliance requirements). Healthcare systems can begin to identify remediation priorities by creating a comprehensive medical device inventory list with information on key attributes, location, and current use of equipment. Using this data, device management teams assess a device’s cyber vulnerability, risk, and impact on patient safety to create a risk gauge.
Each health system will have its own risk threshold and priorities, so remediation approaches will vary. This is why every organization must identify a risk management strategy. Including technology in the medical device cybersecurity plan can improve threat monitoring by managing equipment inventory and identifying vulnerabilities for medical device teams to address.
Cyberattacks threaten patients’ lives and sensitive data and cost significant sums. Although preparing for and preventing attacks is not simple, it is imperative. Help will eventually arrive in the form of government regulations, but in the meantime, healthcare systems must develop and implement their own cybersecurity strategy to protect their patients.