Protect medical devices from cybercrime

It's disconcerting to think that medical devices, such as MRI machines and insulin pumps, are increasingly the victim of hacking, malware and other cybercrimes.

But it's particularly frightening when one remembers that the security breach of a medical device goes beyond a breach of confidential patient information and exposing the provider to HIPAA liability. A security breach of a medical device can also adversely affect patient safety. It can affect the operation of the device, causing it to malfunction, fail outright or alter the data. The Veteran's Administration reported 173 incidents of security breaches of medical devices from 2009-2011, disrupting glucose monitors, cancelling patient appointments and shutting down sleep labs. 

And it's especially onerous when one takes into account that most of the one billion patient encounters that occur in this country per year involve a medical device--and that they don't contain the basic security features, such as encryption and passwords, that other devices have.

What's more, these medical devices are also connected to at least one EHR, Dale Nordenberg, a pediatrician and executive director of the Medical Device Innovation, Safety and Security Consortium, told FierceEMR in an interview.

"These devices no longer standalone, attached to a wall. They're attached to a network. HITECH is making a tremendous push to drive adoption of EHRs and interoperability. Medical devices and EHRs are or will be tightly integrated," he said.

Protecting medical devices from cybercrime becomes is tricky because adding antivirus programs can affect the patient data and/or violate the warranty on the device. Moreover, since they're regulated by the Food and Drug Administration, a device that has manufacturer-installed antivirus protections can't be upgraded without FDA approval, Kevin Faulkner, director of product marketing for security firm Tech Micro, told FierceEMR in an interview. Some of the problems the industry is seeing include:

  • The infected device no longer communicates with the EHR or is otherwise faulty in its operation, such as operating too slowly or not at all.
  • The device is used as an easy entry into the provider's entire network. "It's an extremely weak link in the chain," Faulkner warns.
  • The infection changes or deletes patient data, corrupting the data in the EHR and making it inaccurate and unreliable.
  • Providers often don't check medical devices for viruses. When not identified as the location of a virus, the device can reinfect the network, since the device is not included in the cleanup of the original infection, warns Faulkner.

"This is an emerging problem," Nordenberg tells FierceEMR.

Moreover, these problems are occurring within the walls of a hospital, which can have up to 30,000-40,000 medical devices, says Nordenberg.

Imagine the increased danger when Stage 2 of Meaningful Use goes into effect, with the required interoperability and use of health information exchanges. Your EHR can become infected because of someone else's medical device.

To protect your network, consider taking these steps:

1. Acknowledge that both implantable and non-implantable medical devices are vulnerable to cyber attacks. Inventory your medical devices and have the hospital's IT and bioengineering departments work together to protect them, says Nordenberg.
2. Monitor the devices for infections; consider installing network monitoring programs and take prompt action when you detect an infection, says Faulkner
3. Find out from the devices' manufacturers any particular security risks they're aware of, says Nordenberg
4. Consider limiting access of medical devices to your EHR system, or isolating them in the network so that if infected it can't spread, says Faulkner.