Anticipation and preparation are key to mitigating the security and patient safety risks associated with networked medical devices, according to a new report from the Deloitte Center for Health Solutions.
For the report, Deloitte interviewed representatives from nine healthcare organizations about patient safety issues associated with device security.
The report identified a range of potential vulnerabilities, including electromagnetic interference (low-power heart monitors overwhelmed when a nearby TV station turned on a digital television transmitter); untested or defective software; and theft or loss of networked devices. But organizations have to be aware of potential intentional threats as well, according to the report, including organized crime entities attacking a VIP patient's personal medical device; hackers launching Distributed Denial of Service (DDoS) attacks against a hospital network; or disgruntled employees uploading Trojan horse code to networked medical devices.
The paper suggested that security leaders must assess, then map out a strategy for managing privacy and cybersecurity issues in the areas of governance, risk identification and risk management.
"Healthcare organizations are challenged to anticipate the full spectrum of intentional and unintentional threats that might expose potential vulnerabilities in their networked medical devices," the report's authors said. "Yet anticipate they must, as well as put into place comprehensive systems to mitigate regulatory, financial and ethical risk; facilitate workflow and work force efficiency; strengthen the privacy and cybersecurity of protected health information; and promote the safety of patients under their care."
Other recommendations made included:
- Read the U.S. Food and Drug Administration's guidance on beefing up security of networked devices
- Understand the organization's risk by conducting an organization-wide situational and environmental analysis
- Inventory and classify networked medical devices
- Adopt a formalized risk-management framework and implement appropriate policies
- Protect legacy devices, where appropriate, with network segregation
- Increase security education and awareness among medical device stakeholders
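The inventory, classification and legacy-segregation recommendations above are a procedure a security team can make concrete. The following is an added example, not code from the Deloitte report or from any of the organizations it surveyed: it takes a constructed device inventory, assigns each device a risk tier, and derives the network segment it belongs in, putting every networked device that can no longer be patched behind an isolated segment. The device records, the tier scheme, the segment names and the markers used to recognize unsupported platforms are all assumptions chosen for illustration.

```python
"""Added example: classify a networked medical device inventory and derive
network segments. All device records are constructed sample data; the tier
scheme, segment names and legacy markers are assumptions, not report content."""

from dataclasses import dataclass


@dataclass
class Device:
    name: str
    os: str                  # platform label (constructed, not a real product string)
    patient_critical: bool   # failure or tampering could directly harm a patient
    vendor_patchable: bool   # vendor still ships security updates
    network_connected: bool
    stores_phi: bool         # holds protected health information


# Constructed inventory for the example; names and OS labels are illustrative.
INVENTORY = [
    Device("infusion-pump-12", "embedded-rtos-2009", True, False, True, False),
    Device("patient-monitor-3", "vendor-linux-2018", True, True, True, True),
    Device("imaging-workstation-7", "windows-xp", False, False, True, True),
    Device("lab-analyzer-2", "vendor-linux-2020", False, True, True, True),
    Device("bedside-tablet-41", "android-12", False, True, True, False),
    Device("standalone-scale-5", "embedded", False, False, False, False),
]

# Assumed substrings that mark a platform as unsupported.
LEGACY_OS_MARKERS = ("windows-xp", "2009")


def is_legacy(device: Device) -> bool:
    """Legacy means the vendor no longer patches it or the platform is unsupported."""
    return (not device.vendor_patchable) or any(
        marker in device.os for marker in LEGACY_OS_MARKERS
    )


def classify(device: Device) -> str:
    """Assign a risk tier under an assumed scheme: critical / high / medium / low."""
    if not device.network_connected:
        return "low"        # no network exposure; physical controls apply instead
    if device.patient_critical and is_legacy(device):
        return "critical"   # can harm a patient and cannot be patched
    if device.patient_critical or (is_legacy(device) and device.stores_phi):
        return "high"
    if is_legacy(device) or device.stores_phi:
        return "medium"
    return "low"


def segment_for(device: Device) -> str:
    """Map a device to an assumed network segment name.

    Legacy networked devices are segregated first, regardless of tier, which is
    the compensating control the recommendation list calls for.
    """
    if not device.network_connected:
        return "offline"
    if is_legacy(device):
        return "legacy-isolated"      # firewalled segment, vendor access only
    if device.patient_critical or device.stores_phi:
        return "clinical-restricted"  # clinical traffic only, no general access
    return "clinical-general"


def inventory_report(inventory: list[Device]) -> dict[str, tuple[str, str]]:
    """Return {device name: (risk tier, target segment)} for the whole inventory."""
    return {d.name: (classify(d), segment_for(d)) for d in inventory}


def segregation_backlog(inventory: list[Device]) -> list[str]:
    """Names of networked devices that must move to the isolated legacy segment."""
    return [d.name for d in inventory if segment_for(d) == "legacy-isolated"]


if __name__ == "__main__":
    for name, (tier, segment) in inventory_report(INVENTORY).items():
        print(f"{name:24s} tier={tier:9s} segment={segment}")
    print("needs segregation:", segregation_backlog(INVENTORY))
```

The point of splitting classification from segmentation is that a legacy device lands in the isolated segment even when its tier is only "medium": the segment decision follows patchability, while the tier drives how urgently the device is reviewed and what monitoring it gets.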
Over the past week, the U.S. Food and Drug Administration has issued its long-awaited final guidance for the regulation of mobile medical applications and its final unique device identifier rule.
The non-profit Center for Internet Security recently announced it is developing guidelines on securing Internet-enabled medical devices, starting with insulin pumps.
To learn more:
- read the report (.pdf)