Upfront

Innovative system protects medical devices from cyber-attacks

December 2013 Upfront
|

If you're still waiting to protect your health care facility's medical devices from a cyber-attack, let a close call at Methodist Hospital of Southern California, Arcadia, serve as a cautionary tale.

In 2011, hospital physicians accessed diagnostic information from medical devices without the knowledge of the facility's information technology (IT) department.

Once hospital administrators caught wind of what happened, they took action to safeguard its medical devices because they knew the next incident involving the access of patient data might not be so benign.

The hospital was smart to act quickly. As medical devices have increased in complexity and are commonly tied to computer networks, they pose a higher risk for cyber-attack.

In June, the Food and Drug Administration issued a safety communication alerting medical device manufacturers and health care facilities to ensure that appropriate safeguards are in place to reduce the risk of failure due to cyber-attack either through malware or unauthorized access to devices and networks.

In May, the Department of Homeland Security issued a bulletin warning that too little consideration has been given to the potential for misuse of features like wireless networking connectivity to steal patient information or even change the operation of the medical device.

The bulletin reported how medical device hackers could alter or shut off the settings of an insulin pump without the user's knowledge and jam or disrupt glucose monitors remotely. Implantable medical devices without software protection are at risk, too, the bulletin stated.

Implementing appropriate safeguards is exactly what Methodist Hospital began doing two years ago. It hired an outside firm to develop an integrated systems management (ISM) program, which greatly reduces vulnerability of its more than 6,000 medical devices to cyber-attack.

The ISM program was developed by Renovo Solutions LLC, Santa Ana, Calif., and managed by Anthony Coronado, biomedical engineering manager at Methodist Hospital, and his team. The program is so innovative that last month the hospital received ECRI Institute's 8th annual Health Devices Achievement Award.

"Methodist Hospital conducted a great project to address a looming and national concern related to cyber-security and medical devices," says Jim Keller, vice president, health technology evaluation and safety, ECRI Institute, Plymouth Meeting, Pa.

"Not many hospitals have put a concerted effort toward addressing the risks of cybersecurity of medical devices. The Methodist program sets a great example that other hospitals can follow and in a very organized and methodical way," Keller says.

A cornerstone of the program entails performing a rigorous 57-question, risk-assessment inspection of each new and existing medical device at the hospital to determine how it stores, transmits and protects electronic patient information, Coronado says.

Part of the risk-assessment involves interviewing the end user, whether it is a physician, nurse or other staff member, to see how he or she uses the device, he adds.

Another problem was that almost all the medical devices at Methodist Hospital were on their own networks and not monitored for security, a common situation at many health care facilities, Coronado says. "I feel it's probably the same way at the majority of hospitals around the world," he says.

Integrating the multitude of networks at Methodist made it easier to control and monitor its medical devices by taking advantage of the safeguards that were already in place within the hospital's IT infrastructure for all the PCs and medical record networks, he adds.

Keller believes Methodist Hospital's ISM program could serve as a model for all hospitals as the need to protect devices against hackers grows.

"With the rapid growth of connectivity for medical devices, this is a serious problem," he says. "This is why the Methodist project is so important. It will help many hospitals get moving on their cybersecurity initiatives before serious damage is done."

Hospitals need to develop a plan to safeguard medical devices from cyber-attack.

Related Articles