It’s 2:00 a.m.; are your medical devices secured?

by Rikin Patel

Most of us have become a lot more risk-averse when it comes to cyber crime. The WannaCry ransomware attack in May 2017 caused massive upheaval, affecting more than 200,000 computers in 150 countries at extraordinary cost — with some estimates putting the losses in the billions.

Healthcare organizations breathed a sigh of relief that the attacks didn’t affect patient care, but it was — or should have been — a loud wake-up call. Healthcare is targeted by cyber criminals today more than any other industry. In 2016, more than 16.6 million patient records were exposed, according to data from the U.S. Department of Health and Human Services.

The risk of cyber attack is intensifying, and addressing these attacks is growing more complex as more and more people embrace digital technologies — smartphones, wearables, etc. Network-connected medical devices, or internet of medical things (IoMT) devices, are among the largest and most vulnerable attack surfaces.

Complicating the issue is the fact that cyber security risk mitigation for medical devices is difficult. Structural and organizational impediments limit a healthcare system’s ability to address medical device cyber security. Among these is the separation of IT, which is responsible for the systems and solutions that enable clinical care and back-office functions, from clinical engineering, which is responsible for deploying medical technology focused primarily on the delivery of care. Both departments share the same principles but weigh solution availability and patient safety differently. Lack of cross-departmental cooperation, separate reporting structures, and process gaps that lead to inconsistencies also make it difficult to reduce the risk of cyber crime.

Pressure to act to protect patients

Aside from the enormous financial and reputational costs that cyber attacks cause healthcare organizations, there are also compelling regulatory reasons to address cyber security.

The U.S. Food and Drug Administration (FDA) has issued a Medical Device Safety Action Plan, which among other issues seeks to address the cyber resiliency of medical devices for the safety of patients. The agency noted that — as with all computers and the networks they operate in — such devices are vulnerable to security breaches, which could threaten the safety of patients. In response the agency has adopted a “multi-stakeholder, multi-faceted approach of vigilance, responsiveness, recovery and resilience that applies throughout the life cycle of relevant devices.”

Manufacturers are expected to take a risk-based approach to cyber security throughout a device’s life cycle and to act quickly to address any vulnerabilities.

Three steps to better cyber security

As a result, healthcare organizations will need to find ways to improve cyber resilience and mitigate risk. The following three steps will help healthcare organizations prepare for any potential cyber attacks and ensure that devices are safe and secure for patients.

  • Start by addressing the separation of IT, security and clinical engineering. Working collaboratively, the various parts of the IT organization need to develop an approach that leverages best practices through a proven Cyber Reference Architecture. The purpose of a Cyber Reference Architecture is to establish a set of standards, guidelines and best practices to manage cyber security-related risk.
  • Cross-departmental collaboration is crucial to reducing the threat to patient care. By working together and trusting the knowledge of each team, departments can bring together the strengths and expertise they have across the organization. In this way, clinical engineering teams can take advantage of the mature processes, tools and platforms that IT departments have used to mitigate security risks.
  • Manage the clinical asset life cycle from procurement to retirement through compliant processes that integrate cyber security risk assessment and limit the channels through which new devices are introduced into the organization. A modern enterprise asset management platform enables better visibility into clinical assets and manages clinical devices as configuration items with attributes that describe their security profile and threat intelligence capabilities. This results in a significant reduction in time from detection to response when dealing with security incidents.
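As an added illustration of the third step (example code, not from the original post or from DXC): a small Python model that records clinical devices as configuration items with security-profile attributes, and a triage function that, given a vendor advisory, returns the affected devices ordered by clinical risk and maps each to a response. The vendor, model, firmware and zone names are constructed placeholders, and the ordering rules are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Exposure rank of a network zone (constructed for this example): higher is more exposed.
ZONE_EXPOSURE = {"isolated": 0, "clinical-vlan": 1, "shared-campus": 2}

@dataclass(frozen=True)
class ClinicalDevice:
    """One clinical device tracked as a configuration item, with security-profile attributes."""
    asset_id: str
    vendor: str
    model: str
    firmware: str            # dotted version string, e.g. "3.1.4"
    network_zone: str        # key of ZONE_EXPOSURE
    patient_connected: bool  # device delivers or monitors care directly
    vendor_supported: bool   # vendor still ships security fixes for this firmware line

def parse_version(text: str) -> tuple:
    """Turn '3.1.4' into (3, 1, 4) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))

def affected_by_advisory(register, vendor, model, fixed_in):
    """Devices of the given vendor/model running firmware below 'fixed_in', ordered so the
    highest-risk configuration items come first: patient-connected, then most exposed zone,
    then those the vendor no longer supports (which need compensating controls, not a patch)."""
    hits = [d for d in register
            if d.vendor == vendor and d.model == model
            and parse_version(d.firmware) < parse_version(fixed_in)]
    hits.sort(key=lambda d: (not d.patient_connected,
                             -ZONE_EXPOSURE[d.network_zone],
                             d.vendor_supported))
    return hits

def triage_plan(devices):
    """Map each affected device to the response its security-profile attributes call for."""
    return {d.asset_id: ("patch" if d.vendor_supported else "isolate-and-compensate")
            for d in devices}

# Constructed sample register; vendor, model and firmware values are placeholders.
REGISTER = [
    ClinicalDevice("pump-0042", "ExampleMed", "Infusion-X", "3.1.4", "clinical-vlan", True, True),
    ClinicalDevice("pump-0077", "ExampleMed", "Infusion-X", "2.9.0", "shared-campus", False, False),
    ClinicalDevice("pump-0101", "ExampleMed", "Infusion-X", "3.2.0", "clinical-vlan", True, True),
    ClinicalDevice("mon-0003", "ExampleMed", "Monitor-Y", "1.0.0", "clinical-vlan", True, True),
]

if __name__ == "__main__":
    # Advisory (constructed): Infusion-X firmware before 3.2.0 is affected.
    affected = affected_by_advisory(REGISTER, "ExampleMed", "Infusion-X", "3.2.0")
    for d in affected:
        print(d.asset_id, d.firmware, d.network_zone, triage_plan([d])[d.asset_id])
```

Because the register already carries firmware, zone, patient-connection and support status per device, answering "which devices does this advisory touch, and what do we do first?" is a query rather than a manual survey, which is where the detection-to-response time saving comes from.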

Healthcare organizations are particularly vulnerable to cyber attacks, in part because the data is so valuable and also because there are so many opportunities to breach security. With so much riding on cyber security with healthcare data and assets — including patients’ lives because of the potential for attacks on implanted medical devices — healthcare organizations must mitigate risk and address the security gaps that exist across the organization.

Progressive, risk-averse healthcare organizations will be those with the technology, processes and expertise needed to counter cyber crime.


Rikin Patel is a DXC Technologist with 25 years of diverse experience in Information Technology. He serves as the Chief Technologist for DXC’s Americas Healthcare & Life Sciences and is a member of the Office of the CTO. Rikin is responsible for building key client relationships, advising senior leadership on technology trends, and providing thought leadership to effectively grow client and DXC business.
