Cybersecurity pro: Networked medical devices pose huge risks to patient safety
LAS VEGAS – The standing-room-only status of the HIMSS16 Cybersecurity Symposium on Monday told the story: The healthcare industry finally grasps the acute risk posed by cybercriminals to hospital systems and medical devices.
That said, awareness still doesn't necessarily mean folks always grasp the extent and severity of the problem, said Stephen Grimes, principal consultant at Strategic Healthcare Technology Associates, in his education session, "Biomedical Devices: Could Lack of Security Harm Patients?"
Past chair of HIMSS Medical Device Security Task Force and current chair of HIMSS Patient Safety Task Force, Grimes has been working on device safety for years – and he said the challenges are only growing in quantity and complexity.
Consider these numbers: There are 10 to 15 million medical devices in U.S. hospitals today. The average is 10 to 15 devices per bed, so a 500-bed hospital could have 7,500 devices – most of them networked. A 2,000-bed health system might have 1,500 infusion pumps alone.
Once upon a time, not too long ago, things were simpler: "Up until 10 to 20 years ago, medical devices were one device, one patient," said Grimes.
But recent history has shown this clinical machinery becoming more computerized, with more features and more data on board. Monitors, infusion pumps, ventilators, and CT and MRI scanners all hold critical patient information that could be accessed or tampered with.
And most are now connected to IT systems and legacy technologies that "have their own vulnerabilities."
That means single points of failure could open the door for hackers to take out significant portions of a hospital's medical network. The addition of smartphones and other personal devices into the security mix only complicates matters. Meanwhile, many medical device manufacturers are moving to the cloud, said Grimes, with the data processing taking place remotely – introducing yet another threat vector.
Despite all this, "there are no real effective standards for integrating medical devices," he said. "Especially when related to security."
That has to change. While IT systems are "mission critical," said Grimes, medical devices are "life-critical." A hacker compromising the confidentiality of protected health information is bad enough. By adversely impacting that data's availability or integrity, a cybercriminal could cause fatal consequences in a clinical setting.
The question of who has responsibility for keeping these devices secure, like so many other facets of this issue, is complex.
IT professionals know about technology and security – but generally have a limited knowledge about the quantity and type of medical devices in a hospital, said Grimes.
Clinical and biomedical engineers, meanwhile, have traditionally been responsible for devices – but might not always be attuned to the magnitude of the new security threats.
That's "two big silos," said Grimes, and "often there's not a sufficient exchange of information" between them.
For hospitals looking to get a handle on networked medical devices and protect patient safety, Grimes said it was critical to determine the scope and nature of their medical device inventory and the type of data that's vulnerable: "You can't manage what you can't measure."
It's also key to identify gaps and establish processes to address vulnerabilities, he said, specifically with an eye toward bringing IT and medical personnel into a closer working relationship.
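The inventory-first approach Grimes describes (measure the estate, then derive the gaps from it, with the IT and biomed silos both visible in the data) can be sketched as a small script. The following is an added example written for this article, not code from the session, from Grimes, or from Strategic Healthcare Technology Associates; the device records, field names, category vocabulary and severity rule are all constructed assumptions chosen to illustrate the idea, not a standard or a real hospital's data.

```python
"""Inventory-driven gap analysis for networked medical devices.

Added example, not from the HIMSS16 session. Every record, field name and
scoring rule below is a constructed assumption: first build the measured
inventory, then derive the findings from it ("you can't manage what you
can't measure").
"""
from collections import Counter
from dataclasses import dataclass

# Categories whose integrity/availability directly affects a patient (assumption).
LIFE_CRITICAL = {"infusion_pump", "ventilator", "patient_monitor"}


@dataclass(frozen=True)
class Device:
    asset_id: str
    kind: str               # device category, constructed vocabulary
    unit: str               # clinical unit the device is assigned to
    networked: bool         # reachable from the hospital IT network
    holds_phi: bool         # stores or transmits protected health information
    vendor_supported: bool  # firmware/OS still receives vendor patches
    segmented: bool         # placed on a restricted medical-device network zone
    owner: str              # "it" or "biomed": which silo tracks the device


# Constructed sample inventory (a handful of records, not real assets).
INVENTORY = [
    Device("MD-0001", "infusion_pump", "ICU", True, True, False, False, "biomed"),
    Device("MD-0002", "infusion_pump", "ICU", True, True, True, True, "biomed"),
    Device("MD-0003", "patient_monitor", "ICU", True, True, True, False, "it"),
    Device("MD-0004", "ventilator", "ICU", False, True, False, False, "biomed"),
    Device("MD-0005", "mri_scanner", "Radiology", True, True, False, True, "it"),
    Device("MD-0006", "bp_cuff", "Ward-3", False, False, True, False, "biomed"),
]


def summarize(devices, beds):
    """Measure the estate: totals, devices per bed, networked share, who owns what."""
    total = len(devices)
    networked = sum(d.networked for d in devices)
    return {
        "total": total,
        "per_bed": round(total / beds, 2),
        "networked_pct": round(100 * networked / total, 1),
        "phi_networked": sum(d.networked and d.holds_phi for d in devices),
        "by_owner": dict(Counter(d.owner for d in devices)),
        "by_kind": dict(Counter(d.kind for d in devices)),
    }


def gaps(devices):
    """Derive findings from the inventory.

    Severity rule (an assumption): a networked device holding PHI on
    unsupported firmware with no segmentation is "high"; any finding on a
    life-critical category is escalated to "critical" because tampering with
    its integrity or availability can harm a patient, not just leak data.
    """
    findings = []
    for d in devices:
        if not d.networked:
            continue  # no remote attack surface to score in this model
        issues = []
        if not d.vendor_supported:
            issues.append("unsupported firmware")
        if not d.segmented:
            issues.append("not segmented")
        if not issues:
            continue
        severity = "medium"
        if d.holds_phi and len(issues) == 2:
            severity = "high"
        if d.kind in LIFE_CRITICAL:
            severity = "critical"
        findings.append({"asset_id": d.asset_id, "kind": d.kind, "unit": d.unit,
                         "severity": severity, "issues": issues, "owner": d.owner})
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["asset_id"]))


if __name__ == "__main__":
    print(summarize(INVENTORY, beds=120))  # bed count is a constructed sample value
    for f in gaps(INVENTORY):
        print(f["severity"].upper(), f["asset_id"], f["kind"], f["unit"],
              f["owner"], ", ".join(f["issues"]))
```

The `owner` field is deliberately part of every finding: when a critical item sits on a biomed-tracked device, the fix has to cross the silo boundary, which is exactly the information exchange Grimes says is usually missing.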
This story is part of our ongoing coverage of the HIMSS16 conference.