Tips to tackle the biggest cyber challenge hospitals face: medical device security
The ECRI Institute put managing medical device cybersecurity threats at numero uno on its 2018 list of top 10 challenges facing healthcare.
When dealing with medical device cybersecurity, ECRI’s focus has been largely making sure it provides practical guidance for its member hospitals, Leinonen said.
“We really need to make sure that there are appropriate resources for the healthcare facility to tackle medical device cybersecurity,” ECRI project engineer Juuso Leinonen said. As he sees it, a practical path to reach organizations’ security goals to improve their “security posture” is critical.
When asked what actions health systems could take now to boost medical device security, he didn’t have to think about it.
“Have an appropriate inventory of your medical devices,” he said. “It’s nearly impossible to effectively patch and protect medical devices without this kind of information.”
When buying medical devices, he cautioned hospital executives to make sure they are buying them with the security they need.
That’s not easy.
“At a healthcare facility, you’re looking at having thousands of devices from hundreds of manufacturers,” Leinonen said. “Each one of those could potentially have their own security requirement, which makes it almost a nightmare to manage.”
Leinonen said it is important to recognize that cybersecurity is not just an IT problem. From IT, clinical, engineering, risk management, purchasing to the front-end clinicians, just about every department is touched by security gaps.
Technology can help, but Leinonen warned, “you can’t solely focus on technology.”
When breaches occur, often there is a human component – people clicking on this or that – and recovery from an attack like that can be rough.
His best advice? Conduct an inventory of medical devices as well as the related software and incorporate security considerations as a formal part of the purchasing process
“Recognize that this is not just an IT problem,” he said. “All different individuals within an organization really should play a role in managing overall risk.”
Leinonen will be speaking in the session, “10 Challenges in Managing Medical Device Cybersecurity,” at 11:30 a.m. March 7 in the Venetian, Marcello 4401.
An inside look at the innovation, education, technology, networking and key events at the HIMSS18 global conference in Las Vegas.