Healthcare organizations must make some big moves to improve the cybersecurity of medical devices used in their environments, says medical device cybersecurity expert Stephen Grimes. Among these steps: Create new procedures for their IT teams, biomedical engineers and clinicians to better and more quickly understand the vulnerabilities and risks inherent in these products.
"They need to become educated about the vulnerabilities, what are the issues, and what is the scope of the challenges within their own organization," Grimes says. The average 500-bed hospital often has more than 7,500 medical devices falling into hundreds of different categories, and all of them face a variety of potential security risks, he notes.
Often complicating matters is a "knowledge gap" between stakeholders who have differing responsibilities for the technology of these networked devices, he says.
"One of the significant challenges that we have is that those people who are responsible for healthcare IT and IT cybersecurity aren't that familiar with the medical technology side," he says. Meanwhile, biomedical or clinical engineers, who are typically the ones responsible for medical devices at healthcare provider organizations, aren't familiar with the security issues, he says in an interview with Information Security Media Group. "They have traditionally been siloed," he says.
"There needs to be some significant collaboration, getting those two groups on the same page, as well as bringing in the users of these technologies, which are primarily the clinicians, but also the leadership," he says.
It's not only the internal teams within healthcare organizations that need to step up their awareness and become more proactive in addressing medical device cybersecurity, Grimes says.
"The manufacturers also need to work with the clinical engineering and IT [teams] to ensure they're providing information to those people who are going to be attempting to secure these devices in a working environment," he says.
"It's important that these groups work with the manufacturers to get this information, and that the manufacturers cooperate."
In the interview, Grimes also discusses:
- How healthcare organizations should handle legacy medical devices running older operating systems and other software that cannot be patched;
- Access management and authentication challenges involving networked medical devices - including when remote clinicians need access to patient data;
- The Food and Drug Administration's recent draft guidance on post-market cybersecurity of medical devices.
Grimes is managing partner and principal consultant at consulting firm Strategic Healthcare Technology Associates. Prior to that, Grimes was chief technology officer of ABM Healthcare Support Services. Grimes has more than 30 years of experience with hospitals, shared service organizations and healthcare consulting firms. He is also a Fellow of the Healthcare Information and Management Systems Society, where he currently chairs its Medical Device and Patient Safety Task Force. He will be speaking about medical device cybersecurity at the HIMSS 2016 conference in Las Vegas.