Cybersecurity and Medical Devices: 'Ducking Bullets' - Consultant Brian Selfridge on Threats to Patient Safety
"We've been ducking bullets" when it comes to cybersecurity incidents impacting patient safety, says consultant Brian Selfridge, a former healthcare CISO.
"I believe there are tangible harms happening at present based on information security lapses, but I believe there are a lot more potential [bad effects on patients]," says Selfridge, who leads consulting firm Meditology's IT risk management practice. "In terms of the harm that's happening today, it's primarily more of a business harm."
For instance, ransomware attacks and other incidents are resulting in "folks having longer wait times ... and that's harmful in the sense that people are needing to be treated ... and any delays in care can produce harmful outcomes that probably aren't very easy to measure."
In addition, some security incidents result in health data about a patient not being available at the time of care - such as information about serious allergies to certain medications. That could potentially result in poor treatment decisions that could cause harm.
"The bigger story and the bigger concern is more around things like medical devices where we have some of the weakest security controls of any assets in devices that are old, outdated, or there's a lack of coordination with all the parties that need to get together to figure out how to get those devices secure," Selfridge says.
For instance, on Aug. 29, the FDA issued an alert concerning vulnerabilities in implantable cardiac devices sold by Abbott Laboratories (see FDA First: Cyber Recall for Implantable Devices).
"We have some vulnerable devices that are very susceptible to some of the attacks we see out there ... malware, ransomware, hacking attacks. The concern there is because they are so vulnerable [and] accessible and increasingly networked, and increasingly impactful to patients' physical well-being ... if one or more of those devices across a single environment ceases to function correctly at a critical juncture, then we have very real patient safety implications."
In the interview, Selfridge also discusses:
- Security mistakes that healthcare entities often make;
- Ways to improve access controls;
- Why it's critical for entities not to lose sight of everyday security issues as they deal with high-profile incidents, such as ransomware attacks.
Before joining Meditology, Selfridge was CISO at AtlantiCare, a large integrated healthcare provider in southern New Jersey. He has more than 13 years of experience in healthcare security, including implementation and execution of operational information security programs. Selfridge also has expertise in ethical hacking, medical device security and strategic security considerations for areas such as health information exchange and regulatory compliance.