Q&A with ECRI Institute's Juuso Leinonen and Chad Waters
In its annual 2019 Top 10 Health Technology Hazards report, ECRI Institute identified "hackers can exploit remote access to systems, disrupting healthcare operations" as its top concern.
We spoke with ECRI Institute Senior Project Engineer Juuso Leinonen and Senior Cybersecurity Engineer Chad Waters about the inclusion of cyber threats on its list, why organizations are vulnerable to cyber attacks, and what organizations can do to improve their security preparedness.
Q: What earned cyber threats their spot at the top of your 2019 Health Technology Hazards list for the second year in a row?
Juuso Leinonen (JL): Last year, ransomware and other cybersecurity threats topped ECRI’s Health Technology Hazards list, which outlined cybersecurity as a patient safety issue that impacts most departments within a healthcare facility one way or the other. From your C-suite to your front-end clinicians, all can and should contribute to creating a more secure environment.
This year we focused on a specific technology-related concern of remote access, with practical steps to address it. Remote access to devices in a healthcare environment is getting more prevalent due to the benefits it provides, ranging from clinical workflow to streamlined manufacturer system maintenance. But as outlined in our 2019 top 10 hazard article, remote access can also be an avenue for compromise if appropriate protections are not in place for the remote access.
Cybersecurity in a healthcare facility is a complex problem. It is paramount that we focus on identifying areas where practical steps can be taken to make a significant impact.
Chad Waters (CW): Remote access hacks have increasingly become the attack vector of choice. These means to get into networks have resulted in the many recent SamSam ransomware infections that have paralyzed healthcare facilities and even government entities. Last month, the FBI also published an alert on the rise of organized remote desktop protocol attacks, which further emphasizes this growing concern. Exploitation of remote access to systems used in care delivery can result in delays to patient care and, in the worst-case scenario, lead to patient harm.
Q: Are we seeing any improvements or best practices in how healthcare leaders are approaching this growing challenge?
JL: Healthcare facilities still struggle with numerous priorities, of which cybersecurity is one of many. We have seen healthcare facilities increasingly consider medical device security during procurement and ongoing device management. Medical device manufacturers are stepping up with increased transparency about security capabilities and vulnerabilities in their products. Many are also making product design enhancements related to security a priority.
Q: How are organizations leaving themselves vulnerable to cyber attacks?
JL: Many organizations are faced with a problem of managing relatively old medical device fleets, often from hundreds of different vendors. Designing products with security in mind simply was not a priority five to seven years ago, and many of those devices are still in clinical use. The long expected life of medical devices makes it difficult to manage them from the security perspective. ECRI estimates that most medical devices last seven to 10 years.
The problem has been further exacerbated by the increase in network-connected medical devices. While such devices can improve patient safety and provide workflow enhancements, they always leave a potential for compromise if systems are not appropriately protected. Lack of sufficient resources to manage device security is still a key issue for many facilities.
Q: What are some steps organizations should take to improve their efforts to safeguard assets?
JL: Facilities should ensure that appropriate resources and personnel are in place to address medical device security. Cybersecurity should be thought of as a responsibility for all and not solely an IT issue. A key step to start with is taking a complete inventory of all your medical devices, which should include software and networking details. Also, a formal technical assessment of medical device security is recommended during procurement by both IT and clinical engineering.
CW: Specific to remote access, as outlined in our top 10 for 2019 report:
- Inventory all remote access systems and the purpose of the remote connection.
- Implement policies to approve and govern remote access.
- Deploy appropriate security controls to protect systems during initial implementation.
Q: How can organizations work more effectively with their technology vendors to enhance security?
JL: Transparent communication between the facility and device vendors about security is a key to success. Healthcare organizations and medical device vendors need to share the responsibility of ongoing management of device security. It is about building partnerships, where both have an important role to play.
CW: Facilities should include the security department in the product evaluation process and provide requirements prior to procurement. These requirements should address the security controls present and spell out terms of product maintenance and upgrades.