Medical devices are a weak link in the security chain and uniquely susceptible to cyberattack. And the stakes – patient lives – couldn’t be higher.
Traditionally, medical devices were standalone and interacted only with the patient. Today, however, devices store and transmit data, include configurable embedded software, and are connected to the network, which makes them accessible to anyone on that network and exposed to cyberattack.
Complicating the picture, many are legacy devices with no control options, and current medical device inventories lack basic IT information.
Durfee said it is a good idea to work through a medical device governance committee, develop a risk matrix, and assign a threat-based rating to each medical device.
For instance, a medical device running Windows XP – an outdated and unsupported operating system – that stores electronic patient health information (ePHI) and is connected to the hospital network is a higher risk than a medical device with no ePHI that is not connected to the network, she said.
She explained that health providers and hospitals can better prepare for the security concerns around connected medical devices by implementing a device security program with strong executive oversight and support from the board.
She said the highest-risk medical devices are those connected to the patient and those directly connected to the network, which means remediation options should be evaluated and action plans created to resolve the risk or implement mitigating controls to reduce it.
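The risk matrix described above, worked as an added example (not code from the article or from Durfee): each inventory row is rated on the factors the article names (unsupported OS, ePHI storage, network connection, patient connection, availability of controls); the weights, the 5x5 likelihood-by-impact matrix, the tier cut-offs and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    """One inventory row; fields are the article's rating factors."""
    name: str
    os_supported: bool        # vendor still ships security patches
    stores_ephi: bool         # holds electronic protected health information
    network_connected: bool   # reachable from the hospital network
    patient_connected: bool   # physically attached to a patient
    controls_available: bool  # False for legacy devices with no control options

def likelihood(d: Device) -> int:
    """1-5: chance of compromise, driven by exposure and patchability (assumed weights)."""
    score = 1 + (2 if d.network_connected else 0)
    score += (0 if d.os_supported else 1) + (0 if d.controls_available else 1)
    return min(score, 5)

def impact(d: Device) -> int:
    """1-5: consequence of compromise; patient safety outweighs data exposure (assumed weights)."""
    return min(1 + (3 if d.patient_connected else 0) + (1 if d.stores_ephi else 0), 5)

def rating(d: Device) -> tuple[int, str]:
    """Place the device on a 5x5 matrix and return (likelihood x impact, tier)."""
    product = likelihood(d) * impact(d)
    if product >= 15:
        tier = "critical"
    elif product >= 8:
        tier = "high"
    elif product >= 4:
        tier = "medium"
    else:
        tier = "low"
    return product, tier

def prioritize(inventory: list[Device]) -> list[tuple[str, int, str]]:
    """Order the inventory for remediation planning, highest risk first."""
    return sorted(((d.name, *rating(d)) for d in inventory), key=lambda row: -row[1])

# Constructed sample inventory modelled on the article's two contrasting cases.
INVENTORY = [
    Device("infusion pump (Windows XP)", False, True, True, True, False),
    Device("standalone ECG cart", True, False, False, True, True),
    Device("PACS workstation", True, True, True, False, True),
]

if __name__ == "__main__":
    for name, score, tier in prioritize(INVENTORY):
        print(f"{score:2d} {tier:8s} {name}")
```

The ranked output is the input to the remediation action plan: the top tier gets a resolution or compensating control first, and the rating is re-run whenever the inventory's IT fields change.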
Reporting and accountability through the governance committee are essential, she added.