By Todd Ebert
Advances in technology have led to unprecedented developments in the healthcare sphere. Medical device and service technologies are improving patient care and creating efficiencies in the healthcare system. However, medical devices and services, like any computer system, are vulnerable to cybersecurity threats that could jeopardize patient health, safety and privacy. The increased use of connected medical devices and software as a service (SaaS), the adoption of wireless technology, and the overall increase in medical device and service connectivity to the Internet significantly increase the risk of cybersecurity threats.
The Healthcare Supply Chain Association and its group purchasing organization members are the sourcing and purchasing partners to America’s hospitals, long-term care facilities, surgery centers, clinics, and other healthcare providers. Given our unique line of sight over the entire healthcare supply chain, and our experience working on the front lines of the healthcare industry, HSCA has an intimate understanding of the challenges the healthcare industry faces as it seeks to protect patients’ privacy while improving patient care. As a result, HSCA has issued the following key cybersecurity considerations to medical device manufacturers, healthcare providers, and service providers:
- Providers and suppliers should participate in one or more Information Sharing and Analysis Organizations (ISAOs) and ensure their policies and practices reflect widely accepted standards, such as those provided by the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and Federal Information Security Management Act (FISMA) recommendations and requirements for cybersecurity.
- Suppliers of network-accessible medical devices, software and services should warrant that they are compliant with current U.S. Food and Drug Administration guidance documents and industry standards. Providers should not acquire or use devices, software or services not so warranted unless no practical alternatives exist. In these cases, providers should ensure devices, software or services are deployed in a manner that reduces the risk of a security event.
- Suppliers of network-accessible medical devices, software and services should, at their own expense, provide reliable and timely information regarding any vulnerability or risk identified in their devices or services, including their firmware and software, and provide guidance on how providers should remediate or mitigate it.
- Providers should avoid acquiring any device or service from a manufacturer that does not warrant that it actively participates in ISAOs. Providers are encouraged to participate in ISAOs as well. Information-sharing among the user community is a significant factor in battling cybercriminals, and participation in ISAOs provides a platform for such sharing and improves the cybersecurity of all participants.
- Medical device manufacturers should provide a Manufacturer Disclosure Statement for Medical Device Security (MDS2) for any medical device that can be connected to a network (i.e., any device with a wired or wireless network interface, which will have a MAC address). Providers should avoid acquiring devices for which a supplier is unable or unwilling to provide an MDS2. When suppliers provide MDS2s, those MDS2s should be reviewed by provider network security teams, or their designated third party, prior to the purchase, use, or implementation of any medical device. All medical devices and services should be installed and operated in a manner consistent with the organization’s security policies and practices.
- Although compliance with current guidelines can significantly reduce the cybersecurity risks associated with medical devices and services, legacy devices and possible future noncompliance pose ongoing risks. Providers have a considerable investment in connected legacy devices, software and services that may not be compliant with current guidelines and standards but that are critical to maintaining patient care. Recognizing that it is not practical or feasible to retire or replace those assets in the short term, manufacturers should acknowledge responsibility for the security of legacy devices and work expeditiously to upgrade them to current security standards, or provide upgrade paths to providers at no or minimal additional cost. Doing so may also afford a competitive position relative to future sales.
Maintaining device and information security is a shared responsibility of the manufacturers and suppliers of connected devices and services, as well as the providers that use them. Providing this security is a continual effort that requires vigilance, adaptation, and ongoing communication as we continue to provide the best possible care to patients.
Todd Ebert, R.Ph., is the president and CEO of the Healthcare Supply Chain Association (HSCA).