Protecting patients from emergent cybersecurity threats is the shared responsibility of the entire healthcare supply chain
Advances in information technology and medical devices and increasing interoperability of information systems, devices and services are improving patient care and creating efficiencies in the healthcare system.
However, the increased use of connected medical devices and software, coupled with widespread adoption of wireless technology have made health systems more vulnerable to cyberattacks and cybersecurity threats than ever before.
Each new capability is a potential on-ramp for introducing malware into the system. Medical devices are often life-sustaining and provide vital clinical functions that cannot be compromised without diminishing direct patient care. Accordingly, the availability, reliability, and safety of these devices is essential.
High profile cyberattacks at hospitals and healthcare facilities, including the recent WannaCry attack that paralyzed the United Kingdom’s National Health Service, consistently demonstrate the vulnerability of the healthcare system to potentially crippling 21st century cyber-threats.
The average cost to an organization of a data breach, as reported by IBM in 2017, was $7.35 million. Beyond the financial impact, cyberattacks also pose an existential threat to patient health, privacy and safety. Protecting patient health through device and information security is the shared responsibility of medical device manufacturers, providers, and all supply chain stakeholders.
Fortunately, there are a number of common-sense practical and evidence-based steps that suppliers, manufacturers and providers can take to decrease the likelihood of attacks.
First, suppliers of network-accessible medical devices, software and services should warrant that they are compliant with current U.S. Food and Drug Administration (FDA) cybersecurity guidance documents. In addition, suppliers should ensure the security of all procured or developed systems and technologies throughout their useful life, including any extension, warranty, or maintenance periods.
Because information-sharing is a significant component in battling cyber criminals, suppliers and providers should, at minimum, participate in one or more Information Sharing and Analysis Organizations (ISAOs), utilize risk assessment IT security methodologies, and ensure their policies and practices reflect widely-accepted standards, such as those provided by the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and/or the Federal Information Security Management Act (FISMA) recommendations and requirements for cybersecurity.
Other important preventative steps include the use of network access controls to restrict user access to systems and data based on need, cyber training and assessment for all employees with network access, data encryption wherever and whenever practical, and robust backup and restoration procedures.
As the sourcing and purchasing partners to virtually all American hospitals, as well as the vast majority of long-term care facilities, surgery centers, clinics, and other healthcare providers, healthcare group purchasing organizations (GPOs) have a unique line of sight over the entire healthcare supply chain. Given that line of sight, the Healthcare Supply Chain Association (HSCA) recently released cybersecurity key considerations for healthcare providers, medical device manufacturers and service providers to help protect patient health, privacy and safety.
Recognizing that a one-size-fits-all approach doesn’t work across the healthcare system, and that medical technology is more specialized with fewer replacement options for legacy devices, HSCA’s cyber considerations address a broad range of possible scenarios in terms of the costs, technical complexity, risks and benefits associated with connected devices and services.
Mitigating the risk of cybersecurity threats while supporting improved patient care and safety will require a cooperative and collaborative effort among all supply chain stakeholders, including suppliers, manufacturers and providers. Working together to implement cybersecurity measures will ensure that hospitals and their physicians have the tools necessary to combat 21st century cybersecurity threats while also providing uninterrupted first-class care for patients.
Todd Ebert, R.Ph., is President and CEO of the Healthcare Supply Chain Association (HSCA)
Curt Miller is Executive Director of HSCA’s Committee for Healthcare eStandards