[00:00:00] Christian Dameff, MD: Hi again, I'm Dr Christian Dameff, practicing emergency medicine physician and medical director of cybersecurity. Whether we're in the doctor's office for a routine checkup, monitoring our heart with a wearable device on a morning jog, or having surgery in the operating room, we rarely consider that devices connected to us for medical care are also connected to hospital networks, wireless networks, and the internet.
[00:00:30] These connections, while often providing more convenient and cost-effective care, also make these devices vulnerable to a cybersecurity attack. We know that the benefits from rapid advances in the use and capability of connected health also come with potential risks. According to the American Hospital Association, the US is home to 6210 hospitals, each between 50 and 500 beds and 10 to 15 network devices per bed. That means with a total of more than 930 000 staffed hospital beds across the United States, there are some 14 million connected medical devices in the US just at the bedside. Many of these must be protected against cyber attacks and other threats and vulnerabilities. Thus, it is evident that patient safety depends on cyber safety. This fact is acutely on the mind of both health care providers who manage these devices and the health care technology and health IT companies who manufacture them. Certain principles are understood when we think about health care cybersecurity.
[00:01:31] First, because the threats are constantly evolving, security practices have difficulty keeping up. Second, health care institutions do not have the time, money, or resources to independently fix cybersecurity vulnerabilities. Third, patching for updates and vulnerabilities in the medical device ecosystem can be more complicated than your average IT update. That's because there is a human, not an app, connected to that medical device, and system reboots are not an option. And finally, while certainly necessary, government regulation, mostly from the Food and Drug Administration, can't always anticipate changing technologies and the complexities of cybersecurity in a clinical environment.
[00:02:12] So, recognizing that these challenges are a shared responsibility, government and health care stakeholders are working together to address these health care cybersecurity challenges. So what are medical devices? A medical device is a name given to a technology used in patient care. It is a general name for a very broad category of devices, ranging from pacemakers to brain stimulators to insulin pumps, EKG machines, and MRI devices.
[00:02:37] They assist caregivers in providing care to patients and facilitate involvement by friends and family. They also provide significant benefits by automating manual functions and performing functions people can't always do, such as imaging and providing continuous monitoring. They allow multiple patients to be monitored at once. These devices often rely on wireless or wired connections that link them together through networks, and that can be the problem. Cybersecurity is a widespread issue affecting medical devices connected to the internet, networks, and other devices. And when we think of the practice of cybersecurity for medical devices, it means preventing unauthorized access and modification, misuse or denial of use, or unauthorized transfer of information from a medical device to an external recipient.
[00:03:23] The US Food and Drug Administration works with medical device companies to strengthen their product cybersecurity. They provide guidance to device manufacturers about putting security in devices before they go to market, and about helping their customers keep them secure. Everybody in our community—the FDA, manufacturers, health care providers—all understand that failure to maintain cybersecurity in a device can result in malfunctions, loss of medical or personal data, loss of data integrity, or the spreading of cybersecurity threats to other connected devices or network.
[00:03:58] And this can result in patient harm, such as injury, illness, or even death. Although it is not possible to completely eliminate all the cybersecurity vulnerabilities from medical devices, manufacturers do have a responsibility to inform their health care providers about vulnerabilities and how to mitigate them.
[00:04:15] Your medical device servicer should be able to detect those problems and take actions to protect the device. In other areas, the manufacturers don't have as much control, like with the operating system they use or other third-party software they install on the device to make it work. In time, those software programs will age and won't be supported either. So the IT and medical device specialists in your health care system will have to make informed decisions about keeping those devices in service or come up with temporary protections. Often, there may be a financial reason why a health care provider must continue to use a device past the point where it can be protected against cyber vulnerabilities. If the device remains clinically useful and safely performs its intended use, the provider may be willing to take the risk that unpatched devices will become increasingly vulnerable. Unfortunately, this makes them a convenient entry point for cyber attacks. These attacks can either be directed on the devices themselves or through the computers that control and monitor them.
[00:05:14] Many of these devices have 10- to 20-year lifespans and do not have the latest updated operating systems or software. Also, many of these were not designed with security in mind and the assumption that they would be connected to networks that presented risk. This presents a significant issue because these devices are used in direct patient care processes and contain sensitive patient information. They often automate functions that would otherwise require significant manual work to accomplish.
[00:05:35] So what does this mean for you, the clinician? Every year we host a conference about medical device security, and during that conference we stage a simulation featuring a third-year medical student treating a person, an actor, showing indications of a stroke.
[00:05:55] The first step in that situation is performing a CT scan on the person's brain to see if that stroke is caused by a clot or a hemorrhage. But what happens if the CT scan image doesn't come back because the machine has been hacked and disabled? The student never thinks that the malfunction could have been caused by a cyber attack, let alone know how to recognize a cyber attack on a machine. So they are forced to improvise.
Medical devices provide significant benefit to the care environment. They also come with significant risks. We hope this video has demonstrated steps that you can take to further protect you and your environment, and also to continue to provide excellent care to your patients.
[00:06:35] Up next, we'll have tips for protecting you and your environment.
Disclosure Statement: Unless noted, all individuals in control of content reported no relevant financial relationships.
If applicable, all relevant financial relationships have been mitigated.