How to Prioritize Cybersecurity Risks in Medical Devices
Unpatched vulnerabilities will become increasingly susceptible to cyberattacks
Doug Folsom
Published: Tuesday, December 6, 2022 - 12:02

Unpatched vulnerabilities remain a target of cyberattacks and an ever-present risk for healthcare organizations. Medical devices pose an additional burden because patches are frequently unavailable for them, so dealing with the potential threat isn’t usually straightforward. The stakes are also high in healthcare, because cybersecurity risks can expose or hinder access to electronic protected health information (ePHI), or even harm patients if equipment malfunctions or is inaccessible.

Medical device cybersecurity hinges on knowing the vulnerabilities of each device and whether patches are available, how critical each piece of equipment is to overall operations, and what risk it poses to patient safety, among other factors. Continuous assessment and real-time risk measurement help prioritize surveillance efforts, raise red flags, and mitigate risk efficiently.

The scale of threat from unpatched vulnerabilities

Federal regulators say that unpatched vulnerabilities will become increasingly susceptible to cyberattacks. Recent cybersecurity incidents have forced hospitals to relocate surgical patients, divert ambulances to other hospitals, and otherwise delay care. Regulators note how troublesome healthcare software vulnerabilities are to contend with: a single component, such as the Log4j logging library, can carry multiple vulnerabilities, and remediating the risk can be a time-consuming and tedious process.

Medical devices are even more complicated than other connected devices, requiring both clinical engineering and IT expertise to manage effectively. It is a fine line to address vulnerabilities while ensuring that the safety and effectiveness of the device do not significantly change, which could affect the quality of care. In some cases, cyber safety measures could compromise the device’s capability to provide care.

Software patches and other changes to a medical device require a risk assessment and validation from the original equipment manufacturer (OEM). Manufacturers aren’t required to issue updates unless the risk presented by the vulnerability is determined to rise to the level of a recall, so it’s common that OEM-validated patches aren’t used.

Assessing real-time threats is critical and complicated

Healthcare systems must consider several factors when assessing real-time threats: known vulnerabilities, the device’s risk profile, and patient safety. Before evaluation begins, teams must gather a detailed inventory of all medical devices that gives visibility into each one, including its core attributes, where it is, and how it’s deployed.

When evaluating each piece of equipment for cyber vulnerability, medical device teams should ask these questions:
• How critical is the vulnerability?
• What will it expose?
• How easily is it exploited?
• What’s the original manufacturer’s remediation status, if any?

Considerations for device risk include:
• How is the device used: Is it life-supporting, diagnostic, or does it have another mission-critical use?
• Is the issue tied to the operating system?
• Is the issue connected to an FDA alert or recall?
• How old is the device? Is it at risk of being designated “end of life” and no longer receiving support and updates from the manufacturer?
• Is the device capable of storing ePHI?

Patient safety assessment focuses on this crucial question:
• What is the potential risk to patient safety, and what is the consequence of failure?

Medical device teams can prioritize which devices require risk mitigation based on the answers to these questions. Priorities can vary widely by health system: designating the devices of first concern depends on the system’s risk tolerance, life-cycle management criteria, and budget capacity. A comprehensive medical device cybersecurity solution with a technology-enabled assessment can be useful in understanding the scope of risk.

Continuous cybersecurity risk assessment

Risk assessment requires a combination of technology, people, and process. The clinical engineering team gathers a device inventory, the technology solution manages the inventory, and the medical device team executes a process to respond to vulnerabilities.

To begin addressing vulnerabilities, start with the devices carrying the most critical risk. Before installing any patch, confirm that it’s validated by the manufacturer; unverified fixes may affect the performance of the medical device and put patient safety at risk. If a patch is unavailable, other compensating controls, such as moving the device to a care setting that doesn’t require it to be on the network, may be prudent, but they must be carefully vetted.

As teams continue the risk assessment and measurement process, they should establish a risk gauge to help prioritize mitigation efforts. The gauge reflects known cyber vulnerabilities, known patches, and risks to patient safety. This scale requires continuous updates as devices change and degrees of risk evolve.

Risk mitigation is a team effort among healthcare providers. When equipment posing a security risk is identified, care providers can approve compensating controls or accept the risk for a given vulnerability based on their knowledge of the risks and benefits to patients.

Preventing cyberattacks on medical devices is vital, but mitigation isn’t simple. Teams should use the process above to evaluate the risks and benefits of repairing vulnerabilities, and act on the most vulnerable and crucial assets first. The assessment isn’t a one-and-done process: monitoring and evaluating risk must be continuous as new vulnerabilities are identified, new patches are issued, and the state and importance of equipment evolve.

About The Author
Doug Folsom is president of cybersecurity and chief technology officer for TRIMEDX, an industry-leading, independent clinical asset management company delivering comprehensive clinical engineering services, clinical asset informatics, and medical device cybersecurity. Doug has nearly 30 years of information technology leadership experience. He earned his master’s degree in business from Ohio University and a bachelor’s degree in electrical engineering technology from DeVry Institute of Technology.
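As an added worked example (not code from the article, and not the author’s or TRIMEDX’s method), the Python script below implements a risk gauge of the kind the article describes: it scores a constructed device inventory on the three factors the article names (known vulnerability, device risk profile, patient safety), ranks the devices so the most critical come first, and recommends an action that respects the rule that only OEM-validated patches are installed and everything else is a vetted compensating control or a documented risk acceptance by care providers. All weights, thresholds, device identifiers and attribute values are assumptions chosen for illustration; a health system would tune them to its own risk tolerance.

```python
"""Illustrative medical-device risk gauge (constructed example, not the
article's or TRIMEDX's method). Scores inventory devices on known
vulnerability, device risk profile and patient safety, then recommends an
action that never installs a patch the OEM has not validated."""
from dataclasses import dataclass
from enum import Enum


class Use(Enum):
    LIFE_SUPPORTING = "life-supporting"
    DIAGNOSTIC = "diagnostic"
    OTHER = "other"


class PatchStatus(Enum):
    OEM_VALIDATED = "oem-validated"   # safe to install
    UNVALIDATED = "unvalidated"       # a fix exists, but the OEM has not validated it
    NONE = "none"                     # no remediation available


@dataclass
class Device:
    asset_id: str
    model: str
    clinical_use: Use
    vuln_severity: float      # 0..10, e.g. a CVSS base score for the known flaw
    exploitability: float     # 0..1, how easily the flaw is exploited
    patch_status: PatchStatus
    stores_ephi: bool
    end_of_life: bool         # no further vendor support or updates expected
    fda_recall: bool          # tied to an FDA alert or recall
    network_connected: bool


# Assumed weights and tier thresholds, chosen for illustration only.
SAFETY_WEIGHT = {Use.LIFE_SUPPORTING: 1.0, Use.DIAGNOSTIC: 0.6, Use.OTHER: 0.3}
TIERS = [(50, "critical"), (25, "high"), (10, "moderate"), (0, "low")]


def likelihood(d: Device) -> float:
    """0..10: how likely the vulnerability is to be exploited on this device."""
    value = d.vuln_severity * d.exploitability
    if not d.network_connected:
        value *= 0.25            # off-network devices are far less reachable
    if d.end_of_life:
        value += 1.0             # no future fix, so exposure only grows
    return min(value, 10.0)


def impact(d: Device) -> float:
    """0..10: consequence of failure for patients and ePHI."""
    value = 10.0 * SAFETY_WEIGHT[d.clinical_use]
    if d.stores_ephi:
        value += 2.0
    if d.fda_recall:
        value += 2.0
    return min(value, 10.0)


def risk_score(d: Device) -> float:
    """Risk gauge reading, 0..100 (likelihood x impact)."""
    return round(likelihood(d) * impact(d), 1)


def tier(score: float) -> str:
    return next(label for threshold, label in TIERS if score >= threshold)


def recommended_action(d: Device) -> str:
    """Only OEM-validated patches are installed; otherwise a vetted
    compensating control or a documented risk acceptance by care providers."""
    if d.patch_status is PatchStatus.OEM_VALIDATED:
        return "apply OEM-validated patch"
    note = "; do not install unvalidated patch" if d.patch_status is PatchStatus.UNVALIDATED else ""
    level = tier(risk_score(d))
    if level in ("critical", "high"):
        return "vetted compensating control (e.g. segment or take off network)" + note
    if level == "moderate":
        return "compensating control or care-provider risk acceptance" + note
    return "accept risk with care-provider sign-off; re-evaluate on change" + note


def prioritize(inventory):
    """Return (asset_id, score, tier, action) rows, most critical first."""
    rows = [(d.asset_id, risk_score(d), tier(risk_score(d)), recommended_action(d))
            for d in inventory]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample inventory; identifiers and attribute values are made up.
INVENTORY = [
    Device("INF-0042", "infusion pump", Use.LIFE_SUPPORTING, 9.8, 0.9,
           PatchStatus.NONE, False, False, True, True),
    Device("MRI-0007", "MRI scanner", Use.DIAGNOSTIC, 7.5, 0.5,
           PatchStatus.OEM_VALIDATED, True, False, False, True),
    Device("MON-0311", "bedside monitor", Use.LIFE_SUPPORTING, 6.5, 0.4,
           PatchStatus.UNVALIDATED, True, True, False, False),
    Device("SCL-0099", "patient scale", Use.OTHER, 5.3, 0.3,
           PatchStatus.NONE, False, False, False, True),
]

if __name__ == "__main__":
    for asset_id, score, level, action in prioritize(INVENTORY):
        print(f"{asset_id:9} {score:5.1f} {level:9} {action}")
```

Running the script prints the ranked inventory. The score is the classic likelihood-times-impact product, with the vulnerability questions feeding likelihood and the device and patient-safety questions feeding impact; the recommended action is decided separately from the score so that a high-scoring device with no OEM-validated patch is steered toward a compensating control rather than an unverified fix. Because every input is a device attribute, the ranking is simply re-run whenever an attribute changes (a patch is validated, a device reaches end of life, a recall is issued), which is the continuous re-assessment the article calls for.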
© 2023 Quality Digest. Copyright on content held by Quality Digest or by individual authors. Contact Quality Digest for reprint information.