Over the past decade, many technological advances have improved how we deliver healthcare. Technology now automates many previously manual processes and connects information directly from the bedside into caregivers’ hands. Medical devices can integrate into the electronic health record (EHR) and can move critical patient information quickly. Radiology systems make images available on many different devices, including mobile phones and tablet computers. This rapid acceleration of information sharing has improved efficiency and care, all while reducing medical errors. This technology also has enabled better care with leaner staffing.
That same technology – especially medical devices – has introduced serious security risks. These unique security challenges cannot be solved by the Information Technology (IT) department alone. They require a team approach, and the first steps on building a solid security foundation is the responsibility of the procurement team.
What are the risks?
It is easy to assign medical device security risks to the hospital’s Information Security Officer (ISO). After all, IT manages the computers, and medical devices are just another computer. These assumptions can lead to a disaster for several reasons. First, many hospitals have not assigned responsibility for medical devices to the Chief Information Officer (CIO). This leaves a management gap that often leaves critical tasks undone. Second, some hospitals have outsourced the management of their medical equipment or departments like radiology, laboratory and pharmacy to third parties, leaving an accountability gap between what the hospital is responsible for and the vendor/third party.
These are challenges, but the ultimate barrier to good medical device security is the inherent nature of the devices. For example, IT departments typically have a technology refreshment program with workstations being replaced every four years (give or take) and servers/network components every five to seven years. Medical devices are kept much longer, with some in excess of 15 years as not uncommon. The operating systems in these devices are many years past end of life. By comparison, on January 14, 2020, there was a shock wave across the sector, as an estimated 71 percent of medical devices still run on Windows 7 and Windows Server 2008, both of which reached their end-of-life support. Future software updates will not be available.1
While this disturbing revelation generated a lot of media attention, medical devices actually have been running with obsolete and unsecure software for decades. Manufacturers are not forthcoming to disclose their software bill of materials (SBOM) so new equipment is still being shipped with Windows 7 embedded, even though the software won’t be patched.
Supply Chain’s reaction?
The impacts of unpatched devices can be devastating to providers. In November 2019, Roosevelt General Hospital discovered ransomware on their radiology devices.2 Reacting to these incidents should have begun before the contract award, during the request for proposal (RFP) process. It is only then that healthcare entities can outline the security responsibilities with which each vendor must comply.
Please note that language like “industry best practice” in the security section is meaningless, especially when you consider that 13 out of 14 organizations failed the government’s HIPAA desk audit. The average “best” just isn’t good enough as 30 percent of all healthcare breaches have been traced to a vendor’s weak security controls.
Diving into the specifics
So how can the procurement community support the medical device security challenge? First, all RFPs should include a requirement that vendors provide a SBOM for every device sold, as well as the date for the software’s end of life. It would also help to obtain a commitment that future software versions will be supported. As Microsoft typically provides support for 10 years post-launch, there is no reason medical device manufacturers could not eventually meet this same threshold. Decision makers can use this information to select the product with the best chance of being supported long-term, indirectly supporting a secure environment.
Second, vendors that require internet access to their devices for remote diagnostics, management and even operations should be held to the same security standards as other critical cloud providers – perhaps those that host the EHR. These persistent connections into a hospital’s networks are prime targets for hackers. We have seen multiple instances now where attackers first compromise a third-party vendor, then leverage the direct connections to infect providers. The December 2019 attack on Complete Technology Solutions3 impacted 100 providers. Further, healthcare providers saw a 60 percent increase in attacks in 2019.4
Finally, procurement executives need to actively participate in the security and privacy governance committees. The best defense starts before the contract is signed.
References:
1. Tech Republic. https://www.techrepublic.com/article/71-of-medical-devices-still-run-on-windows-7-windows-2008-and-windows-mobile/
2. “New Mexico Hospital Finds Malware Infection on Digital Imaging Server,” https://healthitsecurity.com/news/new-mexico-hospital-finds-malware-infection-on-digital-imaging-server
3. “Ransomware Hits Another IT Vendor, Impacting 100 Dental Providers,” https://healthitsecurity.com/news/ransomware-hits-another-it-vendor-impacting-100-dental-providers
4. “Careless Users Pose Risk to Healthcare Endpoints, Data, Access,” https://healthitsecurity.com/news/careless-users-pose-risk-to-healthcare-endpoints-data-access
