Best Practices for HTM and HFM Cybersecurity: Does Your Healthcare Organization Lack Any of These?

Medical devices are more advanced, connected and ubiquitous than ever.

These devices not only house sensitive patient data but also connect to broader systems as part of a fully developed network with features like two-way communications and wireless connectivity. At the same time, healthcare facilities themselves are more connected, with core infrastructure systems like security cameras, HVAC, power supplies and other systems tied together through a building’s IT infrastructure.

As a result, healthcare organizations have become the targets of bad actors looking to exploit medical device and facility vulnerabilities every chance they get.

Cyberattacks pose significant threats to the healthcare sector, jeopardizing patient care and costing providers billions. Keeping an organization safe from cyberthreats takes a concerted effort on the part of many teams, including clinical engineering, facilities management and IT. This overview of critical best practices is designed to help your healthcare organization boost medical device and medical facility cybersecurity – so that you can best ensure the health and safety of your patients, employees and visitors.

Best Practice #1: Perform an inventory check for risk analysis

You can’t protect what you don’t know about. With thousands or even tens of thousands of networked medical devices in your healthcare facility, making sure each device is accounted for is crucial so that you know what needs to be protected, what each device interacts with, and where to focus your energy. The same is true for all your networked building systems, such as power supplies, lighting, water and sewer, security cameras, elevators, HVAC, access control systems and more. And in addition to these individual components, be sure to take into account any building automation systems (BASs).

Taking inventory of your medical devices and systems is the fundamental first step in protecting them.

Best Practice #2: Work with suppliers to ensure devices and systems are secure on their end

Cybersecurity protection does not fall solely on the shoulders of your healthcare delivery organization; it’s a multi-layered process that involves not only your facility but also the vendors and contractors who supply your devices and systems. Be sure to ask vendors and suppliers:

  • What vulnerabilities could have been introduced during development, and how did you address them?
  • Do you offer a contract that guarantees the cybersecurity of the device or system?
  • What installation services do you offer, and what security do they entail?
  • What ongoing cybersecurity support do you offer, and do you conduct annual risk assessments?

 

Best Practice #3: Secure assets and devices throughout their lifecycles

Aging devices and systems are not only at risk of failure as parts wear out and break; they’re also at risk of breach. Take medical devices, for instance. From June 2019 to June 2020, an astonishing 15-19% of medical devices were running on Windows 7 or older operating systems, according to a survey from Ordr. This puts them well past Microsoft’s end-of-life date, after which the software is no longer serviced via upgrades, patches and overall maintenance, making them vulnerable to hackers.

HTM and HFM departments have long provided post-acquisition support and management of medical equipment and facilities assets with planned and corrective maintenance throughout their useful life, often with the help of a healthcare CMMS that facilitates scheduling routine maintenance, tracks asset repair history, and automates workflows when security gaps or risks are found.

Best Practice #4: Monitor network traffic

What information is going to and from your devices and your systems? What networks are they interacting with? Who has access to these networks and what levels of authorization do they have?

Malicious network traffic is the number one cybersecurity risk for healthcare providers, according to security firm Wandera. If activity falls outside normal traffic patterns, an organization must be able to act quickly, before serious damage is done. Real-time notification allows HTM and HFM resources to be disconnected from medical devices and systems to prevent or reduce the spread of cyberattacks, allowing you to swap out a device – in many cases even when it’s currently being used on a patient.

Best Practice #5: Establish safe practices for personal devices

Personal devices proliferate in hospitals, from phones to smart TVs. Healthcare organizations create avenues for hackers to infiltrate their network(s) when they allow access to network resources and do not have a protection plan that prevents access to infrastructure and business systems. Knowing how vendors, manufacturers and others will access medical devices and systems will provide a layer of security by ensuring those access points are secured.

Healthcare cybersecurity based on data

Ensuring medical device and facility cybersecurity is a complex undertaking, and it can’t happen without reliable data to help identify security gaps, automate mitigation steps and track fixes as they happen. To discover more best practices and deepen your understanding of how to prevent the growing body of HTM and HFM attacks, please download our eBook, 7 Best Practices for HTM and HFM Cybersecurity.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.

 
