Medical device cybersecurity & how hospitals may be affected in a breach: Q&A with MedCrypt CEO

Mike Kijewski, CEO of medical device cybersecurity company MedCrypt, discusses the reality of cyberattacks on patient medical devices and how hospitals can best approach prevention.

Responses have been lightly edited for clarity and length.

Question: How is technology keeping up with changes in the healthcare landscape in terms of cybersecurity?

Mike Kijewski: Technology companies are seeing that security by design has worked in other industries and have started to adopt it in healthcare. The technical advantages of designing security into medical devices creates a scalable and sustainable approach for devices that are increasingly operating in outpatient settings. Security cannot be considered a 'one and done' — it requires ongoing support and maintenance, which can only be accomplished through intentional inclusion in design. Success requires collaboration between the device vendor, end-user and ecosystem administrator.

Q: Can you share some of your thoughts on cyberattacks on patient medical devices? Is this a threat that hospitals should be prepared for, and what is the best way to do so?

MK: The dramatic storyline from the TV show Homeland, where the vice president's pacemaker was hacked, makes it easy to think that this could never happen to a 'normal' individual. However, instances where device vulnerabilities were used to access and shut down hospital operations demonstrates there are patient safety and information protection requirements that must be considered in medical device cybersecurity.

Hospitals play an important role in securing the ecosystem medical devices operate in. A recent publication helps apply the [U.S. Department of Commerce's National Institute of Standards and Technology] cybersecurity framework specific to hospitals. However, they face technical limitations on how much they can change medical devices without voiding warranties of clinical support. We believe hospitals should be proactive in procurement processes to incorporate FDA medical device cybersecurity guidance, such as the Rochester, Minn.-based Mayo Clinic, which has been transparent about their position to collaborate with other providers.

Finally, we'll sometimes be asked 'has this ever actually happened?' The short answer is, we don't know. While the FDA has never been alerted to a patient injury as a direct result of a cybersecurity issue, most devices don't yet have features that would detect if there were a breach, so we may not even know if it happened. Also, we're starting to see studies showing patient outcomes suffering as a secondary effect of cybersecurity incidents. One study saw an increase of 2,160 patient deaths from heart attacks at hospitals that had suffered a breach in the previous two years.

Q: What are some of the implications a medical device security breach can have?

MK: An exploited cybersecurity vulnerability or an immature response to a potential cybersecurity incident can have ramifications across the entire healthcare value-chain. Imagine a patient demonstrates symptoms associated with cardiac arrest, but due to a ransomware attack, the hospital devices are not operating as intended. This can result in a delay in care or inability to diagnose using technologies that would have otherwise been available. A paper published studies the impact of a 4.4-minute delay in care, finding a higher 30-day mortality for acute myocardial infarctions, or cardiac arrest, patients. Patient outcomes are at the core of what medical devices are trying to manage and the FDA has confirmed safety concerns as demonstrated in recalls due to cybersecurity vulnerabilities.

Q: What advice would you give hospital CISOs to get staff on the same page in the aftermath of a cyberattack?

MK: While we haven't seen a regulatory requirement, hospitals must accept that a cybersecurity threat is not theoretical. Like clinical crisis management, [healthcare delivery organizations] must have a plan should a potential cybersecurity incident arise. This begins with an inventory of medical devices, including patch versions, plans to isolate infected devices if possible, redundancy training for employees if they must rely on nontechnology-based documentation, a communication plan for different communities and relationships with relevant authorities. The post-mortem from an incident must also be completed so organizations can continue to improve.

To learn more about clinical informatics and health IT, register for the Becker's Hospital Review 2nd Annual Health IT + Clinical Leadership Conference May 2-4, 2019 in Chicago. Click here to learn more and register.

To participate in future Becker's Q&As, contact Jackie Drees at jdrees@beckershealthcare.com.

More articles on cybersecurity:
New strain of ransomware claims to donate profits to fictitious children's cancer charity
Cyberattacks, cloud-based storage & more: 4 hospital CISOs share insights
Man gets 10 years for hacking network of Boston Children's Hospital

© Copyright ASC COMMUNICATIONS 2019. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

 

Top 40 Articles from the Past 6 Months