01/15/2022 | News release | Distributed by Public on 01/15/2022 16:35
As events around the world continue to change on an hourly basis, the demand for healthcare services is growing. It is not how anyone envisioned or projected it, but services, precautions, and clinical equipment are nonetheless in high demand. As the needs and uncertainties escalate, so do fraud, phishing, and tremendously devious social engineering tactics, and good cyber hygiene practices should be in place. The best practices discussed here refer to the activities, settings, and considerations healthcare delivery organizations should undertake to improve safety and reduce the threat landscape of the medical device ecosystem. As CTEK continues to operate and protect our clients and customers, the potential impacts these threats could have on medical equipment must be evaluated. These realistic threats can serve as entry points into or through our clinical technologies. Focus and care are needed around people, processes, practices, places, and things, because the hidden dangers or vulnerabilities in medical devices can be easily exploited.
Although new medical device technologies have brought great improvements in the reliability and advancement of quality care, these same advances can create risks leading to security-related problems that have the potential to outweigh some of the benefits. Only through the thoughtful selection, deployment, proper operation, and support of healthcare technologies and the environment can the risk of cybersecurity failures be successfully managed. As a result, stakeholder awareness is a key goal in mitigating those risks during this epidemic, and it starts with the loss of data.
Right now, most devices are strategically placed, accounted for, and set up accurately, ensuring proper workflow. As many healthcare delivery organizations' objectives change and adapt to accommodate COVID-19, it is becoming more challenging to obtain the medical devices and clinical technologies that are necessary. What is happening in most hospitals is the shifting of resources to prepare for and accommodate everyone, not just those who are ill, by ensuring proper isolation, sanitization, protection mechanisms, and safety. Therefore, relating to best practices, using good judgment, and being accountable during the intense pressure placed on clinical staff will help manage the risks and incorporate cyber hygiene. Many of these resources are people, processes, and devices. When these resources are shifted, it opens the door to risk: risk that someone may not understand the new processes and procedures, risks of human and operational errors, and risks in how devices are used to support patients in this difficult time.
It was comparatively easy to obtain a medical device out of a clinical department or unit, such as a blood pressure machine, an EKG, or an ultrasound, and acquire data. Many of our devices are connected to the network, either directly (wireless and/or wired) or through a piece of middleware. As resource shifts occur, it is becoming common practice to move medical devices that have low utilization, or those from departments in the hospital that are serving fewer patients at the moment, and place them in dedicated isolation or quarantined areas to accommodate those who may be infected by COVID-19. Something that needs to be addressed is that the selected location may not have the same technological capabilities as the area the device originated from. This highlights several risks that can easily be mitigated if properly identified beforehand. First, the infrastructure may not support the device. Ensuring that it can is important, and if it can't, the device will have to store information locally. This first item of concern is the loss of data. If patient information is acquired periodically, say with an EKG device, stored locally on the device, and transmitted later, this potentially creates a problem with corruption of data or a device malfunction that may render the data unusable. If the device can transmit during or directly after an acquisition while in the determined location, the chances of data loss significantly diminish. When in quarantine, processes and procedures will likely not allow the device to be moved out of the designated area into a non-designated area to transmit.
Devices not connected to the infrastructure or moved to an isolated area may not be updated with patches or firmware when they become available, leaving them vulnerable. Any mobile medical device that may have a Windows operating system, or a device that uses a multipurpose computer or laptop, could be vulnerable if it is in isolation for extended periods. If it is not connected to the infrastructure, its chances of being attacked or infected are very low.
Additionally, throughput on the infrastructure is critical to maintaining the integrity of the data. Even if the infrastructure can handle the data, this doesn't mean it should if it cannot meet manufacturer specifications. For instance, if multiple devices are transmitting large amounts of data on the network at the same time, data may not reach its destination reliably or accurately.
This same topic coincides with misplaced data: where did it go? Did someone forget to transmit the data? If a device is storing data locally and sending it later, validating the data is an important step. An example is a mobile van or unit that is sent into the community to test and take vitals or physiologic measurements on patients. This data will be stored until network connectivity is established and it can be transmitted. Forgetting to transmit, or overwriting data with other patients' information, creates a loss of integrity or lost data altogether.
A common practice in situations where equipment inventory is low or additional equipment is needed is the use of rental companies. For instance, there is a shortage of ventilators right now for numerous healthcare delivery organizations. One approach they may take is contacting a rental company to temporarily acquire the ventilators or patient monitors to adequately care for their patients. Many ventilators are equipped to store and transmit PHI as well as other sensitive information such as network configuration settings. If your organization has chosen to acquire rental devices, it is extremely important to properly sanitize the media upon conclusion of the equipment agreement. This ensures the equipment does not have remnants of sensitive information. The clinical engineering department will likely help set this up and should be able to assist with sanitization as well; otherwise, it should be considered within the rental agreement.
Many organizations are buying used equipment from multiple vendors or third parties to help convert medical-surgical or pre/post-surgery areas with monitoring and ventilators. This is a sensible purchase amid the crisis, but keep in mind that some of these devices may come with someone else's data, and they may have limited licenses and features and outdated operating systems and firmware. Please consult with clinical engineering to ensure you get the correct licenses and firmware, and update the system if possible. Additionally, if these devices are a few revisions behind, make sure there are no current vulnerabilities, or at least nothing greater or riskier than what you currently have. Choosing this option significantly opens the door to cyberattacks. Even reputable dealers or resellers are not focused on cybersecurity efforts, and usually older revisions and firmware are easier or more cost-effective to repurpose and resell.
In an attempt to overcome the overwhelming need for specific devices, it is not safe to use old, outdated pieces of medical equipment that may have software vulnerabilities. In an attempt to round up medical devices for a separate site, there may be pressure to use the devices that are in storage. These may be inadequate, not because of their inability, but because the system may never have been patched or updated, or may lack a compensating control that can provide a layer of security for the device. Not all old devices will be affected. Multi-purpose workstations that are connected to a medical device, imaging devices, and patient monitors are more likely to be affected, but it's best to check with clinical engineering to verify.
Ensure an accurate inventory of clinical assets. Clinical engineering maintains this information and should be able to help determine asset utilization and where assets that can be repurposed during this time may be located. They should also maintain records so that when this event is over, the device can be properly disinfected, sanitized, and returned to the proper department.
Device settings used in a normal clinical environment may not be necessary or applicable in a temporary setting like the one the devices may be deployed to. If moving to an offsite, separate clinic or facility to care for COVID-19 patients, the frivolous features that are coupled to a medical device may not be necessary and should be turned off if they are not needed.
What this means is that feature sets like wireless and Bluetooth should be turned off if the device does not need them and you have chosen to move the device to a separate or non-clinical area, or simply to an area where it was not originally designed or intended to be.
Recently, a set of cybersecurity flaws found in a range of medical devices with Bluetooth Low Energy (BLE) could allow a hacker to remotely crash a device or access its data, according to a recent alert from the Food and Drug Administration. BLE is used to pair and exchange data between two devices. However, researchers discovered a vulnerability, labeled SweynTooth, that could allow an attacker to remotely crash the device, stop its function, or access functions typically only available to the authorized user. There are publicly available exploits that could put these devices at risk of attack. These exploits can be performed within Bluetooth radio connection distance; therefore, someone near a window, just outside the building, or elsewhere within the building or floor is capable of exploiting this vulnerability.
The Food and Drug Administration issued guidance to provide a policy to help expand the availability and capability of non-invasive remote monitoring devices to facilitate patient monitoring while reducing patient and healthcare provider contact and exposure to COVID-19 during this pandemic. This policy is intended to remain in effect only for the duration of the public health emergency.
The enforcement policy described in the guidance applies to the following non-invasive remote monitoring devices that measure or detect common physiological parameters and that are used to support patient monitoring during the COVID-19 public health emergency:
These non-invasive monitoring devices have the potential to be connected to a wireless network through Bluetooth, Wi-Fi, or cellular connection to transmit a patient's measurements directly to the provider or other monitoring entities.
The Food & Drug Administration is indicating that healthcare organizations can leverage the use of current non-invasive patient monitoring devices that have these features. It is advised that anyone who chooses to use these features be cautious and understand the cybersecurity risks of these types of medical devices.
For healthcare delivery organizations, these steps should be common practice every day, but in a time of critical need the basics may often be disregarded. With changes in the environment and specific caregiver needs, new cybersecurity threats and vulnerabilities can arise; therefore, asking questions and working together to practice good cyber hygiene habits with medical equipment should not be overlooked.
Matt is a dedicated clinical engineer with knowledge, skills, and experience in all technological facets of healthcare. Proven experience in servicing and managing medical devices and systems, developing and teaching university courses, and medical device cybersecurity and risk management.