Cybersecurity of medical devices tops ECRI Institute's 2018 list of the top 10 challenges facing healthcare, and experts from the independent nonprofit organisation offer practical guidance to help its member hospitals protect medical devices against security threats.
“We really need to make sure that there are appropriate resources for the healthcare facility to tackle medical device cybersecurity,” ECRI project engineer Juuso Leinonen said. For him, a practical path for organisations to reach their security goals and improve their “security posture” is critical.
Large health systems that operate a network of hospitals and related care facilities especially need an inventory of the countless devices used in the day-to-day operations of different departments or units. A timely inventory of medical devices is necessary because, as Leinonen points out, you cannot “effectively patch and protect medical devices without this kind of information.”
Another tip for hospital executives to improve device security: When buying medical devices, make sure you are buying them with the security you need.
“At a healthcare facility, you’re looking at having thousands of devices from hundreds of manufacturers,” Leinonen said. “Each one of those could potentially have their own security requirement, which makes it almost a nightmare to manage.”
It's also important for healthcare leaders to recognise that cybersecurity is not just an IT problem. From IT, clinical, engineering, risk management and purchasing to the front-end clinicians, just about every department is touched by security gaps, according to Leinonen. Technology can help, but he warned, “you can’t solely focus on technology.”
When breaches occur, often there is a human component – people clicking on this or that – and recovery from an attack like that can be rough.
His best advice? Conduct an inventory of medical devices as well as the related software and incorporate security considerations as a formal part of the purchasing process.
“Recognise that this is not just an IT problem,” he stressed. “All different individuals within an organisation really should play a role in managing overall risk.”
Source: ECRI Institute