Protecting And Maintaining Medical Devices
The Intersection of Clinical Engineering and Medical Device Cybersecurity
Michael Ahmad has over 33 years of experience in Healthcare Technology Management. Michael, a known industry leader and speaker, graduated from the Kuwait Institute of Technology biomedical engineering program, and from the Villanova University, advanced leadership development program.
WHAT IS THE NEW DEFINITION OF A MEDICAL DEVICE?
MA: A medical device is defined multiple ways. It could either be a device that is intended to diagnose, cure, mitigate, treat or prevent a disease OR is Software in an electronic device if it is intended to diagnose, cure, mitigate, treat or prevent a disease OR is the component of, or accessory to, any medical device. These medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of not only the device but also the entire hospital network. This vulnerability is increasing through their constant connectivity to the Internet, hospital networks, and to other medical devices. Addressing cybersecurity threats, and thus reducing information security risks, is extremely challenging to the equipment owners because these threats cannot be completely eliminated. Manufacturers, hospitals and service providers must work together to manage and mitigate their risks.
HOW DOES ABM SUPPORT ITS CLIENTS?
MA: There is a definite need to balance protecting patient safety, patient privacy and promoting the development of innovative technologies and improved device performance. ABM has created a strict process enabling the proper steps to be followed to ensure both patient safety and patient information safety by viewing cybersecurity not as a novel issue but rather by making it part of the hospital’s existing governance, risk management and business continuity framework. This process is practiced by creating an inventory, replace/upgrade plan where possible, documented retirement timelines, and suggested updates and patches to be presented as a preventive procedure.
WHAT IS THE BEST APPROACH TO PRACTICING SAFE MEDICAL DEVICE CYBERSECURITY?
MA: Medical device manufacturers and healthcare facilities should take steps to ensure appropriate safeguards. Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity. Manufacturers should consider cybersecurity risks when designing and developing their medical devices–including design inputs, software validation and risk analysis–to better diminish patient risks. Hospitals can prepare and manage such risks by viewing cybersecurity not as a novel issue but rather by making it part of the hospital’s existing governance, risk management and business continuity framework. Hospitals also will want to ensure that the approach they adopted remains flexible and resilient to address threats that are likely to be constantly evolving and multi-pronged.
WHY MUST THREATS TO MEDICAL DEVICES BE ADDRESSED?
MA: Cybersecurity vulnerabilities and intrusions pose risks for every hospital and its reputation. While there are significant benefitsfor care delivery and organizational efficiency from the expanded use of networked technology, Internet-enabled medical devices and electronic databases; for clinical, financial and administrative operations, networked technology and greater connectivity, also increase exposure to possible cybersecurity threats that require hospitals to evaluate and manage new risks. Medical device manufacturers and healthcare organizations need to implement safeguards to reduce the risk of failure or misuse in the event of a cyber-attack; with manufacturers considering cybersecurity risks when designing and developing their medical devices including design inputs, software validation and risk analysis.
HOW SHOULD LEADERS ADDRESS THESE THREATS?
MA: The key is acknowledging that things can go wrong and demonstrating the creativity in finding a solution. We certainly don’t need to respond to every risk imaginable. The goal is to provide the method to help secure what we have anticipated and to deal with any potential major risks.
These threats are set to increase further with adoption of the Internet of Things (IoT) by healthcare organizations and consumers. This integration of networking, computing technology and software has enabled increased integration and efficiencies of Hospital Information Technology( IT ), Clinical Engineering (CE), and their suppliers through remote connectivity, but it has additionally opened a gateway of risk that we need to defend.