Healthcare News & Insights

Prepare for another cybersecurity threat

New cybersecurity vulnerabilities are threatening hospitals’ mobile health (mHealth) devices. 

The Department of Homeland Security is in the middle of investigating two dozen medical devices and other pieces of hospital equipment for potential cybersecurity vulnerabilities, according to Reuters.

This is just the latest cyberthreat to hit the healthcare industry, following recent announcements about Shellshock and Heartbleed — two computer bugs that open hospitals’ computer systems to outside attacks.

Federal response to threats

Specifically, Homeland Security’s Industrial Control Systems Cyber Emergency Response Team is looking at products like an infusion pump from Hospira, Inc., and implantable heart devices from Medtronic, Inc., and St. Jude Medical, Inc. The agency believes hackers could take over the devices and cause harm to patients, or extract valuable health data stored in them.

Currently, the agency is working with the manufacturers to ID and repair software coding bugs, but has declined to name all the companies involved.

The good news is that, so far, no attacks through these devices have been reported, but it’s clear that mHealth devices could pose serious security issues for hospitals.

In response to these growing concerns about medical devices and cybersecurity, the Food and Drug Administration (FDA), which regulates the sales of these devices, recently released guidance about how manufacturers can secure medical devices.

The guidance recommends steps for manufacturers to develop security controls that identify possible targets for attacks and vulnerabilities that might give hackers access. The guidance also provides a list of security provisions vendors should document for premarket submission.

Some of the recommendations are steps hospitals should also try to follow, such as:

  • limiting access to devices through user authentication via IDs, passwords, smartcards or biometrics
  • strengthening password protection by avoiding common passwords, and
  • placing physical locks on devices and their communication ports to prevent tampering.

Ensure vendor security

Cyberthreats to patients’ protected health information are constantly evolving, so it’s not reasonable to expect vendors’ products to be 100% bulletproof against cyber attacks. However, hospital leaders should still be cautious and do their research before purchasing new mHealth devices.

They need to look at what kind of security measures are in place in devices, as well as determine what security testing has been conducted on the products. They also need to make sure vendors follow the FDA’s guidance to reduce the risk of outside attacks, and can provide the documentation to show they’ve taken substantial cybersecurity measures.

And since no device is fool-proof, it may be time to look at your facility’s cyberinsurance policy, or consider purchasing one if you haven’t already. This can help protect hospitals from paying large fines entirely on their own in the event a breach occurs and HIPAA penalties are levied.
