Taking a Stand on Medical Device Cyber Safety

It’s no small task to secure high-tech medical devices. The total number of staffed beds in all registered U.S. hospitals is nearly 895,000 and there are an average of 10-15 networked devices per bed, adding up to more than 10 million possible networked devices. That necessitates a delicate balance between connectivity and cybersecurity.

Today’s technology brings more rapid diagnoses, lifesaving treatment options and enhanced patient care. But it also produces significant risks, some that we know, and others that we don’t. The discussions are ongoing: How can stakeholders best collaborate on medical device cybersecurity? What are best practices today? What can health care providers and organizations do to protect themselves from device hacking?

To provide leadership and facilitate collaboration, Vizient launched the Medical Device Cybersecurity Task Force. Its mission is to minimize the risk and cost of medical device cybersecurity by fostering standard practices for the benefit of the health care industry. The 25-member task force includes chief information security officers, as well as clinical engineering, IT and legal professionals from Vizient member hospitals and health systems. The group is also working collaboratively with device manufacturers, cybersecurity consultants and government and industry experts to bring much needed change.

“It's not just the level of risk that is impacting our members. It’s also the cost of assessing and managing those risks. This is where the collaborative effort is really critical. We don’t want security concerns to inappropriately inhibit the level of innovation that is happening in health care today,” said Ross Carevic, director, technology sourcing operations at Vizient.

The Vizient task force identified three areas of focus and created dedicated workgroups that are actively working on these initiatives: risk landscape, sourcing enhancements, and standards and regulations. Near-term deliverables for the Vizient task force include the development of a multiphase roadmap where key enhancements can be identified, implemented and updated in a structured and phased approach.

Assessing the risk landscape

The threats presented by unsecured medical devices are far-reaching and are the focus of the task force’s risk landscape workgroup. Engaging with suppliers to get information about such things as a product’s software bill of materials, which lists what’s inside the product; and its digital fingerprint, which identifies what data is captured, what systems it is shared with and how; will be a priority. Are they using a certain operating system or an off-the-shelf management interface, for example? What are the different software and processes on the various platforms so there is a plan on how to respond if a certain device is hacked? What patient and analytics information is captured and is it uploaded to a cloud? Having this information is vital for understanding the types and levels of risks associated with the different devices, as well as the proper mitigations and controls that might need to be put in place.

A frequently discussed risk scenario involves older, unpatched medical equipment. “One of the questions we hear quite a bit is how to secure devices that have been in use for 10 to 15 years. A lot of these devices weren’t designed with today’s security requirements in mind, so that’s a huge challenge. Hospitals must factor in replacement strategies in addition to keeping newer devices patch-current,” Carevic explained.

“What we see in the marketplace today is going to be different in six months or a year. The tactics and types of attacks are continually changing. We must be proactive in our approach and identify key information needed from the suppliers, which helps the providers protect themselves more effectively and respond more quickly to cybersecurity-related incidents.”

Updates to the sourcing process

The sourcing workgroup is assessing the sourcing processes, identifying areas where improvements can be made and implementing changes.

“The question first and foremost in our minds is, ‘How do we look at it so that all Vizient members, as well as suppliers and those outside of our membership, are able to take advantage of this workgroup’s learnings to improve the overall security posture of the medical device industry?,’” said Carevic.

Carevic also noted that Vizient will be an early adopter of the task force’s recommendations for improving contracting language, as well as modifications to the weightings related to cybersecurity safeguards in the Vizient RFP scoring process. This will enhance the cybersecurity of the devices in the Vizient portfolio for the benefit of its members and their patients.

Enhanced standards and regulations

Historically, the U.S. Food and Drug Administration (FDA) has provided very comprehensive regulations surrounding device approval from a safety and effectiveness perspective, but enforcing strict cybersecurity compliance was not necessarily part of the approval process. The recently released Medical Device Action Plan, published by the FDA, shows their willingness to adapt their benefit-risk framework and helps support efforts for the Vizient taskforce.

The most significant priority for this workgroup will be to identify improvement areas in standards and regulations that will enhance the overall cybersecurity maturity level for medical devices for the entire health care industry.  

“Vizient is uniquely positioned to step up and take the lead in this endeavor. The task force and its various workgroups are energized and ready to spearhead efforts to improve the overall cybersecurity maturity of the health care industry. And the more momentum you have behind something, the more of a change you can drive.”

Want to know more about the Vizient Medical Device Cybersecurity Task Force? Send an email with your questions or feedback to mdc@vizientinc.com.