Siemens Healthineers’ Cybersecurity Officer for the Americas, Brett Harris, recently discussed the long-term impacts of cyberattacks on healthcare institutions and offered insights on how healthcare providers can protect patients’ personal data and medical devices. In this Help Net Security interview, Harris highlighted the vulnerabilities of various hospital information systems and emphasized the importance of securing medical devices before deployment.
Harris first addressed the vulnerabilities of hospital information systems, such as Electronic Health Record (EHR) systems and Picture Archiving and Communications Systems (PACS). These systems contain large amounts of sensitive data and present a risk to confidentiality. While they may not pose a direct patient safety risk like devices directly interacting with patients, the potential breach of this data can lead to hefty fines and compromise the privacy of a large number of people.
On the other hand, devices directly interacting with patients, such as infusion pumps and X-ray machines, pose a direct patient safety risk if compromised. These devices need to be protected and secured to ensure patient well-being. Additionally, any other systems or devices connected to a hospital’s network can serve as a gateway for further attacks, potentially leading to massive ransomware attacks if proper network controls are not implemented.
Addressing the long-term impacts of significant cyberattacks on healthcare institutions, Harris noted that the frequency of these attacks has been increasing and is unlikely to slow down. To mitigate the risks associated with cyberattacks, healthcare institutions need to allocate larger budgets to cybersecurity. In the short term, implementing proper medical device security programs is essential, considering the backlog of systems that need to be managed for risk. In the long term, stricter requirements from regulatory bodies such as the FDA and HHS can be expected, and it is crucial for every institution to have a dedicated medical device security program in place.
When it comes to patients ensuring the safety of their personal information during virtual interactions with healthcare providers, Harris acknowledged that patients have limited control over the matter. Currently, there is little visibility into which healthcare institutions are effectively protecting patients’ data, and in many regions, there is a dominant institution that lacks competition. However, patients can take certain precautions, such as using their institutions’ secure portals for communication and avoiding the use of email.
Regarding steps healthcare organizations can take to secure and assess medical devices before deployment, Harris emphasized the importance of thoroughly evaluating the security features of products before purchase. Ideally, healthcare organizations should look for products that meet their clinical needs while offering robust security. However, if it is not feasible to purchase a highly secure product for every application, organizations should identify and implement compensating controls to mitigate any security risks associated with the device. Reviewing the product’s Manufacturer Disclosure Statement for Medical Device Security (MDS2) can provide crucial insights into its security controls and guide decision-making.
To ensure that sensitive data is not left behind during the decommissioning and disposal of medical devices, healthcare organizations must securely erase any potential storage media. This can be done either through the use of tools that meet NIST standards for secure erasure or through physical destruction. If a third party is involved in the decommissioning process, organizations should require a report or attestation of secure erasure.
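One way to back up the "report or attestation of secure erasure" Harris describes is to verify the wiped storage yourself and record the result. The script below is an added example, not code from the interview or from Siemens Healthineers: it reads a storage image block by block, counts blocks that are uniformly 0x00 or 0xFF (what a zero-fill overwrite or flash block erase leaves behind), flags any recognizable file signatures that survived (a short constructed list: DICOM, PDF, ZIP), and emits an attestation record with a hash of the image. The image files, device identifier and method string are constructed placeholders.

```python
"""Verify that a medical device's storage image was sanitized and build an
attestation record. Added example; not part of the interview or any vendor tool."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096

# Signatures whose presence after a wipe means clinical data survived.
# Constructed shortlist; extend it with the formats the device actually stores.
SIGNATURES = {
    b"DICM": "DICOM Part 10 header",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP archive (e.g. exported reports)",
}


def block_is_clean(chunk: bytes) -> bool:
    """A block counts as sanitized only if it is uniformly 0x00 or 0xFF."""
    return chunk == b"\x00" * len(chunk) or chunk == b"\xff" * len(chunk)


def scan_image(path: str) -> dict:
    """Walk the image: count clean blocks, record residual signatures with
    their byte offsets, and hash the entire image for the attestation."""
    total = clean = 0
    residual = []
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        offset = 0
        while True:
            chunk = f.read(BLOCK_SIZE)
            if not chunk:
                break
            digest.update(chunk)
            total += 1
            if block_is_clean(chunk):
                clean += 1
            else:
                for magic, label in SIGNATURES.items():
                    pos = chunk.find(magic)
                    if pos != -1:
                        residual.append({"offset": offset + pos, "type": label})
            offset += len(chunk)
    return {
        "blocks_total": total,
        "blocks_clean": clean,
        "residual_signatures": residual,
        "sha256": digest.hexdigest(),
    }


def erasure_attestation(path: str, device_id: str, method: str) -> dict:
    """The record an organization keeps (or demands from a third party) as
    evidence of sanitization. 'pass' requires every block clean and no
    known signature left anywhere in the image."""
    scan = scan_image(path)
    ok = (scan["blocks_total"] > 0
          and scan["blocks_clean"] == scan["blocks_total"]
          and not scan["residual_signatures"])
    return {
        "device_id": device_id,
        "method": method,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "verdict": "pass" if ok else "fail",
        **scan,
    }


def build_constructed_images() -> tuple:
    """Create two small constructed images in a temp directory: one fully
    zero-filled, one where a PDF header and a DICOM marker survived the wipe."""
    d = tempfile.mkdtemp(prefix="erasure_demo_")
    good = os.path.join(d, "zero_filled.img")
    bad = os.path.join(d, "partial_wipe.img")
    with open(good, "wb") as f:
        f.write(b"\x00" * (BLOCK_SIZE * 8))
    with open(bad, "wb") as f:
        f.write(b"\x00" * (BLOCK_SIZE * 3))                       # blocks 0-2 clean
        f.write(b"%PDF-1.4 constructed report ".ljust(BLOCK_SIZE, b"\x00"))  # block 3
        f.write(b"\x00" * 128 + b"DICM" + b"\x00" * (BLOCK_SIZE - 132))     # block 4
        f.write(b"\xff" * (BLOCK_SIZE * 3))                       # blocks 5-7 clean
    return good, bad


if __name__ == "__main__":
    for image in build_constructed_images():
        record = erasure_attestation(image, "DEVICE-SERIAL-PLACEHOLDER", "zero-fill overwrite")
        print(json.dumps(record, indent=2))
```

Reading back the logical image proves the overwrite reached the addresses the host can see; on flash and SSD media with wear levelling it does not prove that remapped or spare blocks were erased, which is why NIST SP 800-88 (the media sanitization guideline the "NIST standards" reference points to) distinguishes clearing from purging and why physical destruction remains the fallback Harris mentions. Keep the JSON record with the decommissioning paperwork so the verdict, the method and the image hash can be reproduced later.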
In summary, the protection of patients’ personal data and medical devices is of utmost importance in healthcare institutions. The vulnerabilities of hospital information systems and devices must be addressed through proper cybersecurity measures, secure erasure of data, and risk assessment before deployment. As cyberattacks become increasingly prevalent, healthcare organizations need to allocate sufficient resources and adopt comprehensive security programs to safeguard patient safety and privacy.