By Renee Diiulio
Hospitals have been dealing with viruses since they first started seeing patients. In most facilities today, there are entire departments devoted to discovering, identifying, preventing, treating, or monitoring viral infections. Viruses can be deadly, and mutation is a well-established (and well-publicized) trait, so the medical community keeps a close eye on potential emerging diseases, attempting to minimize infection and spread while developing a treatment and/or vaccine to maximize outcomes.
It’s an effort that drives an entire industry and has been a thrilling subject for books and film. Viruses can be fast, elusive, and very destructive—replication is a defining trait of the organisms. But now, they do not need to replicate in humans to do damage.
There is one order of “virus” that, while it does not pose a direct threat to human health, can adversely affect patient care: the computer virus. Healthcare organizations are aware of the potential impact of this serious emerging threat. The danger comes not only from viruses, but from a wide variety of cyberthreats in general. Yet with few resources and no protocols, healthcare groups have been slow to implement effective programs.
The good news is that there has yet to be any cybersecurity issue resulting in patient harm. As of June this year, the FDA had not been informed of any patient injuries or deaths associated with such incidents. However, the FDA made this acknowledgement in an FDA Safety Communication in which it recommended that medical device manufacturers and healthcare facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack.1
For many healthcare organizations, the announcement was no surprise, but the question about how they should deal with the threat remains. Many may look to Methodist Hospital of Southern California, located in Arcadia, Calif, for ideas. The facility’s clinical engineering team has developed a cybersecurity protocol as part of its integrated systems management program that has achieved not only success, but also attention and recognition. The team is the recipient of this year’s Health Devices Achievement Award given by the ECRI Institute of Plymouth Meeting, Pa, for the work.
“The cybersecurity risk with medical devices is a serious and emerging concern which most hospitals have yet to significantly address. Methodist Hospital is getting an early start, and we congratulate them for this important initiative. It sets a great example for other hospitals on how to tackle this issue,” says James P. Keller, Jr, ECRI’s vice president of health technology evaluation and safety.
Way of the Future
“One major concern is that a device connected to the system could be used to change data or shut down the operation of other devices on the same system,” Keller says. A microcosm of the world, a network’s risks can range from petty theft to cyberterrorism.
Anthony J. Coronado, biomedical engineering manager at Methodist Hospital, concurs that patient safety was the major driver, but adds that patient privacy (and HIPAA law) was also a factor. So the team developed a three-phase project involving risk assessment, mitigation, and continuing management, each with carefully managed deadlines and milestones. However, before phase one was implemented, some early preparation was needed.
The project did not require a huge investment, but it did require a budget and, therefore, administrative approval. Buy-in, however, was easy to obtain. Although there had been no security breach, a device vulnerability had been discovered via a physician’s remote access. Clinical engineering followed the event with a presentation on the evolution of biomedical devices from isolated pieces of mechanical equipment to networked systems focused on data collection, analysis, and storage—and support was immediate.
“They understand that IV pumps have become smart devices just like their flip phones have become smart phones, and that this is the future,” Coronado says.
The biggest cost for the program has been labor. Coronado estimates that the capital cost per device averaged about $150 and typically covered upgrades. Time involved has been more expensive and involved training for all team members, but the effort has been worth it. “The work has been integrated into our daily activities and become part of the culture,” Coronado says, noting culture change may have been one of the biggest challenges.
When the clinical engineering team first decided to tackle cyberdefense, it did not have the luxury of starting from scratch with new, properly vetted equipment. So the group had to address both new equipment coming in and existing equipment already in place. Any device that was on a network was included in the program.
“We moved away from a single-unit approach and instead focused on systems. Every device is networked into one of 28 systems within the hospital,” Coronado says. Each system has at least 100 devices, and combined, the systems connect with close to 70% of the hospital inventory. “Roughly 61% of our equipment is networked in some way into the hospital domain,” says Coronado, noting infusion pumps alone account for 1,500 devices within one of the systems.
Each model within a system, such as a particular type and brand of infusion pump, is then evaluated for vulnerabilities. The Methodist Hospital team developed a risk assessment protocol that includes 57 questions. “We want to know who is using the device, how they are using it, what information is being stored, and how data is transmitted,” Coronado explains.
Sample questions include the following:
- What elements of electronic protected health information (ePHI) does a device system maintain, transmit, or store (eg, name, treatment date, date of birth, medical record number, social security number, or an image)?
- What is the source of the ePHI? Is it a keyboard, barcode, optical imaging, metric, or voice recognition?
- How is it stored or maintained (eg, via hard disk, wireless transfer, or removable disk)?
The team also reviews how information is backed up and integrity maintained; whether a device is vulnerable to threats, such as malicious software, Trojans, or worms; and if electronic or magnetic interference poses a threat. And they do so using every possible resource, including manufacturer information, software assessments, and user interviews.
“We always speak with the end user, whether it’s a physician, nurse, or other clinician. To define vulnerability associated with cybersecurity, you have to complete a thorough risk assessment and take a deep look at the equipment you have and how it is being used,” Coronado says.
System by System
The effort, in general, requires an interdisciplinary approach and collaboration with IT. Clinical engineering partnered with their IT colleagues closely throughout the initiative, but particularly during the mitigation phase of the program. “We need IT approval to satisfy their security and policy procedures, and we meet with them weekly to review plans,” Coronado says.
Clinical engineering opted to work within the existing IT network rather than develop its own because IT already had safeguards in place. “It made it easier to use theirs, but everything had to meet strict standards, such as compatibility with Windows 7 or later,” Coronado says.
Plans to bring each device up to “code” were approached on a systems basis. A two-member team from clinical engineering was assigned to each system; they then worked with an IT team member and the security compliance officer to approve a mitigation plan.
The aim for each plan was to turn any “no” answer regarding cybersecurity into a “yes,” according to Coronado. Each system was tackled separately. “We took them on one by one,” Coronado says.
Some training was required. In some instances, mitigation could involve a simple upgrade; at other times, a far more extensive effort was needed. To maximize effectiveness, everyone underwent training. “We did cover configuration management and patch management, but even more importantly, we reviewed all aspects of the program, including how to conduct the risk assessment and user interviews,” says Coronado. Every new hire now receives similar education.
Cybersafe Not Cybersorry
The training helped to effect a cultural change within the department, and the hospital as a whole, that maintains cybersecurity as a top-of-mind concern. This new perspective is expected to contribute to the third phase of the project: continuing management.
“We took the new framework and incorporated best practices for individual components to support the whole system, which redefined our management methods,” Coronado says. The team also worked closely with its database vendor, Renovo Solutions of Santa Ana, Calif, to incorporate modifications so that the team’s clinical engineering software could be leveraged to help the program succeed.
The new integrated systems management initiative now covers configuration management, incidence management, problem management, software upgrades, and security management. “Now, when we do PMs, we’re not just checking the device operation, but we’re also monitoring password protection, performing software updates, verifying virus protection, providing vendor-approved patch management, working on server workstations, and confirming disaster recovery and backup,” Coronado says.
And the effort extends from before equipment enters the hospital until after it leaves. New equipment is now evaluated with an eye toward cybersecurity. “We ask vendors if their technology will match our security protocol and policy procedures, and we evaluate the equipment to determine whether it is safe enough to be included as part of our hospital system,” Coronado says. If extensive and expensive modifications are required, another choice can be made before it is too late.
“There is often quite a bit of verbiage in the vendor contract stating the company is not responsible for virus protection or Internet security,” Coronado says. This leaves the responsibility solely in the customer’s hands. And now, customers must own it.
“Cybersecurity is here and real, and poses a legitimate risk to patient safety,” Coronado says. Lapses may not pose a direct health threat, but whether it’s a computer virus or malware, a hacker or a cyberterrorist, the danger does exist, and Methodist Hospital has developed a possible vaccine.
Renee Diiulio is a contributing writer for 24×7. For more information, contact editorial director John Bethune at firstname.lastname@example.org.
1. US Food and Drug Administration. FDA Safety Communication: Cybersecurity for medical devices and hospital networks. Safety Communications. June 13, 2013. Available at: http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm356423.htm. Accessed November 4, 2013.