“Cybersecurity is currently one of health care’s largest concerns. The unlawful manipulation of medical devices locally, or more recently remotely, via malware and ransomware attacks, represents an immediate threat to the safety and security of those for whom we provide care. Biomedical Engineering must now consider the impact of the 'Internet of Things' as a growing number of medical devices and systems are electronically integrated, including integration into the medical record.”
Medical devices — whether imaging machines, infusion pumps, lasers, medical ventilators or the plethora of other equipment used for diagnostics or treatment — are central to patient care in every hospital. Ensuring their safe, effective, and efficient use is the responsibility of medical device teams, who every day bring to bear a unique blend of knowledge and skills across clinical and engineering disciplines.
These medical device professionals, found in every hospital, are known by many names; sometimes called EBME (Electrical and BioMedical Engineer), they may alternatively use titles such as medical engineer, biomedical engineer, CBET (Certified Biomedical Equipment Technician) or clinical engineer. Regardless of the exact title, these are the people who support the use of devices by health professionals and aim to simultaneously optimize clinical efficacy, patient and operator safety, care quality, technology innovation, and equipment costs.
These healthcare heroes often also have a leading role in managing device procurement, ensuring that each device and its usage complies with relevant regulations, and that those selfsame devices are properly maintained to manufacturer and best practice specifications. If that weren’t enough, clinical engineers are also tasked with maintaining an accurate and detailed inventory, training users, and knowing how to spot, and what to do, when something is wrong with a medical device.
The role is especially challenging given the breadth of knowledge and skills required, the need to manage a wide range of stakeholders (in most cases clinical staff use the devices while the clinical engineering team are responsible for them), and the need to keep on top of a changing medical device landscape.
For example, most medical devices that involve serious engineering are today designed with network connectivity. This connectivity opens up a whole new frontier of operational considerations and points of potential compromise for clinical engineers to concern themselves with. Yet, only ten years ago, that frontier was totally absent from the occupation.
Clinical Engineering and Cybersecurity
Maintaining a high-level of cybersecurity is difficult for any hospital, but medical devices have their own challenges:
- Even a mid-sized hospital has thousands of connected medical devices, and up-to-date device inventories are a rarity. Without knowing the inventory, which devices are deployed, what purposes they’re meant to serve, where they’re located, and which staff are authorized to use them, effective cybersecurity is well-nigh impossible.
- The medical device industry isn’t a single vendor, single product marketplace. Many manufacturers use their own proprietary communication protocols (or unusual protocol combinations) with unique security implications that, if not properly understood and attuned to, could introduce highly consequential but hard-to-detect vulnerabilities.
- Medical devices are often connected to legacy infrastructure that’s been developed over many years, resulting in a patchwork of systems and networks, with complex interdependencies and entangled operational vulnerabilities.
As the primary in-house source of medical device expertise, clinical engineers are expected to know the ins and outs of those devices and to make use of every available indicator of a device’s normal functioning and usage. In 2019, that needs to include some basic cybersecurity training and wherewithal. While that may seem intimidating to someone accustomed to thinking of his/her job as largely mechanical, the truth is that some digital training, tailored to medical device uses, will help you do your job quicker, easier, and better.
Consider the following:
- Designing ongoing cyber education initiatives to keep clinical engineers (as the tip of a hospital’s medical device spear) abreast of current threats and protection practices.
- Incorporating cyber hygiene and device-specific dos and don’ts into staff-wide medical device SOP (standard operating procedure) training.
- Leveraging cyber tools as oversight mechanisms to assist with meeting other clinical engineering responsibilities.
An Expanding Training Prerogative for Clinical Engineers
The best source of training for any given specific device is usually the manufacturer, and most now include some level of cyber education in the product training they deliver during initial device deployment, or follow-on refresher courses.
Since, however, manufacturers are themselves somewhat new to the cybersecurity game, it’s a good idea to complement manufacturer-provided training with something from a cybersecurity firm specializing in the healthcare space.
Larger, more mature, medical operations will also have their own in-house medical device training, and while these courses don’t always incorporate cybersecurity, it is a best practice that’s quickly gaining popularity.
The FDA recently announced recognition of UL 2900-1 and, although the standard is largely targeted at medical device manufacturers, some elements of UL training courses could be useful for clinical engineering teams.
Training providers such as SANS Institute, MediaPRO and Intraprise have cybersecurity courses tailored for healthcare, while cross-industry courses — such as cybersecurity for business or executives — contain content that could help medical device teams build their training programs with broader business goals in mind.
Aside from canned curricula, it’s good to develop courses around the specific needs of your hospital, in which case you may look to adapt some of the resources freely provided by Homeland Security, Cyber Aces, or Cybrary, among others.
Some healthcare providers have gone even further, commissioning courses that have been developed to make the training experience more fun and more memorable.
Cyber Training for Medical Device Users
For healthcare providers, insiders pose a bigger threat than outside actors — providing a case in point for the need to better incorporate cyber hygiene education into medical device user training. A lot of the training undertaken by the clinical engineering team can be condensed and re-packaged for delivery to clinical staff and other users — with a focus on cybersecurity awareness and threat detection.
Staff training needs to cover general cybersecurity protection, such as the basics of password management, how to spot and what to do when encountering malicious websites or emails, social engineering, etcetera. It might seem obvious, but staff needs to understand that clicking on the wrong link can trigger a malicious script that may ultimately compromise the delivery of care.
At the same time, training needs to include harder to spot and device-specific threat awareness. Sometimes subtle changes in device behavior patterns can indicate malfunction or worse — tampering. Accordingly, anyone handling these devices will need to know what to look out for as well as to whom and how to report a suspected problem.
Many medical device SOPs don’t adequately cover cybersecurity, yet it’s quickly becoming one of the most vulnerable operational dimensions.
What’s more, it’s often the first place the FDA or other regulators look during an audit. Besides training, other procedures that should be updated for greater cyber awareness are:
- Inventory/asset management: the more detailed the information held for each device, the easier it will be to smartly utilize and manage your available assets. It also makes your efforts to proactively maintain and protect your medical devices a lot more straightforward. For example, a management system that tracks your inventory according to device name and description, physical & logical (e.g. IP address) location, operational status, active software versions, patch statuses, etcetera, makes it much easier to monitor for vulnerabilities and alert managers when intervention is required.
- Risk assessment: risk assessments are already an important part of clinical engineering, but the scope of those assessments needs to be extended to cover cyber considerations such as known device vulnerabilities (taken from CVE lists and manufacturer disclosure statements), new vulnerabilities (revealed through pen testing), and latent network or IT infrastructure weaknesses.
- Incident response procedure: the recently issued FDA medical device incident preparedness and response playbook provides useful guidance on medical device-specific incident response planning — including stakeholder communications, notification to regulators and manufacturers et al, business continuity and post-incident reviews.
The AAMI guide on medical device cybersecurity is also worth consulting when considering medical device SOP and training amendments.
Leveraging Cyber Tools to Streamline Medical Device SOP and Management Workflows
Cybersecurity solutions built for endpoint mapping and network visualization can be leveraged to see how medical devices are being used and to make sure that they’re working as intended.
Modern healthcare cybersecurity solutions have functionality that maps directly to the responsibilities of the clinical engineering team:
Operational fluidity: aside from recording device information that helps cybersecurity, an inventory management system supports procurement planning, helps optimize deployment of high revenue generating devices, and allows maintenance downtime to be intelligently planned to minimize operational disruption.
Recall management: a data feed updated in real-time with information from manufacturers or regulators about medical devices requiring recall, automatically cross-referenced against devices in use, will help preempt problems.
Performance optimization: monitoring a device’s behavior can provide useful information about possible problems. For example, battery power being consumed at an above normal rate, or irregularities in device performance can indicate or even trigger problems. Performance indicators of these types can be linked to automated alerts sent to the medical device team, allowing them to take prompt action.
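As an added illustration (not code from the original article or from any vendor product), the Python below performs the cross-reference that the inventory/asset management bullet and the recall management paragraph above describe: a constructed device inventory, recorded with the fields the article lists (model, IP, physical location, software version, status), is matched against a constructed vulnerability/recall feed, and an alert is produced for every deployed device still running an affected version. Device models, IP addresses and advisory ids are placeholders, not real products or CVE/recall numbers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:            # one inventory record; fields follow the article's list
    asset_id: str
    model: str
    ip: str              # logical location
    location: str        # physical location
    sw_version: str
    status: str          # "in_use", "spare" or "retired"

@dataclass(frozen=True)
class Advisory:          # one feed entry; ids are placeholders, not real CVE/recall numbers
    advisory_id: str
    kind: str            # "vulnerability" or "recall"
    model: str
    fixed_in: str        # software versions below this are affected

def version_tuple(v: str) -> tuple:
    """Numeric version comparison; pads '2.3' to '2.3.0' so it is not 'below' 2.3.0."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def match_advisories(inventory, advisories):
    """Cross-reference the feed against deployed devices; return one alert per hit."""
    alerts = []
    for dev in inventory:
        if dev.status == "retired":      # retired assets need no intervention
            continue
        for adv in advisories:
            if adv.model == dev.model and \
               version_tuple(dev.sw_version) < version_tuple(adv.fixed_in):
                alerts.append({
                    "asset_id": dev.asset_id, "ip": dev.ip, "location": dev.location,
                    "advisory": adv.advisory_id, "kind": adv.kind,
                    "action": f"update {dev.sw_version} -> {adv.fixed_in}",
                })
    return alerts

# Constructed sample inventory and feed (not real devices or advisories).
INVENTORY = [
    Device("A-1001", "PUMP-X", "10.20.1.15", "ICU bed 4", "2.1.0", "in_use"),
    Device("A-1002", "PUMP-X", "10.20.1.16", "ICU bed 5", "2.3", "in_use"),
    Device("A-2001", "VENT-Y", "10.20.2.7", "ICU bed 2", "1.4.2", "in_use"),
    Device("A-2002", "VENT-Y", "10.20.2.8", "Store room", "1.4.2", "retired"),
]
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "vulnerability", "PUMP-X", "2.2.0"),
    Advisory("ADV-PLACEHOLDER-2", "recall", "VENT-Y", "1.5.0"),
]
```

Running `match_advisories(INVENTORY, ADVISORIES)` yields two alerts, one for the pump on 2.1.0 and one for the in-use ventilator on 1.4.2; the pump already on 2.3 and the retired ventilator produce none.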
With the increase in connected medical devices, the risk of malicious attacks is growing — 77% of hospitals are concerned about unsecured medical devices — and cybersecurity is already a key component of the hospital strategic planning process. It’s a natural next step to make cybersecurity an integral part of normal clinical engineering workflows.
Aside from helping prevent attacks on medical devices and ensuring nothing is preventing them from performing as designed, the clinical engineering team can also play an important role in delivering a security-aware culture across the hospital. And if that can be achieved, the entire organization will be a lot better off.