All too often, when faced with a decision to invest in cybersecurity, organizations choose to pass on that investment. It’s easy to see why. It can be hard to justify an ROI for cybersecurity, so when assessing options for their limited funds, boards and management often find it more attractive to invest in things that guarantee a return on investment, such as surgery suites or even new EMR systems.
In doing so, they may be overlooking the impact cybersecurity incidents can have on patient safety. Senator Mark Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, recently published a report, Cybersecurity is Patient Safety, to bring attention to the risks that security incidents pose to patient safety. Senator Warner’s report pointed out the increased vulnerability of the healthcare sector to cyberattacks due to its reliance on legacy technology.
This follows an FBI notice in September 2022 which warned the healthcare industry about increasing vulnerabilities from medical devices that run on outdated software without sufficient security protections.
A study performed by the Ponemon Institute, Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care, surveyed 641 IT and IT security practitioners in healthcare organizations. 67% of respondents reported that a ransomware or phishing attack disrupted patient care. Even more disturbing was the admission that mortality rates increased for at least 24% of the respondents due to a ransomware attack. Even if mortality was not impacted, 64% of respondents indicated that the ransomware attack caused delays in procedures and tests that resulted in poor outcomes. As with Senator Warner’s report, one of the areas of greatest concern in this study was insecure medical devices. A subsequent study by the Ponemon Institute, The Impact of Ransomware on Healthcare During COVID-19 and Beyond, indicated that only 36% of respondents say their organizations are effective at maintaining control of their medical devices and only 35% are effective at monitoring for end-of-life or out-of-date operating systems in medical devices.
Perhaps most alarmingly, healthcare organizations tend to address this risk by ignoring it. The HIMSS 2020 Cybersecurity Survey noted that only 29% of respondents included medical devices in their annual risk assessment.
HIPAA requires organizations to perform risk assessments. This requirement was reinforced by the HIPAA Safe Harbor Rule, which directed the Department of Health and Human Services (HHS) to reduce its enforcement efforts if organizations had implemented recognized security practices that include a comprehensive risk assessment. A comprehensive risk assessment should cover all areas of risk. It’s unlikely that HHS will be impressed with a risk assessment that excluded medical devices if those devices were related to a breach. Make sure your risk assessment evaluates your organization’s risk from medical devices and mitigates that risk.
At a minimum the following controls should be implemented for your devices to help mitigate your risks:
Copyright © JD Supra, LLC