How medical device security can improve patient safety

This post was sponsored by AT&T Business, but the opinions are my own and don’t necessarily represent AT&T Business’s positions or strategies.

Like most enterprises, healthcare providers (HCPs) have undergone an accelerated digital transformation over the past three years. Telemedicine, which was once considered rare, has become the norm. For consumers, wearable technologies used to be considered a novelty. Now they’ve become commonplace, along with at-home medical devices that often include remote patient monitoring (RPM) capabilities.

Today, digital healthcare goes beyond patient portals and online screening. This technology is impacting diagnosis, treatment plans, and patient monitoring. The COVID pandemic accelerated institutional and consumer acceptance of digital healthcare and the use of at-home connected medical devices. 5G networks are powering much of the innovation in connected medical devices and RPM.

The accelerated adoption of telemedicine, medical devices connected to the internet, and RPM has a downside—an increase in cybersecurity threats to sensitive patient information. The danger may begin with the user and extend to HCP data centers. In these facilities, the network is the foundation for security, beginning with a modernized network that’s built on fiber connectivity. However, these threats also extend to medical devices that are beyond data centers and medical facilities that have become essential to patient care. Connectivity of these medical devices to the network means that security must be part of the strategy as these products are created and used.

Medical device cybersecurity safeguards are not keeping pace with the speed at which new medical devices are being introduced. This cybersecurity gap poses enormous risks not only to HCPs, but, most importantly, to patients as well.

Innovation for these devices continues to improve and be used in patient care. Along with that, network awareness—that is, the understanding of how reliable and secure your network is—is becoming more of a priority so that it can better support the devices. And then there's the security to protect the data they transmit. Cybersecurity measures against attacks and hackers must be part of the immediate and long-term plan to close any potential gaps. 

Let’s dive into some of the topline items you need to know.

Just like a hospital computer needs protection against digital attacks through a reliable, secure network and an established cybersecurity posture, so do digital-reliant medical devices. Increasingly, these devices are transmitting data to multiple endpoints that may also be vulnerable to cybercrime. Medical device security relies on a strategy that considers not only the devices and data centers, but other endpoints where the data they collect and transmit may be vulnerable. It also includes protecting device reliability and integrity so potentially critical information is secure and sent to medical care in a timely manner.

Where does a healthcare organization begin? It begins with the initial device design. HCPs should insist upon this so that privacy and security are already embedded into the device.. It’s important that strong medical device security is in place to protect the sensitive information gathered by these devices and to protect the patients themselves.

Cybersecurity responsibility for medical devices is expansive. HCPs have a primary responsibility for protecting their patients’ information. Healthcare IT teams work to secure and fortify HCPs’ devices, internet connectivity, and device touchpoints to ensure data is protected and that laws mandating the protection of patient information are followed.

Due to the opportunities for security gaps, medical devices present a host of new cybersecurity risks. Often, their development is outsourced to biomedical engineering companies. Since they’re not part of the healthcare system that will be using the devices, there may not only be critical gaps in awareness, but also gaps in medical device security between the manufacturers, the medical facility, and the patient. But how can a healthcare organization know where their security gaps are and how to make a plan to address them?

Cybersecurity starts with a comprehensive assessment. Healthcare organizations need to consult with experienced experts who can objectively review the overall cyber posture. This enables an organization to identify gaps and risk factors, especially those that are unique to the healthcare industry. For example, many medical devices do not have automatic updates and their processing capabilities are not nearly as robust, which can be an opening for cybercriminals.

There are a number of things to keep in mind to close security gaps:

• Patching limits. It may not be easy to upgrade the software in medical devices. HCPs need to communicate and work closely with the medical device manufacturer to ensure that cybersecurity updates and patches are provided to meet evolving cybersecurity threats.
• Longevity. Most computers last 5-8 years. A medical device may be designed to function for 20 years or more. HCPs must plan and provide for lengthy medical device security management policies and procedures.
• Deployment site. Mobile medical devices are often used in a patient’s home. This means the environment is another variable for medical device security.
• Internal threats. Cybersecurity specialists understand that internal, i.e., institutional cybersecurity breaches are often the most frequent. The adoption of Zero Trust—a principle that assumes all traffic can be a threat and evaluates risks from that perspective, can help to address this vulnerability.
• Off-site monitoring. Remote patient monitoring and other mobile uses of medical devices means that the healthcare organization has less control over the network the patent may connect to. Unfortunately, this also creates complications for cybersecurity.

The first step to improving medical device security is to understand the potential gaps of where security may fail. Next is to evaluate the reliability of the network and data centers that will house and transmit their data to the facilities and medical staff that needs to read it. But the steps to improve extend in-house as well. This means ensuring medical facilities are no longer on legacy or copper-based networks and are instead operating on a fiber internet network.

Then there are internal measures for how teams connect, communicate, and share information, not only through business structure but also through voice and collaboration solutions. Connecting your IT staff with other stakeholders, like your compliance department and other internal partners, is vital. Establishing a relationship of open communication, understanding of the overall business and patient goals, and building strong internal partnerships are essential to protecting the medical device security ecosystem.

Because there is such variety and scale in medical devices, it’s a challenge for an IT team to have all the expertise they need in-house. Businesses often need external technology experts to listen to an organization’s needs and goals. From there they'll evaluate where there may be gaps and other vulnerabilities and help make a plan and roadmap for how to address them. This take the pressure off of the business to have all of the answers so they gain an objective perspective on how to best implement comprehensive medical device security.

The key to providing medical device security is to identify infrastructure, network security, and cybersecurity risks before they impact your medical devices. Here are a few best practices that HCPs and their IT departments can follow.

• Protect your touchpoints. Medical devices often connect to different points in an ecosystem where their data is transmitted and analyzed. You’ll want to make sure every touchpoint is protected.
• Manage access. Ideally, each medical device has an authentication system— a way that anyone accessing the device is identified as an approved user. Work with the manufacturer to ensure that security is embedded in the device itself and on by default.
• Manage devices. It’s time to take inventory. Maintain a list of all the medical devices that details how long you’ve had them, vendor information, their function, their software, and update cycle (if any). Keeping an eye on these lists will help your IT team know when it’s time to replace or upgrade devices to ensure security.
• Vulnerability Monitoring. Your IT team must practice constant vigilance. Frequent scanning for vulnerabilities will help detect medical device security issues before they become liabilities. Getting your healthcare facility on SD-WAN will also help with long-term mentoring since every device will be connected to one central cloud.

The FDA offers guidance on communication approaches to discuss with patients medical device security risks¹:

“On December 29, 2022, the Consolidated Appropriations Act, 2023 ("Omnibus") was signed into law. Section 3305 of the Omnibus² amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, "Ensuring Cybersecurity of Medical Devices."³

They’ve included a comprehensive resource to learn more about medical device security.

Medical devices offer exciting new opportunities to improve patient care and outcomes. They also pose enormous cybersecurity risks that require vigilance, agility, and trusted collaboration to overcome.

AT&T Business, the sponsor of this post, is working with its customers to ensure that cybersecurity is the best that it possibly can be to protect the medical device ecosystem— and the healthcare providers and patients who rely upon them.

Learn more about AT&T Business solutions for the healthcare industry or contact your AT&T Business representative.

About Glen Gilmore

For eight years, Glen Gilmore served on the board of directors of a university hospital. He was called a “man of action” by TIME magazine and a “national hero” by the New York Times for his leadership in creating an emergency medical response while serving as a mayor during America’s Anthrax Crisis. Gilmore, an attorney, also served as an adjunct faculty member at a university school of business executive program where he lectured on the subject of “Privacy and Security in Emerging Technologies”. Nothing in this post should be considered legal advice, but purely informational to assist in improving cybersecurity awareness relating to medical device security and the role of 5G network services. 

¹ “Best Practices for Communicating Cybersecurity Vulnerabilities to Patients,” FDA, October 2021, https://www.fda.gov/media/152608/download.

² “Consolidated Appropriations Act, 2023,” H.R. 2617, 117^th Cong. (2023). https://www.congress.gov/117/bills/hr2617/BILLS-117hr2617enr.pdf

³ “Cybersecurity,’ FDA, Accessed March 29, 2023, https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity