Healthcare information technology is on the brink of a paradigm shift on account of an increase in media interest and public scrutiny, and as a result cybersecurity has recently become a source of major concern in the healthcare industry. There is a push to implement electronic medical records, and there are substantial risks associated with this critical initiative. These risks need to be identified and managed. This article is the first in a four-part series on cyber risk management in healthcare.
Medical device cybersecurity threats have the potential to jeopardize the integrity of hospital information technology (IT) networks and the operation of medical equipment. Medical device interoperability has been identified as a key way of decreasing healthcare costs while improving patient care. This has led to a shift toward placing more medical devices onto information technology (IT) networks. However, placing medical devices onto an IT network may lead to additional risks to safety, effectiveness and security of the devices, the network, and the data.
Thus, it has become imperative for healthcare facilities to detect and respond to the cybersecurity risks of their medical devices and IT infrastructure. In this paper, we explore the importance of medical device cybersecurity and the consequences of security breaches. We also introduce a few key steps that a healthcare facility should consider when developing a cybersecurity risk management plan. The interoperability and interconnectivity of medical devices create cybersecurity issues that were previously unknown in the healthcare industry.
In the past, medical devices were often stand-alone devices that were not connected to the hospital network. Although they were still susceptible to infections through non-network factors, the cybersecurity risks of these devices were likely lower.
- Devices that rely on off-the-shelf software, particularly commercial operating systems (e.g., versions of Microsoft Windows), are also vulnerable to a large variety of threats, such as malware and viruses.
- With the increased emphasis on interconnectivity of medical devices, more ways exist for these devices to be exploited and attacked.
Today’s monitoring systems may be asked to transfer patient data to electronic medical records or even relay alarm information to personal mobile devices (e.g., cell phones). As modern healthcare organizations look for new ways to deliver patient care efficiently and effectively, medical devices are becoming increasingly interconnected.
Threats can infiltrate and infect medical devices through many different avenues; however, in our experience, these are the primary ways in which cybersecurity threats can harm a healthcare facility: by disrupting 1) the operation of medical devices and 2) the integrity of information. Researchers have demonstrated that the operation of certain medical devices can be disrupted to the point that they no longer provide proper patient care. As some medical devices may be life-critical systems, cybersecurity threats that may disrupt device operation can jeopardize patient safety considerably. Because of the sensitivity of PHI (Patient Health Information), hospitals are attractive targets for spyware and phishing attacks aimed at acquiring the information.
Healthcare facilities need to understand the importance of mitigating the risks described above. A detailed categorization of these risks and their management will be published in the upcoming articles of this series.