Study Finds Significant Lack of Regulation in Health Care Networked Medical Devices
In June of 2021, the U.S. Department of Health and Human Services (HHS) identified a significant concern regarding cybersecurity and information security in the health care field: the lack of oversight of cybersecurity for networked medical devices in hospitals. HHS found the Centers for Medicare and Medicaid (CMS) and Medicare accreditation organizations (AOs) do not impose requirements for networked medical device cybersecurity. These devices, including diagnostic imaging equipment, pacemakers, infusion pumps, etc., are connected to hospital networks and can be just as susceptible to cyberattacks as a phone or computer. Even more detrimental is the access to patient information on these networked medical devices.
Scope of the Issue
There can be up to tens of thousands of networked medical devices connected to a single hospital’s network, and although they may not be directly connected to an electronic health record (EHR) system, the devices still connect to the same network to which the EHR is connected. Since the system is only as strong as its weakest link, networked devices with no security are a vulnerability. The information stored in health care systems is particularly valuable to cyber criminals as it includes data such as credit card numbers, Social Security numbers and intellectual property in regard to medical research. Patient privacy is also at risk should protected health information (PHI) be unlawfully accessed. Furthermore, health care organizations that fail to protect PHI as a result of a cybersecurity attack may be subject to penalties under the Health Insurance Portability and Accountability Act (HIPAA).
Possible Cyberattack Outcomes
Cyberattacks on health care systems can be costly to resolve. Hospitals and health care systems also should consider the implications of ransomware lost time, lost data and HIPPA violation fines. Outside of financial and operational losses, one death has been definitively connected to a cyberattack at a hospital in Germany. The attack shut down the hospital’s systems, and it had to turn away a patient who then died in route to another hospital. The consequences of cyberattacks are thus not only financial, but very tangible in the way they affect data and even patients’ ability to be treated.
Fortunately, there are several basic steps that many health care systems can implement to be proactive in the fight against cyberattacks.
- Information security: can be prioritized as a risk-management issue. Committing to the creation of a committee or a team lead solely for the purpose of information and technology security is paramount.
- Employee education: recognizing the importance of employee education is beneficial. By educating health care employees to remain vigilant and suspicious of anything strange or out of the ordinary, health care systems can safeguard their information.
- Policies: health care systems can create a policy on technology and information security in addition to an incident response plan. By planning when a system might fail, how it might fail, what information could potentially be exposed, and how to resolve the breach, the system can be prepared.
HHS concluded its study of networked medical device cybersecurity with the recommendation that CMS “identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospitals.” Until those regulations are issued, however, hospitals can take proactive steps to address cybersecurity now. Unfortunately, it is often not a question of if a system will be breached, but when.
Should you have any questions regarding CMS’s cybersecurity recommendations, please contact Ms. Rubin.
Lauren A. Schaffer, a law clerk with Eastman & Smith and a third year law student at the University of Toledo School of Law, contributed to this article.
Disclaimer: The article in this publication has been prepared by Eastman & Smith Ltd. for informational purposes only and should not be considered legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney/client relationship.