Medical Device Cybersecurity
This month's Viewpoint was provided by Debby Shapero Propp and Anita Fineberg from the Health Lawyer Network. They can be contacted at www.healthlawyernetwork.ca
From lost laptops to hackers stealing data from millions of Target customers, 2013 saw an upswing in data breaches. For those in the healthcare sector charged with protecting patient health information, 2014 will bring additional concerns related to medical device cybersecurity.
The list of medical devices is almost endless – pacemakers, insulin pumps and networked systems are increasingly being used in the care of patients. Such devices are capable of storing and transmitting patient medical information.
Cybersecurity breaches pose risks to:
· patients – demonstrations have illustrated how an insulin pump can be remotely reprogrammed to deliver lethal doses of insulin, and how an implantable defibrillator can be remotely reprogrammed to withhold therapy or deliver shocks; and
· healthcare institutions – unauthorized access to patient data; exposure if the device is connected to the facility network; compromised patient care and clinical productivity; class action lawsuits based on the compromise to patient health and the breach of patient privacy; complaints filed with regulators claiming that the institution did not have adequate security controls in place to protect patient data.
To get ahead of these cybersecurity exposures, we propose a two-pronged risk management strategy for healthcare institutions:
· address your security and privacy vulnerabilities and
· augment your procurement strategies
The security and privacy strategy is significant yet achievable within the healthcare sector. For example, medical devices must be identified, and their personal health information holdings must be included in assessments of the facility’s privacy and security risk exposure. Network connections should also be reviewed.
The procurement strategy involves using the RFP process to obtain and evaluate information about how the device addresses cybersecurity risk. Critical questions may be asked about how the device processes and protects patient data. Looking south of the border will provide some direction. Developing a procurement process that involves internal subject matter experts from different departments can provide the expertise needed to ask relevant questions.
We predict that the vulnerability of medical devices, with its potential for deadly consequences for patients and legal exposure for institutions, is an issue that will receive increased attention in 2014. Healthcare executives who wish to be proactive should consider implementing a risk management strategy that addresses privacy and security vulnerabilities in medical devices and procuring new devices that manage these risks.