Healthcare organizations and hospital providers are progressively making changes to become more digitally interconnected and interoperable using networked clinical systems and cloud-based operations, but this progress has exponentially increased the available surface area and opportunity for cyber threats. To date, hospitals have experienced email attacks, ransomware, external viruses and data breaches that have wreaked havoc on their infrastructures. With the significant rise in the use of connected medical devices, despite their potential for impacting care, there is an additional, and growing risk that malicious threat actors could modify or control connected devices and patient data, and potentially create patient privacy risks. Medical device manufacturers like GE Healthcare are vigilant in understanding device risk factors and defining, developing and embedding risk-based security controls in these devices to help protect the security of hospitals and healthcare networks, patient privacy, patient health information and most importantly, patient care.
Making Security a Top Design Priority
From health apps that monitor pacemakers via Bluetooth® to smart drug delivery devices that send updates to healthcare providers, and medical devices that deliver radiation for imaging purposes or cancer treatments, connected medical devices are directly involved in delivering care to patients, often making it more personalized, responsive and effective.
At GE Healthcare, product design teams work with cybersecurity specialists to develop security controls to determine the appropriate set of security requirements to apply to any given medical device .
In light of this direct role, there is a coordinated effort to develop and strengthen security controls when designing new medical devices to protect patient health information and patient privacy, and to protect the proper functioning of the device. At GE Healthcare, product design teams work with cybersecurity specialists to develop security controls to determine the appropriate set of security requirements to apply to any given medical device.
Security in Deployment
Once a medical device is in operational use, it is typically integrated with a number of disparate technologies and services from different vendors, which can expose security flaws through their integration. This is the point at which medical device manufacturers need to also have controls in place to mitigate risks from outside sources. From security features embedded within the product specifications, to third party software that can be used with the device and routine security patches that are tested and deployed, GE Healthcare works to assess and mitigate risks in its operational devices in the field to help prevent connected devices from being breached. Each connected medical device should work in tandem with a healthcare organization’s own security plan and include security controls that are embedded at technical, operational and management levels to protect the device, the data and the network. Strong passwords and data encryption are examples of technical security controls that are often used with medical devices but may not be appropriate based on technical or operational risk. Standard operation practices and controls can be in place regarding who can access, manage and audit information from these devices as well. Organizational level security controls involve personnel, screening and training controls to protect the integrity of the data and privacy of patients in a healthcare facility or network. The roles and responsibilities in every organization should be well-designed with respect to practices for maintaining security and instances where a breach is suspected or has occurred.
GE Healthcare works to assess and mitigate risks in its operational devices in the field to help prevent connected devices from being breached.
Asset Management, Service and Planning
All too often, budget constraints, growth opportunities or healthcare consolidation or other projects redirect funding that would otherwise be utilized toward medical device upgrades. That said, many medical devices continue to be operational, despite outdated serviceability, which can create exploitable weaknesses for cyber attackers. Hospitals and healthcare networks should maintain updated inventory records on all operational devices and conduct security reporting to continually assess risk. Device manufacturers are on task as well to maintain data on their operational devices in the field and to support security risk management throughout the useful life of the device. GE Healthcare works with its customers to help maintain upgrade plans for each device or fleet of devices that not only allow providers to continue to offer high quality care to patients, but also to provide optimal protection from security threats. The end goal is to minimize the vulnerabilities in medical device connectivity with a system of security controls and risk management tools at each point in the life of its medical devices, from product design to operational use and support through end of product life to help ensure device security.
GE Healthcare works with its customers to help maintain upgrade plans for each device or fleet of devices that not only allow providers to continue to offer high quality care to patients, but also to provide optimal protection from security threats
Full Engagement, Full Benefit
Ensuring patient security in connected medical devices is really an area where full engagement should be seen across the industry. GE Healthcare relies on a high level of collaboration with its customers as well as other manufacturers on this topic to elevate the industry and its contribution to enabling healthcare providers’ progress in improving patient outcomes. Healthcare providers should never have to consider which manufacturer’s devices are more secure than others, and patients should be able to walk into any facility with a level of trust in the overall safety and security of that environment.
1 Applies only to medical devices covered by a GE Healthcare service contract.