by John R. Fischer, Senior Reporter | October 13, 2021
From the October 2021 issue of HealthCare Business News magazine
A total of 239.4 million cyberattacks were attempted on healthcare institutions in 2020, according to security provider VMware. That research also found an average of 816 attempted attacks per endpoint — a 9,851% increase over 2019.
All of this has forced providers and their HTM teams to think seriously about unauthorized access to their most vulnerable systems. One specific type is legacy devices, which are no longer supported, serviced or patched by the manufacturer.
“It’s very hard to justify from an organizational perspective getting rid of something even if it still works just because it’s no longer supported,” said Samantha Jacques, VP of clinical engineering at McLaren Health Care, during a session at the virtual 2021 AAMI eXchange. “The problem with that is that we run into cybersecurity issues. Any device that isn’t being updated with patches is a target and has the opportunity to become a vector for cyber issues.”
The session, titled “Securing Legacy Devices — Healthcare Sector Coordinating Council Guidance,” was co-hosted by Jacques and Mike Powers, clinical engineering director for Intermountain Healthcare.
The two encouraged clinical engineering teams to take an active role in cybersecurity, as they often have a better understanding of security and FDA requirements and the life cycle of devices than clinicians and IT departments. They also know how, when, and why to update equipment. Tackling this issue, according to Jacques, requires working with the finance department to understand the cost impact on organizations when an issue arises. The cybersecurity team should be supported, as doing so creates a more proactive method for addressing vulnerabilities before a breach takes place.
One way of doing this is by scanning legacy devices in the provider network, though the tools for doing so can be costly. There are also ways to set up networks in VLAN and other configurations to reduce present vulnerabilities.
A number of resources are available to providers, such as the Joint Security Plan, a very high-level document that discusses how they can keep their entire networks secure and includes a section for medical devices. The Joint Security Plan was developed by the Healthcare Sector Coordinating Council (HSCC), an advisory council of volunteers from healthcare delivery organizations and medical device manufacturers working to identify and mitigate cybersecurity threats that hinder delivery of healthcare services in the U.S.