Medical Devices: The Next Weak Link in Cyber Security

In the wake of the recent worldwide “WannaCry” ransomware attack, you may be thinking about how you can protect your practice’s data from invasion.

Or, maybe you breathed a sigh of relief that the United States wasn’t much affected, and didn’t think much more about it. But that’s not a good idea. “Ransomware has reached Texas,” Texas Medicine magazine reported in 2016. “Big practice, small practice, or in-between, the recent rise of ransomware poses a serious threat. When that threat becomes reality, it can leave physicians feeling helpless.”

The American Medical Association advised physicians on how to respond to WannaCry and other computer virus infections, and how to avoid infection by ransomware delivered via email attachments or links. AMA also has resources to help physicians conduct a checkup of their systems, and to secure their networks and office computers.

But complicating the cyber security risk in health care is a threat to medical devices, notes a law firm specializing in data security, because more and more these devices have internet connectivity for monitoring patients remotely.

“The risks created by that trend are poorly understood by manufacturers, designers, prescribers and end-users,” Baker Donelson law firm says. “Most notably, medical devices do not run antivirus software, are not easily patchable, and therefore are not generally updated timely.” In addition, often it’s easy to find passwords in the device documentation, the law firm says, while users commonly fail to wipe localized data from medical equipment. 

With this in mind, the Baker Donelson law firm offers these suggestions to “prepare for the worst:” 

  • Know where your data reside and how they are flow:Your data security program is only as good as your data map and information governance programs,” the law firm says. Follow a strict plan for destroying unneeded data.
  • Make sure your backup and disaster recovery plans and data security program (e.g., your HIPAA security plan) include up-to-date procedures relating to medical devices.
  • Have ready access to emergency contact information for your cyber liability attorney, and also for an outside consultant to respond to a data security incident, in case you need one. Be prepared to notify and work with device manufacturers and various governmental entities, when applicable.
  • Review your cyber liability insurance coverage to make sure it is adequate and allows you to work with attorneys and vendors you trust.
  • Run a simulation exercise on a ransomware attack. “Immediate response and strong downtime procedures are key to surviving any attack,” Baker Donelson says. Practice using backup systems, including paper-based procedures, during the exercise.
  • Factor medical devices into your risk assessment and risk management plans; they are risks you need to manage. 
  • Conduct due diligence on all device vendors and business associates. 
  • Keep your emergency communication systems separate from your daily work/production systems in case they are compromised by an attack.
  • Be sure to follow the most recent manufacturer guidelines for data security of medical devices and for wiping data from devices between users. 

Read the full article from Baker Donelson. For more information about ransomware, visit the TMA Ransomware and Cyber Security Resource Center

Published May 25, 2017

TMA Practice E-Tips main page

Last Updated On

April 19, 2018