ECRI Webinar Recap: Cybersecurity Incidents – A Threat to Patient Safety and Healthcare Delivery

Agilis would like to thank ECRI for putting together this informative webinar. Please note that this webinar is part of an ECRI report, Top 10 Technology Hazards of 2022, in which cybersecurity incidents are one of the ten hazards listed.

Agilis Takeaways:
Written by: Abby Pandey

Cybersecurity is the number one technology hazard to healthcare systems in 2022 (and likely beyond), according to ECRI. During a recent webinar, ECRI brought together industry and government experts to discuss current trends in cybersecurity, and they all agreed: it is no longer a matter of whether a given healthcare facility will be hit by a cyberattack, but when. Given the stakes for patient care, the best defense is a proactive one, in which medical device manufacturers, healthcare delivery organizations (HDOs), and the FDA work together to promote patient safety.

Device Manufacturers:  

  • Understand the changing landscape of care: Understand the device’s use environment, especially given the changes brought on by COVID. Health care providers (HCPs) are treating patients in their cars and in tents. Staff interacting with medical devices may be tired or burnt out.    

  • Plan early: Incorporate cybersecurity into the device's design phase so that HCPs using the device can identify and report a cybersecurity issue. Use processes like threat modeling to document the system's intended use, justify trade-offs made during design, identify the remaining threats to the system, and explain what mitigations are in place against them. The FDA hopes to see more of this information in premarket submissions (see MITRE's Playbook for Threat Modeling Medical Devices: https://www.mitre.org/sites/default/files/publications/Playbook-for-Threat-Modeling-Medical-Devices.pdf).
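To make the "identify remaining threats and explain mitigations" step concrete, the script below is an added example (not code from the webinar, ECRI, MITRE's playbook, or any real device). It applies STRIDE to every data flow that crosses a trust boundary, subtracts the mitigations the design documents, and lists the residual threats that still need a justification. The pump, zones, flows, and mitigations are constructed for illustration.

```python
"""Threat-model coverage check: list the STRIDE threats for every data flow that
crosses a trust boundary, subtract the mitigations the design documents, and
report what remains. The device, zones, flows and mitigations below are
constructed for illustration; they are not taken from MITRE's playbook or from
any real product."""
from dataclasses import dataclass, field

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")


@dataclass(frozen=True)
class Flow:
    name: str
    source: str
    dest: str
    src_zone: str   # trust zone the data leaves
    dst_zone: str   # trust zone the data enters


@dataclass(frozen=True)
class Mitigation:
    flow: str
    threat: str     # one of STRIDE
    control: str
    rationale: str  # the design trade-off the playbook asks you to justify


@dataclass
class ThreatModel:
    intended_use: str
    flows: list = field(default_factory=list)
    mitigations: list = field(default_factory=list)

    def boundary_crossings(self):
        """Flows whose endpoints sit in different trust zones are where STRIDE is applied."""
        return [f for f in self.flows if f.src_zone != f.dst_zone]

    def residual_threats(self):
        """(flow, threat) pairs with no documented mitigation; each needs a written justification."""
        covered = {(m.flow, m.threat) for m in self.mitigations}
        return [(f.name, t) for f in self.boundary_crossings() for t in STRIDE
                if (f.name, t) not in covered]

    def unknown_mitigations(self):
        """Mitigations that reference a flow or threat the model does not define (documentation errors)."""
        names = {f.name for f in self.flows}
        return [m for m in self.mitigations
                if m.flow not in names or m.threat not in STRIDE]


def build_example_model():
    """Constructed infusion-pump-style model with three zones: device, hospital network, vendor cloud."""
    tm = ThreatModel(intended_use="Deliver programmed infusions; report telemetry to the hospital gateway.")
    tm.flows += [
        Flow("telemetry", "pump", "gateway", "device", "hospital_network"),
        Flow("firmware_update", "vendor_server", "pump", "vendor_cloud", "device"),
        Flow("local_ui", "touchscreen", "pump_controller", "device", "device"),  # no boundary crossed
    ]
    tm.mitigations += [
        Mitigation("telemetry", "Spoofing", "mutual TLS with a per-device certificate",
                   "gateway must know which pump is reporting"),
        Mitigation("telemetry", "Tampering", "TLS integrity protection", "same channel as above"),
        Mitigation("telemetry", "Information disclosure", "TLS encryption", "telemetry carries patient data"),
        Mitigation("firmware_update", "Spoofing", "updates accepted only from a pinned vendor key",
                   "vendor server identity cannot rely on the hospital network"),
        Mitigation("firmware_update", "Tampering", "signed firmware image verified before install",
                   "a tampered image could change dosing behaviour"),
        Mitigation("firmware_update", "Information disclosure", "TLS download channel",
                   "image contents are vendor confidential"),
        Mitigation("firmware_update", "Elevation of privilege", "signature check runs before unpacking",
                   "parser bugs must not be reachable by unsigned input"),
    ]
    return tm


def residual_report(tm):
    """Human-readable list of threats still undocumented, plus any broken mitigation references."""
    lines = [f"Intended use: {tm.intended_use}"]
    for flow, threat in tm.residual_threats():
        lines.append(f"RESIDUAL  {flow:16s} {threat}")
    for m in tm.unknown_mitigations():
        lines.append(f"UNKNOWN   mitigation refers to {m.flow}/{m.threat}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(residual_report(build_example_model()))
```

Running it lists five residual threats (repudiation and denial of service on both crossing flows, plus elevation of privilege on telemetry) and nothing for the local UI flow, which never leaves the device zone. In a real submission each residual line would be either mitigated or accepted with a written rationale; the point of the check is that nothing crossing a boundary goes undocumented.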

HDOs:  

  • Gone phishing: A cybersecurity breach is not just an IT department problem. An effective response plan incorporates individuals at all levels of patient care. Hospitals should be prepared for failure and engage their staff in building an effective recovery process. Leverage existing frameworks, such as annual trainings, to train clinical staff, and speak their language so they understand how a cyberattack can affect patient safety.

  • Know what you’re getting: Hospitals can request a Software Bill of Materials (SBOM) during the medical device procurement process to identify and address vulnerable device components. It is good practice to involve the cybersecurity team in procurement.

  • Know what you have: Legacy medical device operating systems are known to be particularly vulnerable to cyberattacks, so keep an accurate inventory of the devices in use and the software they run.

  • We’re all in the same cybersecurity boat: A cyberattack on one facility has ripple effects on the surrounding medical facilities, so the response needs an ecosystem perspective. If a facility is attacked and can no longer provide patient care, a regional plan for how the surrounding facilities will take on its patients should already be in place.
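The "Know what you're getting" point above is only useful if someone actually checks the SBOM against known-vulnerable versions. The script below is an added example (not code from the webinar, ECRI, or any vendor) of that check: it reads a CycloneDX SBOM, matches each component's version against an advisory list, and separately flags components the SBOM does not describe well enough to assess. The SBOM, the advisories, and the EXAMPLE-ADV identifiers are constructed for this example and are not real CVEs.

```python
"""Check the components in a CycloneDX SBOM against a list of advisories and
report matches plus components that cannot be assessed. The SBOM and the
advisories are constructed for this example; the advisory IDs are placeholders,
not real CVEs, and matching is by component name and version range only."""
import json
import re

# Constructed CycloneDX 1.4 document, as a device vendor might supply it.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.0.2u",
     "purl": "pkg:generic/openssl@1.0.2u"},
    {"type": "operating-system", "name": "linux-kernel", "version": "3.10.0",
     "purl": "pkg:generic/linux-kernel@3.10.0"},
    {"type": "application", "name": "busybox", "version": "1.31.1",
     "purl": "pkg:generic/busybox@1.31.1"},
    {"type": "library", "name": "requests", "version": "2.25.1",
     "purl": "pkg:pypi/requests@2.25.1"},
    {"type": "firmware", "name": "vendor-bootloader",
     "purl": "pkg:generic/vendor-bootloader"}
  ]
}
"""

# Constructed advisories: a component is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "openssl", "introduced": "1.0.0", "fixed": "1.1.0"},
    {"id": "EXAMPLE-ADV-0002", "component": "linux-kernel", "introduced": "3.0", "fixed": "3.10.1"},
    {"id": "EXAMPLE-ADV-0003", "component": "busybox", "introduced": "1.0", "fixed": "1.31.0"},
    {"id": "EXAMPLE-ADV-0004", "component": "requests", "introduced": "2.0", "fixed": "2.25.0"},
]


def version_key(v):
    """Turn '1.0.2u' into a tuple that orders numerically per field; letter suffixes sort after digits."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok)
                 for tok in re.findall(r"\d+|[A-Za-z]+", v))


def in_range(version, introduced, fixed):
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def load_components(sbom_text):
    return json.loads(sbom_text).get("components", [])


def match_advisories(components, advisories):
    """Return advisory hits and the components the SBOM leaves unassessable (no name or version)."""
    vulnerable, unresolvable = [], []
    for comp in components:
        name, version = comp.get("name"), comp.get("version")
        if not name or not version:
            # An SBOM entry without a version cannot be matched; push back to the vendor.
            unresolvable.append(comp.get("purl") or name or "<unnamed>")
            continue
        for adv in advisories:
            if adv["component"].lower() == name.lower() and in_range(version, adv["introduced"], adv["fixed"]):
                vulnerable.append((comp.get("purl", name), adv["id"]))
    return {"vulnerable": vulnerable, "unresolvable": unresolvable}


def assess(sbom_text=SBOM_JSON, advisories=ADVISORIES):
    return match_advisories(load_components(sbom_text), advisories)


if __name__ == "__main__":
    result = assess()
    for purl, adv in result["vulnerable"]:
        print(f"VULNERABLE   {purl}  ({adv})")
    for item in result["unresolvable"]:
        print(f"UNRESOLVABLE {item}  (missing name or version in SBOM)")
```

On the constructed input this reports the OpenSSL and kernel components as affected, leaves BusyBox and requests alone because their versions are at or past the fixed release, and flags the bootloader because the SBOM gives no version for it. That last case is the one to watch for in procurement: an SBOM with unversioned entries cannot be assessed and should be sent back before the device is accepted. Real matching also has to handle ecosystem-specific version schemes and identifiers (purl types, CPEs), which this example deliberately leaves out.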

FDA:  

  • Who are the experts? FDA wants to see a more universal approach to building cybersecurity into a medical device and one of the ways to do this is to bridge the educational gap between the biomedical engineering and cybersecurity communities.  

  • Need for an easier reporting platform: Currently, cybersecurity threats can be reported to the FDA (via cybermed@fda.hhs.gov) or to the FBI's CyWatch (via cywatch@ic.fbi.gov). There is a need for a VAERS-like database for medical devices to reduce the barriers to reporting potential cyberthreats and to provide much-needed data to researchers studying these threats. Analyzing that data can help stakeholders understand the kinds of threats they face, which in turn leads to more robust response plans.

Conclusion:

Meaningful change requires meaningful action. To mount an effective defense against cybersecurity threats, the FDA, HDOs, and device manufacturers should work in tandem to ensure that, above all, they do no harm.
