Healthcare Organizations – Protect Yourself from Cyber Threats When Purchasing Devices and Equipment.
The 2018 Verizon Data Breach Investigations Report indicates that healthcare operations are rife with error and misuse, with ransomware being endemic in the healthcare industry. Meanwhile, healthcare organizations of all types and sizes (from large hospital systems, laboratories and health plans to smaller organizations, such as billing services and physician practices) are purchasing products which are integrated into their operations. When buying these products is cybersecurity foremost in their mind?
With HIPAA regulated patient data (“PHI”) being stored on photocopiers, practice management systems, test instruments, medical devices, X-ray machines and MRIs, to name a few locations, the potential harm to a healthcare organization and its patients from a cybersecurity incident is very high. Even small medical practices can have many pieces of equipment and medical devices integrated into their information system infrastructure, and therefore potentially accessible from the World Wide Web. With that accessibility comes the potential for malware to infiltrate a system. Some malware may just be a nuisance which slows things down, while other malware can capture patient information or shut down operations. Cybersecurity vulnerabilities in these connected devices which are not addressed or remediated may serve as access points for malicious actors to enter the healthcare organization’s system.
As noted in an article in HealthITSecurity.com, IBM Security Sr. Threat Researcher John Kuhn indicated, “Every time a healthcare organization adds another device to its network, it is another potential point of attack.” Recent significant cybersecurity incidents include one against LabCorp, the nationwide clinical lab testing company. As a result of a “Samsam” ransomware attack in July 2018, the LabCorp network had to temporarily go offline. It’s been reported that this attack resulted in Samsam encrypting thousands of systems and several hundred production servers. It’s quite clear that an incident of this nature has the potential to negatively impact the healthcare of millions of patients.
In light of malware risks, what should a healthcare organization be thinking about when evaluating new equipment or devices, and what should it include in the contracts for those purchases? For medical devices subject to FDA regulation, the FDA recently issued a new Medical Device Safety Action Plan. As stated in the action plan, “Although medical devices provide great benefits to patients, they also present risks.” Part of the action plan addresses cybersecurity of the devices as a patient safety concern, and the FDA requires cybersecurity to be included in product design and development. That’s good to know for FDA regulated devices being purchased, though it’s not going to apply to the photocopier, fax machine or other non-regulated devices.
The Solution – Practical Steps To Minimize Cybersecurity Risk Associated with New Devices and Equipment
In light of the escalating nature of the inherent risk from third party attacks as well as insider mistakes, healthcare providers can and should be out in front of those risks when evaluating and purchasing new products. Due diligence is important in evaluating the seller and its commitment to cybersecurity protection elements in its products.
Vendor and Product Evaluation and the Purchase Process
- Cybersecurity Checklist: Example Questions
  - What steps have been taken in the product design to address cybersecurity risks, and what does the manufacturer see as the most significant cybersecurity risks to its product?
  - What is the process and frequency for issuing firmware updates and patches to address newly identified vulnerabilities in the product?
  - To the extent data is being transmitted via the product, is the transmitted data encrypted?
  - What methods exist by which malicious software could enter the product, such as USB ports and Wi-Fi?
  - For products requiring regular maintenance, does the maintenance include cybersecurity elements, and what needs to be considered to address the end of life of operating systems (such as when Microsoft is no longer supporting Windows 10) which could impact the product’s performance and availability?
  - What controls does the manufacturer recommend or require be in place to protect the product?
  - What are the manufacturer’s obligations related to cybersecurity, and what are the buyer’s?
- Team Members: A multi-disciplinary approach should be used in addressing new purchases, getting input from operations, medical staff, information technology, purchasing and legal experts to identify the important cybersecurity areas of concern. These individuals should be involved before vendors selling the product are assessed, including in developing a request for proposal (“RFP”) or other procurement process used in the organization.
- Research: Become educated in the types of cyber threats that exist. Look to all available materials associated with the equipment to understand what the manufacturer is doing, on an ongoing basis, to protect against cybersecurity risks.
- Contract Terms: An exhaustive list of the right cybersecurity contract terms can’t be provided in this article, and what is appropriate will vary depending on the product in question. One standard provision is a requirement that the product has been designed and manufactured to prevent cybersecurity vulnerabilities and has been tested to detect them, adhering to NIST or other recognized security standards. Also, the supplier should have an obligation to promptly notify the buyer when it becomes aware of cybersecurity vulnerabilities in the product, with further obligations to promptly provide a patch or other remedy consistent with industry best practices.
Preventing a healthcare organization from suffering privacy breaches is an ongoing battle which is not going away. Experts continually point out that healthcare organizations are high priority targets of cyber thieves. By keeping up to date on cyber threats and updating security, risks can be minimized, though unfortunately not eliminated. When it comes to equipment and devices connected to an information system or network, an adequate defense starts with engaging the appropriate subject matter experts in the procurement, evaluation and contracting process.
Notice: This article is for informational purposes only, and does not constitute legal advice. If you are purchasing new equipment or devices for your healthcare organization you should engage the services of qualified professionals to assist in helping protect your patients and business.
David Meinhard, Esq. is a licensed attorney, and Counsel with Harwood Lloyd, LLC. His legal concentration is in healthcare and data privacy law.
Notes
1. The 11th annual Verizon report on data breaches, based on information gathered by Verizon and other contributors: https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf
2. The Privacy & Security regulations of the Health Insurance Portability & Accountability Act.
3. While proactively addressing cybersecurity in new purchases is important, don’t overlook proper maintenance of legacy devices which may have been designed and manufactured at a time when cybersecurity concerns were not as prevalent.
4. National Institute of Standards and Technology.