Gone are the days when clinicians could assume that cybersecurity was the IT department’s domain. With medical devices, sensors, wearables, implantables, robots and other connected digital technologies ubiquitous in medicine and cyberthreats increasing, clinicians should be aware that breaches and attacks can affect care on the frontline and potentially harm patients.
ECRI gave cybersecurity incidents top billing on its annual "top ten" list of technology hazards for 2022 and emphasized the risks they pose to patient safety. "[Cybersecurity] incidents don’t just interfere with business operations — they can disrupt patient care, posing a real threat of physical harm," says an ECRI press release.
Media coverage has primarily drawn attention to ransomware and denial-of-service attacks that disable information systems and websites, which can result in harmful delays in care. The impact on medical devices, which may be incidental, is less well known and understood.
Julian M. Goldman, M.D., anesthesiologist at Massachusetts General Hospital, Director of the MGH Medical Device Interoperability and Cybersecurity Program, and Medical Director of Biomedical Engineering at Mass General Brigham, says, “For the most part, hospitals are not seeing direct attacks on medical devices, but that doesn't mean they won’t be affected, especially incidentally by malware that was not intended for medical devices.”
Device shutdown, inaccurate settings and silencing of alarms are among the possible effects of cyberattacks on medical devices, as highlighted by the American Society of Anesthesiologists’ Cybersecurity Task Force. Dr. Goldman notes, “You may not know how a medical device or system is going to be affected until you disconnect the network and see what fails. It is important to pre-determine what we can continue to do with a compromised network.”
All health care organizations should assume they will someday — perhaps soon — be targeted by cybercrime and plan accordingly. With the risk of harm from breaches and attacks spread throughout organizations, ECRI, the American Hospital Association, World Economic Forum and others believe the threat can be mitigated only with vigilance at all levels. Highly digitized health care systems have interoperable devices and interfaces extending from the executive offices through inpatient and outpatient facilities, to vendors and the homes of individual patients. Potential points of failure are innumerable and distributed in ways that defy control by the IT department.
With frontline staff already stretched thin by workforce shortages, illness, and other demands of an exhausting pandemic, it may seem unrealistic to add to their responsibilities. But with care increasingly dependent on computer-enabled technology, clinicians need more information to stay ahead of the risks to their patients.
Speaking during an ECRI webinar on cybersecurity, Christian Dameff, M.D., Medical Director of Cybersecurity at the University of California San Diego, suggests organizations add cybersecurity to existing clinician training sessions. High-fidelity clinical simulation is one technique UCSD uses to make the effects of cyberattacks real and relatable, using compromised medical devices to illustrate the potential for patient harm.
Reporting is another way to mitigate harm to systems and patients. In addition to training all staff in safe cyber practices, such as protecting logins and passwords, and preparing for disruption and downtime, organizations should encourage clinicians to watch for and report anomalies that may be related to cyberattacks. "Practitioners need to develop a high level of suspicion," says Dr. Goldman. "When a device is not working correctly, it doesn’t necessarily mean it’s broken. You have to add malware cybersecurity to your differential diagnosis."