Cybersecurity in Health Care: Critical to Patients, Medical Providers

Last year's omnibus appropriation bill passed by Congress made a good start with cybersecurity standards for internet-connected medical devices. But it's only one tiny piece of a large and complex puzzle.

As online threats of various sorts, from malicious hacking to holding data hostage, continue to grow and evolve, the enhancement of cybersecurity has become critical – for industry, healthcare providers, regulators, and policymakers. Thanks to the $1.7 trillion omnibus appropriations bill passed by Congress and signed into law by President Biden late last year, additional cybersecurity requirements will become a key focus for an unobvious sector: medical device manufacturers.

As part of the omnibus bill, Congress authorized the FDA to establish cybersecurity requirements for manufacturers of internet-connected medical devices. This is critical to strengthening the cybersecurity of America’s healthcare system, particularly given the important role these medical devices play in monitoring and ensuring their users' health and collecting and storing highly sensitive patient data. However, it should be viewed as only the first step.

Although Congress and the FDA are right to hold medical device manufacturers to these new standards, there is still more that practitioners and hospitals must do to protect patient data and prevent bad actors from threatening the security of our healthcare system. But to do that, they will need additional resources from the federal government.

Cybersecurity must be a shared responsibility. Hackers can exploit vulnerabilities at many levels of the healthcare ecosystem, and due to various factors — from institutional neglect and insufficient funding to lack of cybersecurity expertise — large swaths of our healthcare system are at risk of cyber-attacks and other threats.

Healthcare organizations are particularly vulnerable and are considered prime targets for cyber-attacks because they're repositories of information of high monetary value to criminals. The targeted data include financial information such as credit card and bank account numbers, personal identifying information like Social Security numbers, and intellectual property related to medical research and innovation.

One of the common ways hackers target hospitals and healthcare systems is through ransomware attacks via phishing emails. From 2021 to 2022, ransomware attacks on healthcare organizations in the United States increased by a staggering 94 percent, according to a report by cybersecurity firm Sophos. Because so many hospitals nationwide operate on razor-thin margins — particularly after the COVID pandemic’s economic toll — many facilities rely on older legacy equipment, including servers and operating systems that are more vulnerable to such attacks.

These kinds of ransomware attacks — 90 percent of which are preventable when organizations follow basic security and risk-management measures — can wreak havoc on hospitals, putting patients and providers at risk. In one of the more egregious examples, an employee at the University of Vermont Medical Center opened a file emailed to her from her homeowners’ association, which hackers had targeted. As a result of this one action, the entire University of Vermont Health Network was forced to cancel surgical operations, reschedule mammogram appointments, and even delay treatments for cancer patients.

Such incidents underscore the need for hospitals and healthcare providers to enhance cybersecurity efforts across the board. According to Josh Corman, head of the Cybersecurity and Infrastructure Security Agency (CISA) COVID-19 task force: “Hospitals’ systems were already fragile before the pandemic. Then the ransomware attacks became more varied, more aggressive, and with higher payment demands.”

One of the ways many hospitals are working to strengthen their resistance to ransomware attacks is through the “3-2-1 backup approach” recommended by CISA. Essentially, this entails saving three copies of critical patient or other healthcare-related data in at least two different formats and storing one copy offline where it cannot be affected by ransomware or other malicious attempts by hackers.

In addition, dividing networks into smaller sections through a segmentation process can help to decrease the odds of a ransomware attack compromising an entire system, by allowing network administrators to isolate and quarantine specific segments corrupted by ransomware.

The Health Sector Coordinating Council, a public-private partnership, and the U.S. Department of Health and Human Services have outlined the five most relevant cyber threats to hospitals and health systems and 10 cybersecurity practices to address and mitigate them. Although this guidance is welcome and helpful, many cash-strapped hospitals are struggling to maintain even a minimum level of protection. As a report by the HHS Office of Inspector General points out, hospitals need additional support and incentives to implement cybersecurity solutions, including funding to train staff.

While the omnibus funding bill passed last year made a good start with cybersecurity standards for internet-connected medical devices, that is only one tiny piece of the puzzle. To better protect patient data and the integrity of our entire healthcare system, Congress must now provide direction and funding for more comprehensive cybersecurity.

CISA gets the last word:

Like combating a deadly virus, cybersecurity requires mobilization and coordination of resources across a myriad of public and private stakeholders, including hospitals, IT vendors, medical device manufacturers, and governments (state, local, tribal, territorial, and federal) to mitigate the risks and minimize the impacts of a cyber-attack. Most importantly, cybersecurity is a shared responsibility, a team effort.

Note: An abbreviated version of this article appeared in Real Clear Health in April 2023.