por
Lauren Dubinsky, Senior Reporter | February 14, 2017
From the January 2017 issue of HealthCare Business News magazine
“It’s meant to help the hospital switch from a reactive stance to more of a proactive stance when it comes to cyber safety,” says Maliff. “They might have their server closet locked down and [train users] to not share passwords, but what else can they be doing to minimize their vulnerability and improve their cyber safety stance?” As part of the service, ECRI sends one of its experts to a hospital to conduct interviews and examine documentation. The expert discusses plans moving forward with key players at the hospital. “When a board member asks what [the hospital] has done to prevent ransomware, senior leaders [better] have an answer for them and the Gap Analysis Service can be part of that answer,” says Maliff.
Ad Statistics
Times Displayed: 19090
Times Visited: 362 Stay up to date with the latest training to fix, troubleshoot, and maintain your critical care devices. GE HealthCare offers multiple training formats to empower teams and expand knowledge, saving you time and money
The deadly risk
In July 2015, Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. That means an unauthorized user could control the device and change the dosage that the pump delivers. No adverse events or unauthorized access to the infusion system were reported at that time, but Hospira decided to discontinue the development and distribution of it.
“The risk is that someone could gain access to a pacemaker and turn it off for that patient or gain access to the infusion pump and deliver a deadly dose of medication, but that’s awfully time-intensive and difficult,” says Maliff. “They have to target that device on that patient when they are using it.” However, there have been many cases in which a hospital’s EHR has been shut down until a ransom is paid in Bitcoin to establish access to operations. Maliff recommends that hospitals have a policy to care for patients if the EHR is compromised. “Up until this time, a lot of hospitals have focused on security of the network, which is great,” he says. “But now we are looking at the medical devices as a vector. A lot of hospitals and health systems haven’t figured out how to do this.”
Large health systems have deployed the resources to tackle this, including network medical device engineers and chief information security officers. But community hospitals usually outsource their biomedical engineering department and have a 5- to 10-person IT staff. “They are trying to tackle it, but it’s one of the many hats that they have to wear and they are struggling,” says Maliff.
Back to HCB News
