Contributed by Eddie Myers, Crothall Healthcare Program Manager for Cybersecurity Solutions
Medical devices are becoming more interconnected. These technological advances benefit patients since these devices can be safer and more efficient. Though these medical devices are a positive advancement for healthcare, the U.S. Food and Drug Administration (FDA) warns that when medical devices are connected to computers, hospital networks, and mobile devices, they become more vulnerable to security breaches, which can threaten the safety of patients. Learn how your facility can avoid these security breaches by controlling medical device access among your staff.
The Importance of Limiting Access to Medical Devices
Limiting your staff's access to medical assets such as nuclear medicine cameras, MRI machines, computers, and other medical equipment is one way to lower your risk of cybersecurity threats. Staff members who are unfamiliar with the equipment could do something incorrectly, which could lead to security breaches.
For example, if someone from a different department wants to view a USB flash drive on a computer, they could unknowingly install malware onto a computer that is directly connected to a medical device. Because they are using a computer outside of their department, one that does not have typical IT security controls installed, this person has no accountability for the security issue. It could be days before someone even notices a security concern.
Eddie Myers, a Program Manager for Cybersecurity Solutions here at Crothall Healthcare, recommends that if a staff member doesn't need to use a piece of equipment, then they shouldn't have access to it. When fewer people are interacting with these devices, there is less of a chance for user error. He also says that when someone is using a piece of equipment, they should only be using the device for its intended purpose. Their supervisor should properly train them and be available to offer guidance as they are learning how to use the equipment.
Obstacles Facilities Face When Limiting Access to Medical Devices
Limiting access to medical assets and equipment may be a challenging task, but it is an integral part of patient safety. One obstacle you may experience is nonemployees accessing devices. For example, if a staff member is providing at-home care for a patient, they are likely to have medical equipment in that person's home.
Someone such as a family member or housekeeper could access the equipment. If they were to do something such as checking their email on a medical computer, they would increase the risk of a security breach. Staff in these situations need to monitor their devices at all times and inform the patient that no one else is to use the device.
Another obstacle you may experience is that staff are unaware of proper security measures when it comes to medical assets. In fact, Becker's Hospital Review says medical staff members are not always adequately trained in identifying phishing emails, which can put your devices at risk. Likewise, they may not know other security protocols, such as not using medical computers for personal reasons and not plugging USB devices into hospital computers.
What To Consider When Limiting Access to Medical Devices
If a piece of medical equipment has software and a wired or wireless connection, it's vulnerable to cyber attacks, according to the FDA.
Implementing the appropriate security measures can be expensive. Make sure your healthcare facility considers cybersecurity as part of its budget process. It may be more challenging for rural hospitals to handle these expenses and the planning that comes along with a comprehensive cybersecurity plan. However, these hospitals should still do everything possible to seek out resources for their security needs.
Another thing to consider is how your team will enforce these policies. It's essential that everyone follows the rules on limited access and understands the consequences of not following them. After an initial training session, send out regular reminders of your hospital's cybersecurity rules. Make sure every staff member understands their level of access to devices. Put these rules in your employee handbook so that staff can refer to them at any time.
Tips for Keeping Medical Devices Secure
Passwords and Tiered Access
One way to protect your devices is by creating passwords and access restrictions. Choose a password that is long and has a mix of numbers, letters, and symbols. Only give a select number of staff members access to the password, and change it periodically. Likewise, create different tiers of access to certain programs. For example, supervisors should be the only staff members who have administrative access. If an unauthorized user needs access in a one-time situation, consider having their supervisor log in for them rather than granting them access.
Make Your Patients Part of Your Cybersecurity Plan
Along with training your staff on how to use medical equipment properly, the FDA suggests that patients also become a part of keeping their devices safe. Caregivers and patients should be aware that they may need to update the software on their devices periodically. The FDA also recommends that patients register their devices with the manufacturers. This way, the manufacturer can keep them informed of important information such as recalls or software updates. Patients should also have an understanding of how their device works and contact their medical provider if something is wrong with it.
Stay Closely Connected to the FDA
Patients, providers, and manufacturers need to stay updated with the FDA's latest "safety communications." These are messages the FDA releases when it detects a weakness in the software protection on a device. In each message, the FDA identifies what the vulnerability is and what patients, providers, and manufacturers should do to address these concerns. Make sure to take the necessary steps immediately to ensure the device is working correctly.
Human error is one of the main causes of cybersecurity threats, which is why your staff needs to be aware of ways they can help keep your devices and network secure. When you train your staff about preventive cybersecurity measures and create protocols for access to medical equipment, you can lower your healthcare facility's risk of security breaches. These precautions can ensure your patients' equipment is working correctly and their personal information is safe and secure.