The Anesthesia Insider Blog


Securing Anesthesia Devices From Cybercrime: What Can Anesthesia Providers Do?

Summary

Cyberattacks against medical devices, including anesthesia machines and other devices used in anesthesia, are a rapidly growing threat that could compromise privacy, interfere with care and endanger lives. We encourage anesthesia providers to work with their chief information officers and health IT security teams to ensure the appropriate steps are taken to protect medical devices from criminal intrusion.

As clinicians who rely increasingly on network-connected and interoperable medical devices—an anesthesia machine in the OR that is connected to an anesthesia information management system (AIMS) running on a PC, for example—anesthesiologists and nurse anesthetists should know that, as technology opens doors for information sharing to improve anesthesia safety, quality and learning, the devices they're using, and by extension, their patients, are at risk.

"Medical devices are no longer a stand-alone component of the clinical care process, and therefore are not afforded the protection against cybersecurity attack that was once provided by stand-alone segregation," wrote Patricia A.H. Williams of Perth, Australia's Edith Cowan University in Medical Devices. Web interfaces to infusion pumps, devices running on outdated legacy systems, default hard-coded administration passwords and access to the internet through devices connected to internal networks are a few of the vulnerabilities.

Medical device cybersecurity risks have been number one on the ECRI Institute's Top 10 Health Technology Hazards list for the past two years. Consulting firm Gartner estimates that the number of medical devices requiring security hardening by a healthcare provider will increase by 45 percent by 2020.

And while many healthcare stakeholders applaud the proposed rule released in February by the Office of the National Coordinator for Health Information Technology (ONC) to clamp down on information blocking by healthcare providers and health IT developers and increase the exchange of electronic health information across the sector, greater data sharing also unleashes new security concerns.

"When it comes to interoperability, risks increase for hospitals without clear insight into which devices can and should be interacting with each other," said Medigate CEO Jonathan Langer in Health IT Security. Healthcare organizations often purchase smart devices without thought for the risks and without involving health IT security in the process. "Presently, there is a communication gap within the hospital between IT, security and biomed, and that gap widens at the manufacturer level," Mr. Langer said. "Each hospital differs; there is no clear industry role dedicated to medical device security."

We encourage anesthesia departments to take a leadership role in collaborating with their chief information officers or health IT directors to make sure the correct measures are being taken at their facilities to protect anesthesia machines and other medical devices from incidents that could threaten privacy, interfere with care and endanger lives.

That's not an easy task, but it's a necessary one. Cybersecurity experts urge a united effort among medical device manufacturers, health IT developers, regulators, healthcare organizations and clinicians to keep medical devices protected.

"Doctors have to learn to recognize that these devices can malfunction or be disrupted and to treat that possibility as a differential diagnosis," said medical informatics specialist and emergency room physician Christian Dameff, MD, of the University of California San Diego Medical Center, in AAMC News.

Dr. Dameff and his colleague, Jeffrey Tully, MD, an anesthesiologist and pediatrician at the University of California Davis, have led efforts to educate physicians about the risks inherent in network-connected medical devices. They helped develop the CyberMed Summit, an annual meeting held at the University of Arizona College of Medicine in Phoenix. The two have shown through simulated medical device hacks that physicians cannot tell when a device has been compromised, and that once cybercriminals enter a health system, they can intercept blood and urine test results, alter them and transmit the information via the EHR, possibly leading to incorrect or life-threatening treatments.

Though not anesthesia-related, a particularly chilling illustration of the vulnerability of medical devices to malicious interference comes from a team of cybersecurity researchers at Ben-Gurion University of the Negev who developed malware that could fake the presence of cancerous nodules on a CT scan as well as erase genuine malignancies on the images, the Washington Post reported earlier this month.

In a blind study of real CT lung scans, 70 percent of which were altered with the malware, radiologists diagnosed cancer 99 percent of the time from scans containing fabricated malignant lesions, and diagnosed healthy lungs in 94 percent of cases in which the malware was used to remove real cancerous nodules.

On its medical devices cybersecurity page, the Food and Drug Administration (FDA) states that both medical device manufacturers and healthcare organizations "are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance." The agency released a medical device safety action plan in 2018 that, among other things, outlines plans for the creation of a CyberMed Safety (Expert) Analysis Board of public and private stakeholders to serve as a resource for manufacturers and providers. The agency is also taking comments on draft guidance regarding premarket submissions for cybersecurity management in medical devices.

Late last year, the Department of Health and Human Services published an online manual, Health Industry Cybersecurity Best Practices: Managing Threats and Protecting Patients, and companion publications, offering actionable, practical advice for hospitals of all sizes on managing cyber threats. The publications zero in on the five top current cyber threats—attacks against connected medical devices among them—to help providers begin to move the needle on cybersecurity. The manuals outline suggested practices regarding medical devices, including, but not limited to:

  • Establishing and maintaining communication with medical device manufacturers' product security teams
  • Patching devices after patches have been validated, distributed by the manufacturer and tested
  • Assessing current security controls on networked medical devices
  • Implementing pre-procurement security requirements for vendors
  • Implementing access controls for clinical and vendor support staff, including remote access, monitoring of vendor access and minimum necessary or least privilege
  • Implementing security operations practices for devices, including hardening, patching, monitoring and threat detection capabilities

"It really comes down to patient safety," said Dr. Tully. "Addressing security risks is critical to the practice of medicine in the 21st Century."

The summer issue of ABC's newsletter, Communiqué, will feature an article on medical device security as it pertains to HIPAA by Kathryn Hickner, Esq., of Kohrman, Jackson & Krantz LLP.

We want to hear from you. Do you have a topic you would like to see covered in an ABC eAlert? Please send your suggestions to info@anesthesiallc.com.
