Securing Our Medical Devices

Across Providence, thousands of medical devices connect to the internet. Each one is potentially a cybersecurity vulnerability. With the health industry increasingly a target for hackers, Providence is taking important steps to reduce the risks these devices can create if not managed correctly.

Medical Devices at Risk

The types of medical equipment and devices considered most at risk are those that are network-connected (both wired and wireless) or have old operating systems (like Windows XP or Windows 7), along with their associated workstations. This potentially impacts devices at the bedside (such as ultrasound and infusion pumps) and integrated devices such as servers located in a data center, as well as other devices in the clinical space such as medication dispensing systems.

One reason medical devices are often at higher risk than caregiver computers is their lifecycles: most are designed to be used for far longer than our workstations before they are replaced. This can lead to outdated or unpatched software and firmware.

Cybersecurity Steps  

Providence has implemented two new policies to improve the cybersecurity of internet-connected medical equipment. As part of this effort, we are establishing a formal Medical Device Security Program (MDSP) to detect, assess and mitigate security vulnerabilities associated with network-enabled medical devices. This includes developing an inventory of our medical devices across Providence and collaborating with system owners to establish and implement security risk remediation, mitigations, and segmentation strategies.

This follows recent efforts by the Cybersecurity team to improve our ability to respond when a medical device is compromised. Previously, it could take a day or more to track down the device and isolate or fix it. Now, we can track it to its last location within minutes and send someone to take care of the issue.

What You Can Do

  • Even if a medical device, or its workstation, can connect to the internet, do not use it to check email or surf the web.
  • Only connect medical devices to the network/internet if needed and always operate them within their scope and scale.  
  • If a networked medical device is not acting right, ask questions. And if you suspect something, contact your local clinical technical team, the IS Service Desk or the Cybersecurity team.  
  • If you are responsible for acquiring or managing medical devices, please ensure vendor contracts include proper requirements for cybersecurity maintenance levels.

Network-enabled medical devices provide us the ability to deliver higher-quality care, improve the patient experience, and offer caregivers greater capabilities than ever before. But with that promise comes the responsibility that we manage these devices correctly and ensure they do not become liabilities. Please help our Cybersecurity team keep these medical devices secure.
