Understanding cybersecurity risks from medical devices

Most health systems and hospitals have older medical devices that they have used for years, and some of those devices can pose risks to their cybersecurity.

ECRI, a non-profit organization focused on patient safety, listed the risks of cyberattacks and breaches tied to medical devices as one of the 10 leading threats to patient safety. ECRI produces an annual list each year.

Dr. Marcus Schabacker, president and CEO of ECRI, talked with Chief Healthcare Executive® about this year’s list and the problems arising from legacy medical devices.

“It’s becoming a bigger problem,” Schabacker says.

“If you don't understand the risk appropriately, they become that chink in the armor you might not even think about,” he says. “And so that's where the entry into your system can happen, not necessarily that they impact that particular device, but that's where the malware can be introduced, and then lead to ransom attacks and all those things.”

ECRI defines legacy devices as “software-based devices and systems that are no longer being updated with sufficient cybersecurity protections, as well as those that are not practical to secure within the environment or with available controls.”

Some older devices were put together without cybersecurity protections. Other devices built within the last 10-15 years were designed with some protections, and Schabacker notes that manufacturers don’t necessarily want to update software for those tools and would rather see health systems buy newer devices.

Schabacker says that some health systems may not have the funds to necessarily replace older devices. Health systems can also think about different ways to bolster protection for those devices.

And he suggests that health systems can reach out to the manufacturers of devices to see if they can offer specific developments.

While some frontline staff may know there’s no updates available any longer on certain devices, Schabacker says that isn’t always known to those who have to think about the enterprise risk.

Hundreds of hospitals and health systems have been impacted by cyberattacks in recent years, and many breaches have come from the vendors hospitals rely on everyday. Attackers are also using AI to create more sophisticated attacks, as well as crafting more polished emails.

But Schabacker says other health systems need to be mindful of problems tied to older devices.

“We just think it's something which is easily overlooked, because it's not on somebody in the administration's mind all the time,” he says.

• Read more: Chatbots rank as most dangerous healthcare hazard