Topics
Reimbursement
Elevance, UnitedHealth among insurers accused of alleged price fixing
Elevance, UnitedHealth among insurers accused of alleged price fixing
Revenue Cycle Management
Mary Washington Healthcare latest to outsource revenue cycle 
Mary Washington Healthcare latest to outsource revenue cycle 
Strategic Planning
CommonSpirit, University of Utah Health team on access
CommonSpirit, University of Utah Health team on access
Capital Finance
Cigna nixes speculation of a Humana merger
Cigna nixes speculation of a Humana merger
Supply Chain
Feds shore up healthcare supply chain in wake of hurricanes Helene and Milton
Feds shore up supply chain in wake of hurricanes
Accounting & Financial Management
Labor expenses continue to challenge hospitals
Labor expenses continue to challenge hospitals
Budgeting
Health system operating margins declined in August
Health system operating margins declined in August
Quality and Safety
US healthcare system ranks last in equity, access
US healthcare system ranks last in equity, access
Billing and Collections
CFPB warns of illegal tactics by medical debt collectors
CFPB warns of illegal tactics by medical debt collectors
Claims Processing
Denials top reason for eroding provider-payer relationship
Denials top reason for eroding provider-payer relationship
Workforce
Elevance laying off 123 California employees
Elevance laying off 123 California employees
Operations
UAB, Press Ganey launch certificate program for healthcare leaders
UAB, Press Ganey launch certificate program for healthcare leaders
Medical Devices
Healthcare chatbots may promote racist misinformation
Healthcare chatbots may promote racist misinformation
Hospital/physician relations
Hospitals, physicians submit opposing views to FTC ruling on noncompetes
Hospitals, physicians submit opposing views to FTC ruling
Construction & Facilities Management
University Hospitals expanding with $3.2 million donation
University Hospitals expanding with $3.2M donation
Compliance & Legal
Johnson and Johnson sues HRSA for blocking 340B plan
J&J sues HRSA for blocking 340B plan
Policy and Legislation
Planned Parenthood, other groups decry executive power in House bill
Planned Parenthood, other groups decry House bill
Community Benefit
AMA pushes for stricter standards for hospital charity care policies
AMA pushes for stricter standards for hospital charity care policies
Accountable Care
NAACOS pushes ACO REACH extension after $1.54B in savings
NAACOS pushes ACO REACH extension
Acute Care
SDOH, tech key to advancing value-based care, says UHG
SDOH, tech key to advancing value-based care
Ambulatory Care
Cleveland Clinic and Amazon One Medical collaborate on primary care clinics
Cleveland Clinic and Amazon One Medical collaborate
Analytics
Interoperability in healthcare moving forward despite challenges
Interoperability in healthcare moving forward despite challenges
Business Intelligence
CVS announces Dr. Sreekanth Chaguturu as president, Health Care Delivery
CVS announces Dr. Sreekanth Chaguturu as president, Health Care Delivery
ICD-10 & Coding
Physician practices examine risk adjustment coding in wake of federal lawsuits
Practices keeping close watch on risk adjustment coding
Meaningful Use
Financial disincentives for providers who commit information blocking 
Financial disincentives for providers who commit information blocking 
Medicare & Medicaid
Almost a quarter of Americans underinsured, survey finds
Survey: Almost a quarter of Americans underinsured
Patient Engagement
HHS, Illinois reach agreement on disability rights laws
HHS, Illinois reach agreement on disability rights
Pharmacy
Express Scripts, Caremark, OptumRx fight back in lawsuit against FTC 
Express Scripts, Caremark, OptumRx sue FTC 
Population Health
Reproductive care, including abortion, facing challenges
Reproductive care, including abortion, facing challenges
Risk Management
UPMC for You partners to offer Medicaid redetermination coverage in laundromats
UPMC for You offers Medicaid redetermination coverage in laundromats
Telehealth
Telehealth prescribing of controlled drugs extended through 2025
Telehealth prescribing of controlled drugs extended
Mergers & Acquisitions
Cardinal Health set to acquire two companies for combined $3.9B
Cardinal Health set to acquire two companies for combined $3.9B
View more
Aug 22, 2019 More on Quality and Safety

Hospitals are demanding secure medical devices before they buy

The IoT: "Every something that comes on the market is in essence its own small computer with an ability to find its way into something."

Susan Morse, Executive Editor

Medical devices such as pacemakers and infusion pumps are increasingly coming under scrutiny for being susceptible to cybersecurity attacks.

But how does a hospital know if it is buying a device at risk of being hacked?

Even if the device is approved by the Food and Drug Administration, it's just about impossible for a hospital to be certain that it is secure, according to Mike Kijewski, CEO of MedCrypt, a company that builds security features into medical devices.

Because of this, more hospitals are demanding that devices include security requirements upfront, he said.

"We really see this becoming part of decision-making criteria," he said. "Sales are being made or lost based on security."

Case in point is a security researcher who in 2016 found vulnerabilities in St. Jude Medical pacemakers. A year later, the FDA and Homeland Security issued an alert for about 465,000 pacemakers from St. Jude, owned by Abbott, and a firmware update to close the security flaw of the radio frequency communication devices.

The company's stock value dropped.

"The most interesting thing, this was a great demonstration of how a company can suffer financially," Kijewski said.

Also in 2017, the FDA issued a recall of the St. Jude implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators due to premature battery depletion.

Lawsuits included one from Humana to recoup payments it made for the devices.

There have been a couple of cases of ransomware in which imaging equipment was the entry point, according to Kijewski. And then there the attack on a casino in which hackers got in by manipulating a fish tank thermometer.

"The biggest areas now of concern are medical devices," said Cheryl Martin, chief knowledge officer for the American Health Information Management Association. "The medical device industry is well aware, there is a good coordinated effort. Everything is just a small computer now."

The next target is just about anything that plugs in and is wireless, including smart fridges, printers, phones and, yes, Alexa, Siri and Google Assistant, all of the latter already under scrutiny for privacy concerns.

"With the IoT [internet of things], it's anybody's guess. Every something that comes on the market is in essence its own small computer with an ability to find its way into something," Martin said. "I guaranteed Alexa and Siri is on the horizon."

WHY THIS MATTERS

While there is no known case of a medical device being hacked to intentionally harm patients, HIPAA compliance mandates hospitals secure protected health information.

A hospital contains numerous connected devices, and interoperability demands the secure sharing of health information.

Breaches result in fines and other regulatory enforcement. This year has been a record breaker for the Office of Civil Rights of the Department of Health and Human Services HIPAA enforcement.

"Medical device security is a big, important problem," Kijewski said.

THE LARGER TREND

Medical device security became a much larger issue after October 2018 when the FDA issued guidelines on strengthening the agency's medical device program to protect patients, according to Kijewski.

Before then, MedCrypt did a lot of client education, Kijewski said. After that, sales climbed.

Even when medical devices are not being deliberately targeted, if these products are connected to a hospital network, such as radiologic imaging equipment, they may be impacted, former FDA Commissioner Scott Gottlieb said in the release.

In coordination with the MITRE Corporation, the FDA announced the launch of a cybersecurity "playbook" for healthcare delivery organizations promoting cybersecurity readiness. Gottlieb also announced two significant memoranda of understanding to bring together stakeholders to allow for increased information sharing and transparency around cybersecurity risks.

The agency issued premarket guidance that manufacturers should consider in the design and development of their medical device to ensure their product adequately addresses cybersecurity vulnerabilities. Its postmarket guidance outlined a risk-based framework for manufacturers to use to ensure they could quickly and adequately respond to new cybersecurity threats once a device is in use.

Twitter: @SusanJMorse
Email the writer: susan.morse@himssmedia.com

Focus on Securing Healthcare

In August, Healthcare IT News, along with our sister sites, MobiHealthNews and Healthcare Finance, will focus on the many ways the industry is succeeding – and the places it's falling short – when it comes to the all-important task of enterprise-wide security.

News
Healthcare organizations ask HHS to delay quality measure reporting for ACOs Healthcare organizations ask HHS to delay quality measure reporting for ACOs The American Hospital Association and American Medical Association are among the 11 organizations signing the letter.