On Cyber Security & Medical Device Servicing

  • by: Peter Pitts |
  • 07/19/2021
The other week, the HHS Inspector General released a report about just how little oversight the Medicare program has over medical device cybersecurity (and what little discretion is does have, it rarely uses).

If you’ve been following the news lately, you’ll know that cybersecurity in the healthcare space is a big problem. Hospitals and health systems large and small have increasingly been on the receiving end of hacks, cyber-attacks and ransomware intrusions. Not to mention that an estimated 275 million medical images are currently vulnerable due to unsecured picture archiving communication systems.  HHS just released another alert about that just days after the Inspector General report came out.

The report focused on the role of Medicare accrediting organizations’ failure to keep proper tabs on whether hospitals were maintaining proper cybersecurity of their networked devices. According to the report: 

CMS’s survey protocol does not include requirements for networked device cybersecurity, and the AOs [accrediting organizations] do not use their discretion to require hospitals to have such cybersecurity plans. However, AOs sometimes review limited aspects of device cybersecurity.

For example, two AOs have equipment maintenance requirements that may yield limited insight into device cybersecurity.  If hospitals identify networked device cybersecurity as part of their emergency-preparedness risk assessments, AOs will review the mitigation plans. AOs told us that in practice, however, hospitals did not identify device cybersecurity in these risk assessments very often

But most importantly, the OIG’s report underscored the lopsided cybersecurity expectations in the healthcare industry. Cybersecurity is supposed to be a shared responsibility between device manufacturers and providers. For their part, the manufacturers are tightly regulated by the FDA and are required ensure their products are secure through a carefully designed protocols subject to frequent updates. Alas, the best-designed devices in the world can’t compensate for negligence or poor practices on the part of the end-user.

Which brings me to the point I raised in The Hill recently about how unregulated medical device servicing poses serious risks for cybersecurity. Original equipment manufacturers and their servicers are regulated by the FDA. Third party servicers – who could really be anyone since there are no universal training and licensing requirements to service these devices either – are not. Third-party servicers claim they’re held to the same standards as OEMs due to hospital accreditation. The OIG report flies in the face of that claim.

If the goal is to get rid of the “blind spots” that lead to cybersecurity incidents, ensuring that those who control repairs and maintenance of these highly sophisticated pieces of health care technology are FDA-regulated makes the most sense to me. Hiding behind accreditations that Medicare isn’t watching doesn’t. It’s clear no one is watching the proverbial coup on the hospitals’ end.

If hospitals and imaging providers can’t keep tabs on their own cyber security, how can we expect them to handle the servicing of highly sophisticated medical devices?

Center for Medicine in the Public Interest is a nonprofit, non-partisan organization promoting innovative solutions that advance medical progress, reduce health disparities, extend life and make health care more affordable, preventive and patient-centered. CMPI also provides the public, policymakers and the media a reliable source of independent scientific analysis on issues ranging from personalized medicine, food and drug safety, health care reform and comparative effectiveness.

Blog Roll

Alliance for Patient Access Alternative Health Practice
Better Health
Biotech Blog
CA Medicine man
Cafe Pharma
Campaign for Modern Medicines
Carlat Psychiatry Blog
Clinical Psychology and Psychiatry: A Closer Look
Conservative's Forum
Club For Growth
Diabetes Mine
Disruptive Women
Doctors For Patient Care
Dr. Gov
Drug Channels
DTC Perspectives
Envisioning 2.0
FDA Law Blog
Fierce Pharma
Fresh Air Fund
Furious Seasons
Gel Health News
Hands Off My Health
Health Business Blog
Health Care BS
Health Care for All
Healthy Skepticism
Hooked: Ethics, Medicine, and Pharma
Hugh Hewitt
In the Pipeline
In Vivo
Internet Drug News
Jaz'd Healthcare
Jaz'd Pharmaceutical Industry
Jim Edwards' NRx
Kaus Files
Laffer Health Care Report
Little Green Footballs
Med Buzz
Media Research Center
More than Medicine
National Review
Neuroethics & Law
Nurses For Reform
Nurses For Reform Blog
Opinion Journal
Orange Book
Peter Rost
Pharm Aid
Pharma Blog Review
Pharma Blogsphere
Pharma Marketing Blog
Pharmacology Corner
Pharmaceutical Business Review
Piper Report
Prescription for a Cure
Public Plan Facts
Real Clear Politics
Shark Report
Shearlings Got Plowed
Taking Back America
Terra Sigillata
The Cycle
The Catalyst
The Lonely Conservative
Town Hall
Washington Monthly
World of DTC Marketing
WSJ Health Blog