Yes, Cheney's pacemaker cyber attack fears were credible

by Carol Ko, Staff Writer | October 24, 2013

Some manufacturers even claim that the FDA itself is responsible for outdated security, since they say patch updates would require 510k re-certification of the device.

"We need to debunk the myth that FDA won't let us apply a patch. We're looking to hospitals to be proactive," said Schwartz, who said the device industry must do its part by building security into device design, while health care facilities need to perform impact analyses and risk assessments.

"I've spoken to the FDA about this issue and they have advised me that device manufacturers have a responsibility to secure their products and there is no 510k re-certification needed when security patches are added," John Halamka, CIO of Beth Israel Deaconess Medical Center, wrote in a blog post this February.

Regardless of who's at fault, one thing is clear: all parties in the health care chain need to be active participants in maintaining cybersecurity.

Silos

Even within hospitals, cybersecurity will require a greater degree of cross-departmental teamwork and cooperation than ever before.

Because responsibility for device cybersecurity straddles the line between biomedical engineers and health IT, both departments must work together to ensure that hospital devices are adequately protected against cyber threats.

But challenges abound when securing medical devices in hospitals. "Many legacy operating devices could be all over the board in terms of systems — some are still on Windows 95," said Anthony Coronado, biomedical engineering manager at Methodist Hospital of Southern California, which recently won an award from the ECRI Institute for its cybersecurity program.

The first step toward device cybersecurity is performing a comprehensive risk assessment to define security vulnerabilities, according to Coronado.

Coronado and his team then tried to assess whether these devices could be included in the hospital's IT domain to take advantage of its safeguards. Since certain IT domains require Windows 7 or higher, outdated devices may need to be upgraded to join the network.

Ultimately, implementing such a program requires the cooperation of more than just the hospital's biomed and IT team — hospital administrators and purchasers also need to buy in to the program and make room for operating system updates in their budgets, consult with the IT and biomed staff when purchasing devices, and craft IT system management policies for all departments.

New territory
