Reflections: IFMBE webinar on cyber security

11 May, 2022

IFMBE Clinical Engineering Division Collaborators Axel Wirth and Priyanka Upendra provided two 1-hour webinars on cybersecurity fundamentals for Global Clinical Engineers, including Hospital-Based Professionals.

(The International Federation for Medical and Biological Engineering (IFMBE) is primarily a federation of national and transnational societies. These professional organizations represent interests in medical and biological engineering. The IFMBE is also a Non-Governmental Organization (NGO) for the United Nations and the World Health Organization (WHO), where we are uniquely positioned to influence the delivery of health care to the world through Biomedical and Clinical Engineering.)

I missed the first 10 minutes of this first and very, very good webinar given by Axel Wirth and I hope to obtain a link to Axel’s slides. The medical devices that clinical engineers design, service, implement and audit are increasingly data and internet dependent as more care takes place in the home and as more service providers and citizens and their devices are connected together.

Here are my notes:

Cybersecurity has been cited as the top risk to health service provision in some analyses – perhaps as telemedicine, remote non face to face medicine, digital health, e-health and m-health expand. Newly planned or commissioned systems of health care need to include cybersecurity in their portfolio in a world of increasing cyber risks where there is far more talk of attacking health systems on the dark web.

However, cybersecurity may interfere with care delivery, and the complexity of service provision (see below) may hamper the implementation of cybersecurity within a health system commission.

Complexity issues:

- Institutional decision making is slow, complex, conservative, erring on the side of safety, and political.

- Disparate platforms of system provision due to clinical preferences, vendor mandates and regulatory mandates, the latter of which can slow change.

- History and culture can prevent or reduce compliance, or compliance with old systems can trump cybersecurity.

Traditionally health services have underinvested in cybersecurity and there has been a lack of Board and Executive leadership around cybersecurity.

This has been changing recently in response to covid measures.

How cyber experts analyse security:

VULNERABILITY

ASSETS to be protected – tangible, computers etc, data, money, reputation, trust, safety, confidentiality

The THREATS

Using risk controls, the risks can be reduced to “residual risk” through mitigation, contingency, transfer of risk (through insurance) and acceptance (probability and severity low enough to accept and expense of doing more reduces value of assets).

The cyber professionals examine the system of healthcare, the devices and the networks and check them against the “attack vectors” and threats that are known in the “threat landscape”, creating an estimated risk – a product of probability and impact severity. (Axel prefers the word “exploitability” to “probability” as unknown threats cannot be measured to give a real probability.)

The risk estimate covers patient safety, care delivery, privacy, business and finance of the service provider, indirect risks and the “attack vectors”. A balance of the business critical, mission critical and life critical is aimed for, covering confidentiality, availability and integrity and staff and patient experience – the trust zone.

Many factors in today’s health systems drive cyber care: ageing population, patient preference, new digital patients, commercial consumerization of health technology, health delivery cost reduction, regulatory relaxation, reimbursement equivalence (staff being paid equal fees for face to face and non-face to face interventions) and covid19.

Axel referred to Securing Telehealth Remote Patient Monitoring Ecosystem (nist.gov)

<https://www.nccoe.nist.gov/sites/default/files/legacy-files/rpm-nist-sp1...

guidelines here. The key findings were that cybersecurity can enhance safety, telehealth clinical standards are the same as non-telehealth clinical standards, emerging AI is assisting cybersecurity checks, the implementation of telemedicine has not resulted in excess costs except in telehealth for “behavioural” health which has increased in response to increases in mental health problems during covid.

The report suggests removing geographical restrictions to allow telehealth.

Common security controls involve people, process and technology: protect the device, protect the ecosystem, manage devices and respond to incidents.

Finally! Responding to incidents:

- Prepare and train staff to be ready to manage incidents

- Have training and a system to detect incidents

- Have a plan of how to contain incidents

- Eradicate the “attack vector”

- Complete the recovery

- Follow up and learn

5G networks are facilitating health work in rural areas. Hackers can use 5G doorways to attack health data.

HIFA profile: Richard Fitton is a retired family doctor - GP. Professional interests: Health literacy, patient partnership of trust and implementation of healthcare with professionals, family and public involvement in the prevention of modern lifestyle diseases, patients using access to professional records to overcome confidentiality barriers to care, patients as part of the policing of the use of their patient data

Email address: richardpeterfitton7 AT gmail.com