Five Tips for Protecting Devices against Cyberattacks

Posted June 9, 2017

Benjamin G. Esslinger

Last month’s WannaCry ransomware attack, considered among the largest cyberattacks in history, shook many in the healthcare technology industry. While these cyberattacks are a cause for concern, they also are a call to action for increased education, preparation, and collaboration, according to Benjamin Esslinger, a clinical engineering manager at Eskenazi Health in Indianapolis, IN.

Esslinger presented during the 33rd Annual Conference on Clinical Engineering Productivity and Cost Effectiveness held on Friday. The conference, better known as the “Manny Meeting,” was held in conjunction with the AAMI 2017 Conference & Expo in Austin, TX.

“WannaCry has knocked out CTs, entire imaging departments, and put organizations on diversion. They’re quickly pushed into the cyber realm,” said Esslinger, a past president of the Indiana Biomedical Society. “It’s not the ‘if,’ it’s the ‘when.’”

Esslinger, who spent the past year educating staff and beginning to secure Eskenazi Health’s 4,000 network-connected devices, called on all healthcare delivery organizations (HDOs) to develop a medical device cybersecurity program.

“There are very easy ways to at least get in front of this so that when the tidal wave comes, we can be prepared to go make those approaches towards mitigation,” Esslinger told the group.

He provided five tips to help HDOs develop a cybersecurity program and secure their medical devices against future cyberattacks:

  1. Determine how many connected devices you have.
  2. Know which manufacturers and models are represented.
  3. Determine how many devices use legacy software.
  4. Leverage a system to assess risks, vulnerabilities, and threats, such as the Medical Device Risk Assessment Platform (MDRAP), a free assessment tool and online community developed by the Medical Device Innovation, Safety and Security Consortium (MDISS) that helps healthcare systems and device manufacturers better understand, analyze, and mitigate medical device security risks.
  5. Organize a committee that brings together departments such as healthcare technology management, information technology/security, supply chain, and the C-suite.

Esslinger also pleaded with HDOs to sign up for cybersecurity flash reports from the United States Computer Emergency Readiness Team (US-CERT) and InfraGard, a partnership between the FBI and members of the private sector. Those reports typically go to information technology (IT) professionals to help guide system mitigation efforts and may be missed by healthcare technology management (HTM) professionals.

Finally, he encouraged HDOs to collaborate by joining online communities where they can share information and work together. In Indiana, several organizations participate in a community of practice, the Indiana Cybersecurity Safety Network, using the MDRAP platform.

“When you start bringing up cybersecurity, you don’t just get HTM professionals,” Esslinger said. “We get public health, IT, information security—they’re all interested because they feel the same pain that we do. It’s all about leveraging that pain in the correct direction so we can all grow.”

Because of the growing importance of preventing cyberattacks and mitigating vulnerabilities in healthcare, a number of sessions at AAMI 2017 will focus on cybersecurity, including a keynote presentation by Kevin Fu, CEO and chief scientist of Virta Labs, Inc. and director of the Archimedes Center for Medical Device Security and the Security and Privacy Research Group at the University of Michigan. Fu will speak Sunday, June 11 at 10:45 a.m. in Ballroom A of the Austin Convention Center.