Hospitals are pushing medical-device makers to improve cyber defenses of their internet-connected infusion pumps, biopsy imaging tables and other health-care products as reports of attacks rise.
Rattled by recent global cyberattacks, U.S. hospitals are conducting tests to detect weaknesses in specific devices, and asking manufacturers to reveal the proprietary software running the products in order to identify vulnerabilities. In some cases, hospitals have canceled orders and rejected bids for devices that lacked safety features.
Hospitals, after a decade of racing to wire up their medical records and an explosion of internet-connected medical devices, are growing more aggressive with technology suppliers amid pressure to better defend against incursions that could threaten patients and cause costly disruptions. Credit-rating agency Moody's Investors Service in February ranked hospitals as one of the sectors most vulnerable to cyberattacks.
In stepping up their efforts, hospitals have gone beyond building firewalls and taking other actions to shield their own networks: they are now demanding information, such as the software running on devices, that manufacturers have long considered proprietary. The requests have generated tensions between the sides.
“There are struggles right now about who owns which piece of cybersecurity,” said Stephanie Domas, vice president of research and development at cybersecurity consultant MedSec. Hospitals don't know enough about the security of devices on their networks, and manufacturers don't always provide software updates to fix vulnerabilities quickly, she said.
Medical-device manufacturers including Royal Philips NV and Boston Scientific Corp. have begun adding new features and disclosing more about products—such as which third-party software they contain—to help hospitals protect devices against attacks, health-care and security experts said.
Device makers say hospitals' cybersecurity demands can be complicated and bog down sales negotiations. “These contracts are taking more time to negotiate,” said James Kinkela, corporate counsel at Boston Scientific. “The contracting has definitely gotten more complex.”
The attention to cybersecurity follows health care's embrace in recent years of digital technologies, from electronic medical records to mobile lab tests. For hospitals, internet-connected devices offer the potential to monitor patients more continuously and closely, and to use the data to guide, and improve, care.
The interconnectivity has given rise to new headaches for hospital executives, worried about the consequences of a hack. Their fears were brought home two years ago, when the WannaCry and NotPetya cyberattacks disrupted operations at some hospitals, forcing the cancellation of some surgeries.
Health-care companies, including hospitals, reported 148 hacks exposing personal health information last year, up from five hacks in 2009. The Department of Homeland Security last year issued 30 advisories about cybersecurity vulnerabilities in medical devices, up from 16 the year before, according to MedCrypt, which makes security software for medical devices.
Hospital-technology officials say gaining access to the software running inside devices—and knowledge of its vulnerabilities—would help them build firewalls and other defenses against attacks. The Food and Drug Administration recommended in guidance proposed last October that manufacturers provide software disclosures to hospitals. Partners HealthCare this year required for the first time that an unnamed device maker reveal its device software as part of a contract, said Julian Goldman, Partners' medical director of biomedical engineering.
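As an illustration of what a hospital security team can do once a maker discloses the software inside a device, here is an added Python example (not code from the article, the FDA, or any device maker) that cross-references a device's component list against published advisories and separates findings that have a fix from those that can only be mitigated by isolating the device on the network. The pump model, component names, versions and advisory identifiers are all constructed for the example and correspond to no real product or advisory.

```python
"""Match a disclosed component list (a software bill of materials) against
vulnerability advisories. Illustrative code only; every device, component and
advisory identifier here is constructed and hypothetical."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Advisory:
    advisory_id: str              # hypothetical ID, not a real CVE or ICS advisory
    component: str                # component name as it appears in the disclosure
    affected_below: Optional[str] # versions older than this are affected;
                                  # None means every version is affected (no fix)


def parse_version(version: str) -> tuple:
    """Numeric dotted versions only (e.g. '2.3.7'); non-numeric parts are dropped.
    Assumption for the example; real disclosures need a fuller version scheme."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_affected(version: str, adv: Advisory) -> bool:
    """An advisory with no fixed version affects every version of the component."""
    if adv.affected_below is None:
        return True
    return parse_version(version) < parse_version(adv.affected_below)


def match_sbom(sbom: Dict, advisories: List[Advisory]) -> List[Dict]:
    """Return one finding per (component, advisory) pair that applies to the device."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv.component == comp["name"] and is_affected(comp["version"], adv):
                findings.append({
                    "device": sbom["device"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory_id": adv.advisory_id,
                    "fix_available": adv.affected_below is not None,
                    "fixed_in": adv.affected_below,
                    # No vendor fix: the only control left is network isolation.
                    "action": "update firmware" if adv.affected_below else "isolate on network",
                })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Counts a procurement team can put beside a bid: how much is fixable at all."""
    fixable = sum(1 for f in findings if f["fix_available"])
    return {"total": len(findings), "fix_available": fixable, "no_fix": len(findings) - fixable}


# Constructed sample disclosure for a fictional pump (not a real product).
SAMPLE_SBOM = {
    "device": "infusion-pump-model-X",
    "firmware": "3.2.0",
    "components": [
        {"name": "netstack-lib", "version": "2.3.7"},
        {"name": "legacy-telnetd", "version": "1.0.2"},
        {"name": "tls-lib", "version": "1.1.1"},
    ],
}

# Constructed sample advisories (hypothetical identifiers).
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "netstack-lib", affected_below="2.4.1"),
    Advisory("ADV-0002", "legacy-telnetd", affected_below=None),
    Advisory("ADV-0003", "tls-lib", affected_below="1.1.0"),
]

if __name__ == "__main__":
    results = match_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for f in results:
        print(f"{f['device']}: {f['component']} {f['version']} "
              f"-> {f['advisory_id']} ({f['action']})")
    print(summarize(results))
```

The split between "fix available" and "no fix" is the part worth keeping: a component with a vendor update is a patching task, while one with no update at all (the telnet daemon above) is an argument for segmenting the device or, as in the cases the article describes, for not buying it.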
Vizient Inc., which negotiates contracts for products and services on behalf of 3,100 health systems in the U.S., added cybersecurity questions to requests for bids now under consideration across 10 medical-device categories, said Ross Carevic, Vizient's director of technology sourcing. The questions included whether device data are encrypted and what password procedures are used. Vizient plans to factor the answers into contract-award decisions.
Philips, a supplier of imaging, respiratory and other gear to hospitals, often receives such cybersecurity questionnaires, said Michael McNeil, the company's global product security officer. He said it would be helpful if the requests were standardized.
[Chart: Medical Data at Risk. More than 150 million personal records have been breached in health-care company hacks since 2009.]
Health Network Sets Tight Standard
NewYork-Presbyterian is seeking contracts with device makers that allow independent tests of device cybersecurity, called “penetration tests,” said Jennings Aske, the hospital network's chief information security officer.
Last year, NewYork-Presbyterian began working with outside consultants to assess the cyber defenses of the corporate networks of suppliers, including medical-device makers, Mr. Aske said. In 2017, the hospital dropped plans to buy infusion pumps manufactured by Smiths Group PLC after the Department of Homeland Security warned that hackers could take control of the pumps.
Smiths said it released a fix in 2017. “While we were disappointed with the NYP decision to purchase another system, we are confident in the firmware update and that the pump is safe for patients,” a company spokesman said.
BY MELANIE EVANS AND PETER LOFTUS