Survey Suggests Disconnect with Preparedness, Awareness (AAMI)

Wednesday, January 18, 2017

Source: The AAMI Pulse: Cybersecurity

Three-quarters of respondents to an AAMI survey on hospital cybersecurity said their healthcare delivery organization is prepared to handle a cyberattack. However, nearly half did not know if their organization’s information technology (IT) network had been compromised in 2016, and 60% were unsure if any attacks had been attempted during the last two years.

These results, which were based on responses from IT and healthcare technology management (HTM) professionals involved with cybersecurity from 118 healthcare delivery organizations and systems, suggest that for many, “preparedness” is based on relatively low levels of awareness about the frequency, nature, and consequences of cyberattacks.

In addition to preparedness, the AAMI Pulse survey—the first in what is planned to be an annual in-depth survey about a specific healthcare technology issue—also explored the prioritization of cybersecurity by upper management, the use of existing tools to protect against cyberattacks, and other areas of concern.

AAMI launched this major cybersecurity survey in an effort to obtain actionable data to help the healthcare technology field after a string of high-profile cyberattacks. For example, last year, a large mid-Atlantic healthcare system suffered a computer virus that paralyzed some of its operations, forcing the system to resort to using paper records and turning some patients away.

That event came on the heels of a Los Angeles hospital being forced to pay a ransom to a hacker who seized control of its computer systems. Other hospitals have been victimized as well, as the use of “ransomware”—a type of malicious software designed to block access to a computer system until a certain amount of money is paid—has become more common.

“Every year at the AAMI Annual Conference & Expo, there’s an issue or buzzword that keeps coming up among attendees,” said Patrick Bernat, AAMI’s director of healthcare technology management. “In 2016, the theme of cybersecurity came up over and over. The concern was palpable, and there’s no doubt that the troubling stories in the news played a part.”

Although the survey found cybersecurity to be a relatively high priority among the C-suite in healthcare delivery organizations, 9% of respondents indicated that their organization’s upper management placed “low” or “no” priority on cybersecurity.

Those results correspond with what various experts have been saying for a long time. In fact, Mike Ahmadi, global director of critical systems security for the Synopsys Software Integrity Group in Saratoga, CA, and a member of AAMI’s Wireless Strategy Task Force, told AAMI in an interview that “inaction” by hospitals was the single biggest cybersecurity threat.

“Despite the advice given to many organizations, their own internal processes are not geared toward addressing dynamic security issues,” he said. (See related story.)

Not surprisingly, respondents who said their upper level management placed a high priority on cybersecurity also showed the highest levels of perceived preparation.

The survey was completed by relatively similar numbers of urban, suburban, and rural hospitals. When comparing perceived preparedness across these regions, suburban hospital respondents felt the most prepared. Respondents in rural settings reported that their upper management prioritized cybersecurity at the lowest rate, potentially due to staffing and resource constraints.

The survey also asked respondents about their level of familiarity with the following resources for managing the security of medical devices:

  • Mobile device management (MDM) software
  • MDS2 (Manufacturers Disclosure Statement for Medical Device Security)
  • ANSI/AAMI/IEC 80001, Application of risk management for IT networks incorporating medical devices
  • Medical Device Risk Assessment Platform (MDRAP) Tool

Respondents’ familiarity with these resources was fairly low across the board, and it was lowest for the MDRAP tool: 28% were completely unfamiliar with it.

According to Stephen Grimes, managing partner and principal consultant with Strategic Healthcare Technology Associates, LLC, the MDRAP tool “provides a risk score by category and allows comparative studies across several different devices, is useful in pre-purchase assessment of security risks, and helps hospitals better understand the security profile of their devices.”

“Healthcare organizations should learn to use these tools, as they are designed to help identify and mitigate security risks,” Grimes added.

In terms of working with manufacturers on cybersecurity-related issues, only a slight majority (56%) reported collaborating with manufacturers “often” or “sometimes” to evaluate the security of installed systems, while 3 out of 10 did not know if their organization did this. The same percentage (56%) said that they asked vendors for security results at least “sometimes,” although 2 out of 10 did not know how often their organization reviewed vendor security testing.

“The FDA recommends that hospitals and healthcare providers work with manufacturers to evaluate their network security and protect their installed systems,” Grimes noted. He urged hospitals to close the gaps between IT and medical processes by “educating all stakeholders regarding risks, employing technology acquisition processes with security in mind, and engaging appropriate stakeholders to determine the criticality of a system and data and the probability of failure.”

“It’s also critical to establish and implement a mitigation plan to identify, prioritize, and address risks using administrative, technical, and physical safeguards, and to monitor effects,” he said.

Experts warned that these processes are not just “nice to haves” but absolute necessities in today’s interconnected world.

“The legal definition of negligence is failure to use reasonable care, resulting in damage or injury to another,” said Steve Baker, senior principal engineer at Welch Allyn and a member of AAMI’s Wireless Strategy Task Force. “If a healthcare delivery organization uses an easily-hacked or deprecated encryption solution and electronic patient health information is compromised as a result, the question ‘Was the healthcare delivery organization negligent?’ will likely be asked.”
