More than 150 million personal health records have been breached in health-care company hacks since 2009.
In stepping up their efforts, hospitals have gone beyond building firewalls and taking other actions to shield their own networks. They are now demanding information that manufacturers have long considered proprietary, such as the software running inside their devices. The requests have generated tensions between the sides.
Medical-device manufacturers including Royal Philips NV and Boston Scientific Corp. have begun adding new features and disclosing more about products—such as which third-party software they contain—to help hospitals protect devices against attacks, health-care and security experts said.
The interconnectivity has given rise to new headaches for hospital executives, worried about the consequences of a hack. Their fears were brought home two years ago, when the WannaCry and NotPetya cyberattacks disrupted operations at some hospitals, forcing the cancellation of some surgeries.
Hospital-technology officials say gaining access to the software running inside devices—and knowledge of its vulnerabilities—would help them build firewalls and other defenses against attacks. The Food and Drug Administration recommended in draft guidance issued last October that manufacturers give hospitals a list of the software components inside each device. Partners HealthCare, based in Boston, this year required for the first time that an unnamed device maker reveal its device software as part of their contract, said Julian Goldman, Partners’ medical director of biomedical engineering.
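What a hospital can actually do with such a software disclosure is the point of the paragraph above. The following is an added example, not code from the article, the FDA or any device maker: it takes a simplified, SBOM-like JSON list of the components inside each networked device, matches them against a list of component advisories, and derives per-device firewall deny rules to apply until the vendor's firmware update lands. Every device name, IP address, component, version, advisory identifier and port below is constructed for illustration; the JSON shape is a hypothetical simplification, not a real CycloneDX or SPDX document.

```python
"""Match a device maker's software disclosure against component advisories.

Added example (not from the article or any vendor). A biomedical-engineering
team receives a software bill of materials (SBOM) per networked device and
wants to know which devices carry an advisory-listed component, so it can
segment them until the vendor fix is applied. All data here is constructed.
"""
import json
import re

# Constructed SBOM for two hypothetical devices: a simplified name/version
# component list, NOT a real CycloneDX or SPDX document.
SBOM_JSON = """
[
  {"device": "infusion-pump-A", "ip": "10.20.1.15",
   "components": [
      {"name": "embedded-os", "version": "2.4.1"},
      {"name": "tls-lib",     "version": "1.0.2"},
      {"name": "web-ui",      "version": "3.1.0"}]},
  {"device": "imaging-table-B", "ip": "10.20.2.40",
   "components": [
      {"name": "embedded-os", "version": "3.0.0"},
      {"name": "tls-lib",     "version": "1.1.1"}]}
]
"""

# Constructed advisories (hypothetical identifiers): affected component,
# affected version range [introduced, fixed), and the network ports the
# vulnerable component listens on, to block until the device is patched.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "component": "tls-lib",
     "introduced": "1.0.0", "fixed": "1.1.0", "ports": [443]},
    {"id": "ADV-EXAMPLE-2", "component": "web-ui",
     "introduced": "3.0.0", "fixed": "3.2.0", "ports": [80, 8080]},
]


def parse_version(v):
    """Turn '1.0.2' into (1, 0, 2); non-numeric parts such as 'rc1' sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def is_affected(version, introduced, fixed):
    """Half-open range check: introduced <= version < fixed."""
    pv = parse_version(version)
    return parse_version(introduced) <= pv < parse_version(fixed)


def match_sbom(sbom_json, advisories):
    """Return [(device, ip, advisory_id, component, version)] for every hit."""
    hits = []
    for device in json.loads(sbom_json):
        for comp in device["components"]:
            for adv in advisories:
                if comp["name"] == adv["component"] and is_affected(
                        comp["version"], adv["introduced"], adv["fixed"]):
                    hits.append((device["device"], device["ip"], adv["id"],
                                 comp["name"], comp["version"]))
    return hits


def segmentation_rules(sbom_json, advisories):
    """Derive (ip, port) deny rules from the hits, deduplicated and sorted.

    The firewall team translates each pair into its own rule syntax; sorting
    keeps the output stable so rule changes show up cleanly in a diff.
    """
    adv_by_id = {a["id"]: a for a in advisories}
    rules = set()
    for _dev, ip, adv_id, _comp, _ver in match_sbom(sbom_json, advisories):
        for port in adv_by_id[adv_id]["ports"]:
            rules.add((ip, port))
    return sorted(rules)


if __name__ == "__main__":
    for hit in match_sbom(SBOM_JSON, ADVISORIES):
        print("affected:", hit)
    for ip, port in segmentation_rules(SBOM_JSON, ADVISORIES):
        print(f"deny inbound to {ip} port {port} until firmware is updated")
```

Run as-is, the infusion pump is flagged twice (its TLS library and web interface both fall inside an advisory range) and the imaging table is clean because its TLS library is already at the fixed version; only the pump's IP gets deny rules. The half-open range check matters: a device already running the "fixed" version must not be quarantined, which is why the comparison is `<` rather than `<=` against the fixed version.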
NewYork-Presbyterian, meanwhile, is seeking contracts with device makers that allow independent tests of device cybersecurity, called “penetration tests,” said Jennings Aske, the hospital network’s chief information security officer.
Last year, NewYork-Presbyterian began working with outside consultants to assess the cyberdefenses of the corporate networks of suppliers, including medical-device makers, Mr. Aske said. In 2017, the hospital dropped plans to buy infusion pumps manufactured by Smiths Group PLC after the Department of Homeland Security warned that hackers could take control of the pumps,
Smiths said it released a fix in 2017. “While we were disappointed with the NYP decision to purchase another system, we are confident in the firmware update and that the pump is safe for patients,” a company spokesman said.
Vizient Inc., which negotiates contracts for products and services on behalf of 3,100 health systems in the U.S., has for the first time added cybersecurity questions to requests for bids now under consideration across 10 medical-device categories, said Ross Carevic, Vizient’s director of technology sourcing. The questions include whether device data are encrypted and what password procedures are used. Vizient plans to factor the answers into contract-award decisions.
Philips, a major supplier of imaging, respiratory and other gear to hospitals, often receives such cybersecurity questionnaires, said Michael McNeil, the company’s global product security officer. He said it would be helpful if the requests were standardized in order to make answering them more routine.
Boston Scientific, which supplies products like lasers and catheters used by hospitals in surgeries and heart procedures, is facing requests for more stringent password features like automatic time-outs, said Ken Hoyme, director of product security. But password time-outs could interfere with time-sensitive surgical procedures, he said.
Health-care companies, including hospitals, reported 148 hacks exposing personal-health information last year, up from five hacks in 2009. The Department of Homeland Security last year issued 30 advisories about cybersecurity vulnerabilities in medical devices, up from 16 the year before, according to MedCrypt, which makes security software for medical devices.
Device makers say hospitals’ cybersecurity demands can be complicated and bog down sales negotiations. “These contracts are taking more time to negotiate,” said James Kinkela, corporate counsel at Boston Scientific. “The contracting has definitely gotten more complex.”
The attention to cybersecurity follows health-care’s embrace in recent years of digital technologies, from electronic medical records to mobile lab tests. For hospitals, internet-connected devices offer the potential to monitor patients more continuously and closely, and use the data to guide—and improve—care.
“There are struggles right now about who owns which piece of cybersecurity,” said Stephanie Domas, vice president of research and development at cybersecurity consultant MedSec. Hospitals don’t know enough about the security of devices on their networks, and manufacturers don’t always provide software updates to fix vulnerabilities quickly, she said.
Hospitals are pushing medical-device makers to improve cyber defenses of their internet-connected infusion pumps, biopsy imaging tables and other health-care products as reports of attacks rise.
Rattled by recent global cyberattacks, U.S. hospitals are conducting tests to detect weaknesses in specific devices, and asking manufacturers to disclose the proprietary software running the products in order to identify vulnerabilities. In some cases, hospitals have canceled orders and rejected bids for devices that lacked security features.
Hospitals, after a decade of racing to wire up their medical records and an explosion of internet-connected medical devices, are growing more aggressive with technology suppliers amid pressure to better defend against incursions that could threaten patients and cause costly disruptions. Credit-rating agency Moody’s Investors Service in February ranked hospitals as one of the sectors most vulnerable to cyberattacks.