When it comes to medical device cybersecurity, healthcare technology management (HTM) departments are often a hospital’s first line of defense. That’s why the Association for the Advancement of Medical Instrumentation (AAMI) will be offering a new training course: “Medical Cybersecurity 101 for HTM Professionals.” The first of three 3-hour training sessions begins on September 21.
During three sessions spread out over three days, the course will provide healthcare technology management and clinical engineering professionals with the knowledge and skills to effectively plan for, implement, and manage a medical device security program for their organization's needs.
“We will consider this course a success when those who attend develop a heightened awareness of the cyber vulnerabilities that exist in the medical device environment,” said Stephen Grimes, AAMIF, the managing partner and principal consultant at Strategic Healthcare Technology Associates.
Grimes, who penned a first-of-its-kind guide for healthcare cybersecurity in 2019, unites with coauthor Axel Wirth once again to lead this “crucial course.”
HTM pros will learn what can happen “to operations, patient care, and safety if those vulnerabilities are exploited, and the basic steps they can take to help eliminate or reduce those vulnerabilities,” said Grimes.
Wirth, chief security strategist at MedCrypt, an AAMI Fellow, and CyberInsights columnist, notes that some HTM professionals might question whether cybersecurity is really their responsibility. After all, in this digital age, healthcare systems are also staffed by proficient information technology (IT) departments.
However, this mentality is exactly the kind of thinking that can put healthcare providers at risk. Wirth points to the 2017 WannaCry ransomware attacks, which affected computerized devices in more than 150 countries. One of the attack’s most notable victims was the National Health Service of England and Scotland. According to an audit of NHS England, the ransomware affected devices from at least 80 of the region's hospital trusts. An additional 603 primary care and other NHS organizations were infected, crippling the healthcare system’s ability to help patients.
Pictured: The message victims of the WannaCry ransomware attack received on May 12th, 2017.
“This wasn't a surprise attack for which we were not prepared,” Wirth explained. “The postmortem report revealed that the main cause for this was the general lack of preparedness as well as the lack of defined responsibility and security accountability.”
“Today, we’ve been forced to recognize that cybersecurity and the practice of effective cyber hygiene have become the business of anyone who operates or services computer-based equipment, including the operation or service of most of the medical equipment in current use,” said Grimes.
“Clinical Engineering, IT, and IT Security, as well as clinical and administrative stakeholders all need to understand cybersecurity and speak the same language so they can understand each other,” added Wirth. “Cyberrisks of medical devices are not just another cybersecurity problem; they are more complex.”
But they are also not like other medical device risks, he concluded. “Cybersecurity is a very different animal. We hope that this course helps to bridge the gap between stakeholders.”
AAMI (www.aami.org) is a nonprofit organization founded in 1967. It is a diverse community of more than 9,000 healthcare technology professionals united by one important mission—supporting the healthcare community in the development, management, and use of safe and effective health technology. AAMI is the primary source of consensus standards, both national and international, for the medical device industry, as well as practical information, support, and guidance for health technology and sterilization professionals.