Put down the disinfectant! The killer viruses in your hospital could be coming from within your hospital network or from the medical devices you're using to treat your patients. This week the FDA issued a Safety Communication to hospitals and health systems regarding the use of medical devices, identifying cybersecurity as a major issue for medical devices and hospital networks and recommending that certain steps be taken to ensure that appropriate safeguards are in place to reduce the risk of failure due to cyberattacks and computer viruses.
In response to this communication, the following is a Top 10 List of action items that organizational decision makers, law department leaders and risk management leaders should consider:
- Establish a formal governance structure to address and oversee issues related to information security and the use of medical devices and the security of hospital networking infrastructure.
- Engage qualified professionals to conduct a full risk assessment and provide specific recommendations in light of the risk present in the assessed environment.
- Engage qualified counsel to lead and manage any remediation efforts so that identified vulnerabilities are subject to attorney-client privilege and can be adequately protected from potential legal and regulatory risk.
- Conduct a complete review of existing information security policies and adopt new policies where gaps exist as identified by a risk assessment.
- Adopt a defensible and sustainable security controls framework that is scaled to the size and risk profile of the organization.
- Determine if full-time employees should be engaged to manage information security risk in the organization. If these individuals already exist in the organization, increase their authority and visibility as necessary to accomplish security objectives.
- Partner with internal IT, Legal, Audit and Risk Management to establish an internal working group to assist the organization in adopting best practices in the areas of information security.
- Create a culture of vigilance in the area of cybersecurity, from top-tier management through to the rest of the workforce.
- Train all employees on the risks and vulnerabilities that exist in the environment.
- Establish a comprehensive vendor management program that identifies when third parties may be introducing risk into the environment.