Difference between revisions of "Journal:Information technology and medical technology personnel’s perception regarding segmentation of medical devices: A focus group study"

(Created stub. Saving and adding more.)
 
(Saving and adding more.)
Line 38: Line 38:


==Introduction==
==Introduction==
Medical technology (MT) devices—as defined by the European Union's directive on medical devices<ref name="EUCouncil93">{{cite web |url=https://eur-lex.europa.eu/eli/dir/1993/42/2007-10-11 |title=Council Directive 93/42/EEC of 14 June 1993 concerning medical devices |work=EUR-Lex |author=European Commission |date=14 June 1993 |accessdate=20 January 2020}}</ref> and information technology (IT) and device developers—serve an increasingly central role in clinical practice, improving patient health, safety, and quality of life. And the number of such [[medical device]]s that are connected to a network continues to grow.<ref name="AbernathyDevelop11">{{cite journal |title=Development of a health information technology-based data system in community-based hospice and palliative care |journal=American Journal of Preventative Medicine |author=Abernethy, A.P.; Wheeler, J.L.; Bull, J. |volume=40 |issue=5 Suppl. 2 |pages=S217–24 |year=2011 |doi=10.1016/j.amepre.2011.01.012 |pmid=21521597}}</ref> [3–4]
Medical technology (MT) devices—as defined by the European Union's directive on medical devices<ref name="EUCouncil93">{{cite web |url=https://eur-lex.europa.eu/eli/dir/1993/42/2007-10-11 |title=Council Directive 93/42/EEC of 14 June 1993 concerning medical devices |work=EUR-Lex |author=European Commission |date=14 June 1993 |accessdate=20 January 2020}}</ref> and information technology (IT) and device developers—serve an increasingly central role in clinical practice, improving patient health, safety, and quality of life. And the number of such [[medical device]]s that are connected to a network continues to grow.<ref name="AbernathyDevelop11">{{cite journal |title=Development of a health information technology-based data system in community-based hospice and palliative care |journal=American Journal of Preventative Medicine |author=Abernethy, A.P.; Wheeler, J.L.; Bull, J. |volume=40 |issue=5 Suppl. 2 |pages=S217–24 |year=2011 |doi=10.1016/j.amepre.2011.01.012 |pmid=21521597}}</ref><ref name="McCafferyRisk10">{{cite journal |title=Risk management capability model for the development of medical device software |journal=Software Quality Journal |author=McCaffery, F.; Burton, J.; Richardson, I. |volume=18 |at=18 |year=2010 |doi=10.1007/s11219-009-9086-7}}</ref><ref name="TulasidasProcess13">{{cite journal |title=Process of Designing Robust, Dependable, Safe and Secure Software for Medical Devices: Point of Care Testing Device as a Case Study |journal=Journal of Software Engineering and Applications |author=Tulasidas, S.; Mackay, R.; Craw, P. et al. |volume=6 |issue=9A |pages=1–13 |year=2013 |doi=10.4236/jsea.2013.69A001}}</ref>
 
[[Medical device connectivity|Networked medical devices]] can also cause substantial harm since they have not historically been designed with a focus on [[cybersecurity]].<ref name="ArneyBiomedical11">{{cite journal |title=Biomedical devices and systems security |journal=Conference Proceedings of the IEEE Engineering in Medicine and Biology Society |author=Arney, D.; Venkatasubramanian, K.K.; Sokolsky, O.; Lee, I.|volume=2011 |pages=2376-9 |year=2011 |doi=10.1109/IEMBS.2011.6090663 |pmid=22254819}}</ref> Errors that underlie device-related injuries are often categorized into three types: manufacturer-related errors, use or design errors, and user errors.<ref name="JhaPatient10">{{cite journal |title=Patient safety research: an overview of the global evidence |journal=Quality and Safety in Health Care |author=Jha, A.K.; Prasopa-Plaizier, N.; Larizgoitia, I. et al. |volume=19 |issue=1 |pages=42–7 |year=2010 |doi=10.1136/qshc.2008.029165 |pmid=20172882}}</ref> It has been said that the weakest link in the process is the user, who must understand how to configure and use medical technology products correctly to achieve a high level of security in computing infrastructure.<ref name="IvarssonInfo16">{{cite journal |title=Information and/or medical technology staff experience with regulations for medical information systems and medical devices |journal=Health Policy and Technology |author=Ivarsson, B.; Wiinberg, S.; Svensson, M. et al. |volume=5 |issue=4 |pages=383–88 |year=2016 |doi=10.1016/j.hlpt.2016.07.008}}</ref><ref name="NurseUnder14">{{cite journal |title=Understanding Insider Threat: A Framework for Characterising Attacks |journal=2014 IEEE Security and Privacy Workshops |author=Nurse, J.R.C.; Buckley, O.; Legg, P.A. et al. |pages=214-228 |year=2014 |doi=10.1109/SPW.2014.38}}</ref>
 
Cybersecurity is today one of the most important security-related challenges for all countries, but its visibility and awareness are still limited to the public, although almost everyone has heard something about it.<ref name="deBrujinBuild17">{{cite journal |title=Building Cybersecurity Awareness: The need for evidence-based framing strategies |journal=Government Information Quarterly |author=de Brujin, H.; Janssen, M. |volume=34 |issue=1 |pages=1–7 |year=2017 |doi=10.1016/j.giq.2017.02.007}}</ref> There is a substantial security risk posed by outsiders identifying potential interactions between the interconnected elements in [[Hospital information system|hospital systems]] and computing infrastructures, and then taking advantage of poor cybersecurity to steal [[Electronic health record|medical health records]], deny access to health services, or cause intentional harm with these.<ref name="Fischbacher-SmithTheVuln13">{{cite journal |title=The Vulnerability of Public Spaces: Challenges for UK hospitals under the ‘new’ terrorist threat |journal=Public Management Review |author=Fischbacher-Smith, D.; Fischbacher-Smith, M. |volume=15 |issue=3 |pages=330–43 |year=2013 |doi=10.1080/14719037.2013.769851}}</ref><ref name="CoventryCyber18">{{cite journal |title=Cybersecurity in healthcare: A narrative review of trends, threats and ways forward |journal=Maturitas |author=Coventry, L.; Branley, D. et al. |volume=113 |pages=48–52 |year=2018 |doi=10.1016/j.maturitas.2018.04.008 |pmid=29903648}}</ref> For medical devices specifically, it may be possible for hackers to use them in order to gain access to confidential patient data and to reprogram them to send harmful commands.<ref name="LeavittResearch10">{{cite journal |title=Researchers Fight to Keep Implanted Medical Devices Safe from Hackers |journal=Computer |author=Leavitt, N. 
|volume=43 |issue=8 |pages=11–14 |year=2010 |doi=10.1109/MC.2010.237}}</ref> This could mean, for example, altering blood groups or test results, or taking control of pumps that regulate the administration of potent drugs.<ref name="MartinCyber17">{{cite journal |title=Cybersecurity and healthcare: How safe are we? |journal=BMJ |author=Martin, G.; Martin, P.; Hankin, C. et al. |volume=358 |at=j3179 |year=2017 |doi=10.1136/bmj.j3179}}</ref> Other harmful activities that could be enacted include disrupting the parameter values used in the scanning protocols, tampering with the radiation exposure levels, causing mechanical disruption, and creating denial-of-service attacks.<ref name="MahlerKnow18">{{cite journal |title=Know Your Enemy: Characteristics of Cyber-Attacks on Medical Imaging Devices |journal=arXiv |author=Mahler, T.; Nissim, N.; Shalom, E. et al. |url=https://arxiv.org/abs/1801.05583}}</ref>
 


==References==
==References==
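
Review bot: the McCaffery citation added to the first Introduction paragraph sets both |volume=18 and |at=18, so the rendered reference reads "18: 18"; confirm whether the locator is an article number or a copy of the volume, and supply the issue or page range if one exists. In the same hunk the Mahler arXiv citation has no |year= or |date=, which leaves the rendered entry undated and with a doubled period after "et al."; adding the year would fix both. The edit summary "Saving and adding more." also does not say that the "[3–4]" placeholder was replaced with full references, which would be worth stating for anyone reading the revision history.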

Revision as of 17:44, 24 February 2020

Full article title: Information technology and medical technology personnel’s perception regarding segmentation of medical devices: A focus group study
Journal: Healthcare
Author(s): Johansson, David; Jönsson, Patrik; Ivarsson, Bodil; Christiansson, Maria
Author affiliation(s): Edith Cowan University, Embry-Riddle Aeronautical University
Primary contact: Email: david dot a dot johansson at skane dot se
Year published: 2020
Volume and issue: 8(1)
Article #: 23
DOI: 10.3390/healthcare8010023
ISSN: 2227-9032
Distribution license: Creative Commons Attribution 4.0 International
Website: https://www.mdpi.com/2227-9032/8/1/23
Download: https://www.mdpi.com/2227-9032/8/1/23/pdf (PDF)

Abstract

Objective: Segmentation is one way of improving data protection. The aim of this study was to investigate information technology (IT) and medical technology (MT) personnel’s perception in relation to ongoing segmentation of medical devices and IT infrastructure in the healthcare sector.

Methods: Focus group interviews with nine IT and nine MT personnel in a county council in southern Sweden were conducted. The interviews focused on two areas: positive expectations and misgivings. Digital recordings were transcribed verbatim and analyzed using qualitative content analysis.

Results: Responses related to two main areas: information security and implementation of segmentation. Informants stated that network segmentation would increase the overall level of cybersecurity for medical devices, addressing both insider and outsider threats. However, it would also increase the need for administration and the need for knowledge of the communication patterns of medical devices from the manufacturer’s perspective.

Conclusion: IT and MT personnel in a county council in southern Sweden believed that segmentation would increase cybersecurity but also increase administration and resource needs, which are important opinions to take into consideration. The present study can be used as a model for others to increase awareness of opinions of healthcare organizations.

Keywords: cybersecurity, healthcare technology, patient safety, staff attitudes

Introduction

Medical technology (MT) devices—as defined by the European Union's directive on medical devices[1] and information technology (IT) and device developers—serve an increasingly central role in clinical practice, improving patient health, safety, and quality of life. And the number of such medical devices that are connected to a network continues to grow.[2][3][4]

Networked medical devices can also cause substantial harm since they have not historically been designed with a focus on cybersecurity.[5] Errors that underlie device-related injuries are often categorized into three types: manufacturer-related errors, use or design errors, and user errors.[6] It has been said that the weakest link in the process is the user, who must understand how to configure and use medical technology products correctly to achieve a high level of security in computing infrastructure.[7][8]

Cybersecurity is today one of the most important security-related challenges for all countries, but public visibility and awareness of it are still limited, although almost everyone has heard something about it.[9] There is a substantial security risk posed by outsiders identifying potential interactions between the interconnected elements in hospital systems and computing infrastructures, and then taking advantage of poor cybersecurity to steal medical health records, deny access to health services, or cause intentional harm with these.[10][11] For medical devices specifically, it may be possible for hackers to use them to gain access to confidential patient data and to reprogram them to send harmful commands.[12] This could mean, for example, altering blood groups or test results, or taking control of pumps that regulate the administration of potent drugs.[13] Other harmful activities that could be enacted include disrupting the parameter values used in the scanning protocols, tampering with the radiation exposure levels, causing mechanical disruption, and creating denial-of-service attacks.[14]


References

  1. European Commission (14 June 1993). "Council Directive 93/42/EEC of 14 June 1993 concerning medical devices". EUR-Lex. https://eur-lex.europa.eu/eli/dir/1993/42/2007-10-11. Retrieved 20 January 2020. 
  2. Abernethy, A.P.; Wheeler, J.L.; Bull, J. (2011). "Development of a health information technology-based data system in community-based hospice and palliative care". American Journal of Preventive Medicine 40 (5 Suppl. 2): S217–24. doi:10.1016/j.amepre.2011.01.012. PMID 21521597. 
  3. McCaffery, F.; Burton, J.; Richardson, I. (2010). "Risk management capability model for the development of medical device software". Software Quality Journal 18: 18. doi:10.1007/s11219-009-9086-7. 
  4. Tulasidas, S.; Mackay, R.; Craw, P. et al. (2013). "Process of Designing Robust, Dependable, Safe and Secure Software for Medical Devices: Point of Care Testing Device as a Case Study". Journal of Software Engineering and Applications 6 (9A): 1–13. doi:10.4236/jsea.2013.69A001. 
  5. Arney, D.; Venkatasubramanian, K.K.; Sokolsky, O.; Lee, I. (2011). "Biomedical devices and systems security". Conference Proceedings of the IEEE Engineering in Medicine and Biology Society 2011: 2376-9. doi:10.1109/IEMBS.2011.6090663. PMID 22254819. 
  6. Jha, A.K.; Prasopa-Plaizier, N.; Larizgoitia, I. et al. (2010). "Patient safety research: an overview of the global evidence". Quality and Safety in Health Care 19 (1): 42–7. doi:10.1136/qshc.2008.029165. PMID 20172882. 
  7. Ivarsson, B.; Wiinberg, S.; Svensson, M. et al. (2016). "Information and/or medical technology staff experience with regulations for medical information systems and medical devices". Health Policy and Technology 5 (4): 383–88. doi:10.1016/j.hlpt.2016.07.008. 
  8. Nurse, J.R.C.; Buckley, O.; Legg, P.A. et al. (2014). "Understanding Insider Threat: A Framework for Characterising Attacks". 2014 IEEE Security and Privacy Workshops: 214-228. doi:10.1109/SPW.2014.38. 
  9. de Bruijn, H.; Janssen, M. (2017). "Building Cybersecurity Awareness: The need for evidence-based framing strategies". Government Information Quarterly 34 (1): 1–7. doi:10.1016/j.giq.2017.02.007. 
  10. Fischbacher-Smith, D.; Fischbacher-Smith, M. (2013). "The Vulnerability of Public Spaces: Challenges for UK hospitals under the ‘new’ terrorist threat". Public Management Review 15 (3): 330–43. doi:10.1080/14719037.2013.769851. 
  11. Coventry, L.; Branley, D. et al. (2018). "Cybersecurity in healthcare: A narrative review of trends, threats and ways forward". Maturitas 113: 48–52. doi:10.1016/j.maturitas.2018.04.008. PMID 29903648. 
  12. Leavitt, N. (2010). "Researchers Fight to Keep Implanted Medical Devices Safe from Hackers". Computer 43 (8): 11–14. doi:10.1109/MC.2010.237. 
  13. Martin, G.; Martin, P.; Hankin, C. et al. (2017). "Cybersecurity and healthcare: How safe are we?". BMJ 358: j3179. doi:10.1136/bmj.j3179. 
  14. Mahler, T.; Nissim, N.; Shalom, E. et al. "Know Your Enemy: Characteristics of Cyber-Attacks on Medical Imaging Devices". arXiv. https://arxiv.org/abs/1801.05583. 

Notes

This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added.