The APSF Issues Preliminary Guidance on Cybersecurity Threats to U.S. Health Care Systems

November 2, 2020

Healthcare Cybersecurity

▶ MedWatch Voluntary Reporting Form

On October 28th the US department of Health and Human Services (HHS), the FBI, and CISA (DHS Cybersecurity & Infrastructure Security Agency) jointly announced that they had credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. {Link: https://us-cert.cisa.gov/ncas/alerts/aa20-302a}

To date, at least 3 US hospitals have been targeted and driven to use EHR “downtime procedures.” Although for most healthcare systems the primary response is in the hands of information services leadership, the APSF Committee on Technology recommends that all anesthesia professionals take the following actions.

STRENGTHEN DOWN-TIME PROCEDURES

  • Review existing down-time procedures, insure they are current and that processes are in place to implement them quickly
  • Engage other perioperative leaders from nursing, surgery, intensive care, clinical engineering, and emergency departments in planning
  • Inform all providers about how to continue patient care using down-time procedures
  • If possible, simulate a down-time event. Even a limited simulation with a small group of individuals can be informative.

INCREASE VIGILANCE

  • Manage your email carefully and DO NOT ENTER YOUR SYSTEM PASSWORD OR ID in response to any request by email. All suspicious emails should be reported to IS services through phishing reports, SPAM folders or similar established reporting process.
  • While recent attacks have involved ransomware which paralyzes information systems until a ransom is paid, cybersecurity attacks can also affect any network-dependent medical devices. These systems can include:
    • IV pump server connections
    • Remote data and alarm systems
    • Clinical communication platforms

REVIEW REPORTING

  • Report medical device and system performance issues ASAP to appropriate hospital personnel (e.g. biomedical engineering or perioperative IT depts.)
  • Medical device performance issues, including anomalous behavior, should be reported the device manufacturer without delay, as well as notifying FDA at [email protected] of a cyber-related urgent concern affecting device functionality and safety.
  • In general , if you think you had a problem with your device or a device your patient uses, the FDA encourages you to report the problem through the MedWatch Voluntary Reporting Form https://www.fda.gov/safety/medical-product-safety-information/medwatch-forms-fda-safety-reporting

ADDITIONAL RESOURCES