Background/Case Studies: Hospitals across the country, including their laboratories, have been compromised due to cyberattacks (CBA) in recent years. These attacks not only result in economic loss but also jeopardize patient care as well as the reputations of the affected facilities. Manufacturers of automated immunohematology instruments (AIHI) must comply with ever changing and more stringent IT requirements from blood establishments to help safeguard against CBA.
Study
Design/Methods: .A manufacturer of AIHI evaluated performance of their systems at sixteen facilities which suffered CBA that drastically affected laboratory and hospital operations. These were the only reported events to the manufacturer. A post-mortem analysis was conducted to assess instrument vulnerability and cybersecurity (CS) features of their instruments in these challenging situations.
Results/Findings: Across five separate CBA, a total of 24 blood bank instruments (including 2 models) were connected and operational with a direct LIS interface at the time of the attacks (Table 1). As required by the manufacturer, instrument security features for network connectivity include a firewall device between the instrument and the hospital network. Analysis revealed that due to the instrument security features in place at the time, zero AIHA were affected by the CBA. Patient data and results present on the instruments were not compromised or made accessible to unauthorized entities by the breach. In each case, the CBA did not infiltrate the facility through the instrument’s network connectivity. Conclusions: Instrument 510k submissions to the FDA now require a CS section. As part of the CS posture in these instances, the security device and security features in place on each of the instruments acted to control incoming and outgoing traffic based on an advanced, defined set of security rules which prevented unauthorized access to the instruments. In some cases, while other laboratory instruments were vulnerable to the attack and had to be taken offline, the immunohematology instruments studied were able to remain operational and continue to support patient care. No instrument will ever be 100% secure but adding security controls such as a firewall device and limiting network access to a defined set of locations helps to minimize the risk of CBA. In addition, performing CS and vulnerability assessments as part of product software releases, conducting privacy audits, and routine vulnerability assessments aid in maintaining security on instrumentation. Facilities who remained compliant with implementing required security features provided by the manufacturer further contributed to the positive outcomes regarding their blood bank instruments.
Importance of research: A growing number of facilities (both manufacturers and blood establishments) are working to address cybersecurity attacks. It is even now an FDA requirement during 510k submissions to address cybersecurity concerns for automated immunohematology instrumentation. This paper documents the impact of previous attacks and the outcome on the facilities. Emphasis is included on various ways that manufacturers try to decrease the risk.
