
Page 1: Your Medical Devices Under Attack by …...Cybersecurity threats topped the ECRI Institute’s 2019 Top 10 Health Technology Hazards, which emphasized the threat of hackers exploiting

Your Medical Devices Under Attack by Cybercriminals –

Can You Stop Them?

INTRODUCTION

In a recent survey, 67 percent of medical device manufacturers believe it’s likely a device they have built will be attacked within the next 12 months, while 56 percent of healthcare delivery organizations (HDO) believe such an attack is likely.1 How safe are the medical devices in your healthcare organization, and are your patients at risk?

We live in a highly connected world where individuals expect real-time access to data and information anywhere and everywhere, both in their personal and professional lives. Healthcare is no different. Clinicians want faster access to accurate data on which to make meaningful decisions about patient care. This includes not only access to electronic health records (EHR), but also access to dynamic data generated by diagnostic and therapeutic devices.

This demand for connectivity is increasing as the continuum of care expands beyond the four walls of a hospital. Today, 95 percent of patient visits take place in non-acute care facilities, from the physicians’ offices to patients’ homes.2 In order to take a holistic approach to patient care, clinicians need access to data generated throughout the patient experience. This has resulted in the development of remote patient monitoring devices that can transmit data to clinicians for chronic disease management (e.g. heart disease, diabetes), as well as implantable devices (e.g. pacemakers) equipped with wireless connectivity that enable clinicians to make adjustments to their functionality without touching the device or the patient.

“We should never forget there is a clinical side to this. Medical devices are some of the most intimate devices we have. There aren’t really many other devices that can touch a patient and then literally have the ability to hurt or kill them. Because of this responsibility we need to up the game from a cybersecurity standpoint. At the end of the day these devices interact with patients and patients are people.”

- Billy Rios, medical device cybersecurity expert and founder of Whitescope Security

What you need to know, what you need to do and why you need to act now to protect your patients

To enable this data-driven healthcare environment, healthcare information technology (HIT) professionals must connect the previously unconnected, working to overcome the interoperability challenges posed by legacy devices and systems. As connections are made through the so-called “Internet of Things (IoT)”, with multiple devices “talking to each other,” the attack surface grows, and with it the risk of healthcare cyberattacks. In a 2018 survey of healthcare IT executives, respondents reported having around 10,000 connected medical devices in their organizations, of which approximately one-third were unpatched.3

In this paper, we explore the current cybersecurity risks to hospitals through the medical devices they employ; the factors that increase a device’s vulnerability to a cyberattack; five questions that hospitals must ask their suppliers about device security in order to protect their patients; and five tips for making cybersecurity a priority in healthcare organizations.

It includes insights and commentary from leading medical device cybersecurity expert Billy Rios, Kaleida Health vice president/chief information officer (CIO) Cletis Earle, and Dräger senior staff network engineer George Cragg.

“There has been a misrepresented sense of security around medical devices so I would encourage healthcare IT executives to really push back on manufacturers and demand a high level of security attention to detail because there’s no question that there are significant holes.” - Cletis Earle, SVP/CIO, Kaleida Health

“Look for manufacturers who are open and honest about their device security, including both their cybersecurity features and potential vulnerabilities, because that will really help you in the long run.” - George Cragg, Dräger senior staff network engineer

THE PROBLEM: YOUR DEVICES ARE AT RISK

Cybersecurity threats topped the ECRI Institute’s 2019 Top 10 Health Technology Hazards, which emphasized the threat of hackers exploiting remote access to systems in order to disrupt healthcare operations.4 As HIT teams increasingly open up medical devices to the sharing of data within networks and with each other, they are also opening patients up to risk from cybercriminals.

DATA ACCESS AND THEFT

The most recognized cybercrime in healthcare is the theft of patient data: hackers get into healthcare IT systems, many of which are connected to medical devices, and take data out. Healthcare organizations experienced 2,149 data breaches from 2010 to 2017, according to an analysis published in the Journal of the American Medical Association (JAMA).5 Between January and July 2018 alone, there were more than 220 healthcare data breaches impacting 6.1 million patient records.6

These breaches cost the healthcare industry an estimated $5.6 billion each year.7

Healthcare organizations are responsible for protecting patients and their information. Regulations, including the Health Insurance Portability and Accountability Act (HIPAA), and widely publicized patient data breaches have prompted the majority of health systems and hospitals to put into place people, processes and technologies designed to safeguard electronic protected health information (e-PHI).8 HIPAA violations result in healthcare organizations paying significant fines to the U.S. Department of Health and Human Services (HHS), as evidenced by a recent $5.5 million settlement paid by a Florida health system.9

“When evaluating devices I have seen two extremes – those that either have or don’t have cybersecurity built into them.” - Billy Rios, medical device cybersecurity expert and founder of Whitescope Security

02 | YOUR MEDICAL DEVICES UNDER ATTACK BY CYBERCRIMINALS

RANSOMWARE

A growing threat has been the use of ransomware, where cybercriminals encrypt a healthcare organization’s systems and data so that the organization cannot use them until it pays the criminals the demanded ransom. The healthcare industry’s increased use of interconnected devices and remote access points has escalated the risk of hackers taking systems hostage in this way. The May 2017 WannaCry ransomware attack exposed healthcare’s vulnerability: spreading on its own through unpatched Windows systems, it took down systems across the National Health Service (NHS) in the U.K. and forced NHS facilities to cancel patient appointments and procedures while the affected systems were cleaned up and restored.

A GREATER DANGER: THE DEVICES THEMSELVES

What is less commonly known, but far more dangerous than IT system access, is the risk of hackers gaining access to and manipulating the functionality of medical devices in order to cause patient harm. While most healthcare organizations are focused on securing their networks and data, less attention has been paid to securing the medical devices themselves.

“Hospitals need to understand their device security features – including what they have, what they don’t have, and the cost to secure unsecure devices. All of this must be calculated into the device’s total cost of ownership.” - George Cragg, Dräger senior staff network engineer

In a 2018 survey of healthcare IT executives, more than 60 percent said they lack confidence that their current medical device security strategy protects patient safety and prevents disruptions in care. Furthermore, about 18 percent reported having medical devices infected by ransomware or other malware in the last 18 months.10

“As the healthcare industry turns to the Internet of Things, including wearable devices and other telehealth solutions, I don’t think many healthcare organizations are making an effort to bring all of those different technologies into the mix when considering cybersecurity. It is essential for organizations to take a more assertive approach to biomedical security and establishing it as its own vertical within overall healthcare security.” - Cletis Earle, SVP/CIO, Kaleida Health


“Cybercriminals today are focused on the IT component – using ransomware and other techniques to gain access to IT systems and data,” said Billy Rios, medical device cybersecurity expert and founder of Whitescope Security. “But a much more sinister element is growing where attackers are shifting their focus to controlling the functionality of therapeutic devices and manipulating data generated by diagnostic devices. When addressing cybersecurity we can’t forget the clinical aspect of these devices and must be prepared to deal with these types of scenarios.”

Rios is well known in the healthcare industry for demonstrating cyberattacks on medical devices. In 2017, Rios showed how cybercriminals could use a laptop to hack into an infusion pump via a “backdoor pass code” and administer a lethal dose of medicine to a patient.11 Rios and Jonathan Butts of QED Secure Solutions have also identified vulnerabilities in the software delivery networks that clinicians use to adjust the function of implanted pacemakers, which hackers could exploit to cause patient harm.12

“As the number of cyber attacks has increased, we’ve heard concerns about the potential for cyber criminals to attack patient medical devices,” said U.S. Food and Drug Administration (FDA) Commissioner Scott Gottlieb, M.D. in an October 2018 statement on the agency’s efforts to strengthen its medical device cybersecurity program.13 He added: “Cybersecurity researchers, often referred to as ‘white hat hackers’ have identified device vulnerabilities in non-clinical, research-based settings. They’ve shown how bad actors could gain the capability to exploit these same weaknesses, thereby acquiring access and control of medical devices.”

Cletis Earle, senior vice president and chief information officer (CIO) for Kaleida Health, the largest non-profit healthcare provider in Western New York, has been working to establish medical device cybersecurity as a priority among his health system’s leadership. He points to other risks facing clinicians and patients in today’s connected healthcare environment: the risk of cybercriminals hacking into medical devices and making them unusable to clinicians, or manipulating the data generated by diagnostic devices to interfere with patient diagnosis and treatment.

“Cybercriminals are typically not interested in hacking into a medical device to find out a patient’s blood pressure or heart rate. It’s far more dangerous than that,” said Earle. “The bigger concern is someone hacking into a device in order to change the values of the data generated by diagnostic devices, resulting in clinical decisions based on erroneous data. For the health and safety of patients, we need to put safeguards in place to ensure the data coming from these devices has not been modified.”

“When putting cybersecurity measures into place, we need to think about the clinical aspects of devices and ensure those functionalities are secure. For example if you have a device that can directly impact patient therapy you want to make that delivery as secure as possible. If your device primarily deals with patient data you want to make sure that data is stored and transmitted in a very secure way.” - Billy Rios, medical device cybersecurity expert and founder of Whitescope Security
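Earle’s point that the data coming from a device must be shown not to have been modified, and Rios’s point that patient data must be transmitted securely, both come down to message integrity. The following Go program is an added example, not code from Dräger, Kaleida Health or Whitescope: the device tags each reading with an HMAC under a per-device key, and the receiving system rejects any reading whose value was altered in transit and any frame that is replayed. The per-device key, the field layout and the device ID are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Added example, not vendor code. Key provisioning, field layout and
// device IDs are assumptions made for illustration.

// Reading is one diagnostic sample as the device emits it.
type Reading struct {
	DeviceID string
	Seq      uint64  // monotonic per device; lets the receiver spot replayed or stale frames
	Value    float64 // e.g. heart rate in beats per minute
	Tag      []byte  // HMAC-SHA256 over DeviceID, Seq and Value
}

// encode serialises the authenticated fields unambiguously: ID, NUL separator, seq, value.
func encode(id string, seq uint64, value float64) []byte {
	b := make([]byte, len(id)+1+8+8)
	copy(b, id) // the byte after the ID stays 0 and acts as the separator
	binary.BigEndian.PutUint64(b[len(id)+1:], seq)
	binary.BigEndian.PutUint64(b[len(id)+9:], math.Float64bits(value))
	return b
}

func tag(key []byte, id string, seq uint64, value float64) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(encode(id, seq, value))
	return mac.Sum(nil)
}

// Emit is the device side: produce a tagged reading.
func Emit(key []byte, id string, seq uint64, value float64) Reading {
	return Reading{DeviceID: id, Seq: seq, Value: value, Tag: tag(key, id, seq, value)}
}

// Receiver is the monitoring system or gateway that consumes readings.
type Receiver struct {
	keys    map[string][]byte // per-device key, provisioned at enrolment
	lastSeq map[string]uint64 // highest sequence number accepted per device
}

func NewReceiver() *Receiver {
	return &Receiver{keys: map[string][]byte{}, lastSeq: map[string]uint64{}}
}

func (r *Receiver) Provision(id string, key []byte) { r.keys[id] = key }

var (
	ErrUnknownDevice = errors.New("no key provisioned for device")
	ErrBadTag        = errors.New("integrity tag does not verify: reading modified or forged")
	ErrReplay        = errors.New("sequence number not newer than last accepted: replayed or stale reading")
)

// Accept verifies the tag first (so an attacker without the key cannot even
// advance the sequence counter), then enforces monotonic sequence numbers.
func (r *Receiver) Accept(rd Reading) error {
	key, ok := r.keys[rd.DeviceID]
	if !ok {
		return ErrUnknownDevice
	}
	if !hmac.Equal(tag(key, rd.DeviceID, rd.Seq, rd.Value), rd.Tag) {
		return ErrBadTag
	}
	if last, seen := r.lastSeq[rd.DeviceID]; seen && rd.Seq <= last {
		return ErrReplay
	}
	r.lastSeq[rd.DeviceID] = rd.Seq
	return nil
}

func main() {
	key := []byte("constructed 32-byte device key..") // constructed; real keys come from a CSPRNG at enrolment
	rx := NewReceiver()
	rx.Provision("monitor-07", key)

	good := Emit(key, "monitor-07", 1, 72)
	fmt.Println("genuine reading:", rx.Accept(good))

	altered := good
	altered.Value = 40 // value changed in transit, tag left as it was
	fmt.Println("altered value:  ", rx.Accept(altered))

	fmt.Println("replayed frame: ", rx.Accept(good))
}
```

Because the tag is symmetric, anyone holding the device key can forge readings, so the key must exist only on the device and the receiver; if readings must later be proven to a third party, a signature scheme is needed instead. Checking the tag before the sequence number means an attacker without the key cannot burn sequence numbers or desynchronise the receiver.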


“All medical devices that use software and are connected to hospital and health care organizations’ networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation.” - Suzanne Schwartz, M.D., M.B.A., FDA’s Center for Devices and Radiological Health**


The U.S. Food and Drug Administration (FDA) acknowledges the risks of connected devices in its 2018 Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health, outlining the agency’s “multi-stakeholder, multi-faceted approach of vigilance, responsiveness, recovery, and resilience that applies throughout the life cycle of relevant devices,” including:

— Premarket: Device manufacturers must include cybersecurity in product design and development, including timely device patching and updating capabilities. They must also conduct appropriate threat modeling and premarket testing to assess the adequacy of security for the device’s use environment.

— Post-market: After the device is on the market, the manufacturer should take a “proactive, risk-based approach to cybersecurity throughout a device’s life cycle, including a combination of monitoring, maintenance, identification of potential issues, and action to address cybersecurity vulnerabilities and exploits.”14

WHO IS RESPONSIBLE FOR MEDICAL DEVICE CYBERSECURITY?

While medical device manufacturers may be taking cybersecurity into account when designing new devices, there are countless legacy devices in healthcare facilities today that were developed prior to the advent of the Internet with no safeguards against hacking.

“The healthcare industry typically has aged and outdated legacy medical devices and securing that is a herculean effort,” said Earle. “It comes down to who is responsible to get it done – is it the device manufacturer or the healthcare organizations that purchase the devices? It’s a huge issue that needs to be remediated but it’s very elusive. In the end it is something that must be tackled as a collective industry.”

“Over the next few years, most machinery and technology involved in patient care will connect to the Internet; however, a majority of this equipment was not originally intended to be Internet accessible, nor designed to resist cyber attacks.” - June 2017 Health Care Industry Cybersecurity Task Force Report*


“I am very concerned about the depth of penetration these kinds of threats can have to our existing society. We must have discussions with medical device manufacturers and regulators in order to move the dial in the right direction.” - Cletis Earle, SVP/CIO, Kaleida Health


TOP 5 QUESTIONS TO ASK MEDICAL DEVICE MANUFACTURERS

In today’s connected world, healthcare organizations can’t take device security for granted. Whereas in the past a health system or hospital focused on the clinical functionalities of a device, today they must also take into consideration whether that device is vulnerable to attack. Below are five questions to ask medical device manufacturers when procuring a new device or evaluating the cybersecurity of existing technologies.

1. DO YOU HAVE A DEDICATED CYBERSECURITY TEAM? IF SO, HOW DO I CONTACT THEM?

Medical device manufacturers should publish a coordinated vulnerability disclosure policy that names a single point of contact for security issues. This lets the healthcare organization bypass other stakeholders (e.g. sales team, customer service) and reach the right people when it has a cybersecurity concern.

2. WILL YOU WORK WITH ME TO IDENTIFY AND ADDRESS SECURITY THREATS?

When asking a manufacturer if it will work to identify and address security threats related to its product, do not accept the answer “it doesn’t apply to our device.” Take the stance that all devices are at risk when developing a cybersecurity strategy.

Healthcare providers are already required, under the HIPAA Security Rule’s contingency-planning standard, to have in place a cybersecurity contingency plan based on risk analysis, just as they would plan to address a natural disaster. In order to do so, they must understand the security risks of the devices in their facilities.

3. HOW DO YOU RESPOND TO EMERGING THREATS?

As cybercriminals hone their skills and develop new ways to disrupt healthcare, cyberattacks will continue to grow in scope and intensity in the years ahead. Healthcare organizations must be proactive in identifying and addressing emerging threats, including device-related attacks, but they can only do so in partnership with the manufacturers of devices.

A manufacturer should have in place a rapid response plan to assess emerging threats and the potential impact on their devices so that they can collaborate with their customers – healthcare organizations – on security measures to protect patients.

4. DO YOU HAVE A SECURE DEVELOPMENT LIFECYCLE?

From research and development (R&D) through to manufacturing, the device manufacturer should provide security training to all levels of employees involved in the product development lifecycle. This helps the company identify vulnerabilities at each stage of development, and effectively address them long before the device reaches the patient’s bedside.

“Dräger understands the cybersecurity threats facing healthcare organizations and their patients and we are working to make things better. We are taking steps to secure our legacy devices, and at the same time, building cybersecurity into our new devices from the ground up – taking into account security capabilities from day one of their development.” - George Cragg, Dräger senior staff network engineer

The following are industry standards that healthcare organizations can use to evaluate a medical device manufacturer’s product lifecycle from a cybersecurity perspective. Manufacturers that have met these standards have demonstrated a meaningful commitment to the security of their devices:

— National Institute of Standards and Technology (NIST): The U.S. Department of Commerce’s NIST issued what is now widely known simply as the “NIST Cybersecurity Framework” in 2014 and released Version 1.1 on April 16, 2018.14 Many private sector healthcare organizations voluntarily use the NIST Cybersecurity Framework to help ensure the security of their networked systems; its use was mandated for all Federal agencies by Executive Order in 2017.15

— The Department of Defense (DoD) Risk Management Framework (RMF): A unified framework for assessing the risk that information technology (IT) systems pose to an organization and for selecting the security controls to manage that risk. RMF is built on the NIST Risk Management Framework (SP 800-37) and the NIST SP 800-53 control catalog rather than on the Cybersecurity Framework, which makes it far more prescriptive, and it has replaced the DoD’s Defense Information Assurance Certification and Accreditation Process (DIACAP). Where DIACAP encouraged a compliance-driven, checklist-based approach to cybersecurity, the RMF is broader in its focus on risk-based decision making. Its six-step process (categorize, select, implement, assess, authorize, monitor) is designed to help IT system owners, operators and defenders understand, assess and prioritize the specific risks to their systems, as opposed to checking a “one size fits all” compliance box.

— The Federal Information Processing Standard 140-2 (FIPS 140-2): This is a U.S. government security standard, developed by NIST, for testing and validating cryptographic modules. Validation is run jointly by NIST and Canada’s Communications Security Establishment under the Cryptographic Module Validation Program, and validated modules are required for protecting sensitive data on U.S. and Canadian government networks. FIPS validation demonstrates that the cryptographic module built into a system correctly implements approved algorithms and can help maintain the confidentiality and integrity of electronic data; note that it covers the module, not the device or application built around it.

“One of the more general security recommendations that we make for device vendors is digital code signing for devices,” said Rios. “Code signing certificates are a way for manufacturers to digitally sign their device’s software so that end-users can verify that it has not been altered or otherwise compromised by a third party. All manufacturers should be doing this.”

Rios also recommends that manufacturers have in place a robust update mechanism so that they can quickly and securely make updates to their devices to address emerging cybersecurity threats. Security of this update mechanism is paramount: unpatched software vulnerabilities are one way that hackers can assume control of devices, and an update path that does not verify what it installs is another.
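As an added example of the two recommendations above (signed software and a secure update path), not code from Dräger, Whitescope or any device vendor: the manufacturer signs a manifest that binds the firmware image digest to a version number, and the device verifies the signature, the digest and the version before it installs anything. The Ed25519 key pair, the manifest layout and the strict “newer version only” rule are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example, not vendor code. Manifest layout, key handling and the
// version rule are assumptions made for illustration.

// Manifest is what the manufacturer signs: the image digest and a version
// number, so the signature binds the bytes and also prevents a downgrade.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// bytes gives the canonical byte string that is signed and verified.
func (m Manifest) bytes() []byte {
	b := make([]byte, 4+32)
	binary.BigEndian.PutUint32(b[:4], m.Version)
	copy(b[4:], m.Digest[:])
	return b
}

// SignImage runs in the manufacturer's release pipeline: hash the image,
// build the manifest and sign it with the vendor's private key.
func SignImage(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.bytes())
}

// Device models the update path on the device: a pinned vendor public key
// and the version currently installed.
type Device struct {
	VendorKey ed25519.PublicKey
	Installed uint32
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrDigestMismatch = errors.New("image digest does not match the signed manifest")
	ErrRollback       = errors.New("update version is not newer than the installed version")
)

// ApplyUpdate trusts nothing until it has been checked: the signature over
// the manifest, the image against the signed digest, then the version rule.
func (d *Device) ApplyUpdate(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(d.VendorKey, m.bytes(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigestMismatch
	}
	if m.Version <= d.Installed {
		return ErrRollback
	}
	d.Installed = m.Version // a real device writes the image to its inactive slot and then commits
	return nil
}

func main() {
	// Constructed key pair and images; a real vendor signing key lives in an HSM.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorKey: pub, Installed: 3}

	image := []byte("constructed firmware image v4")
	m, sig := SignImage(priv, 4, image)
	fmt.Println("genuine update:  ", dev.ApplyUpdate(m, sig, image), "installed =", dev.Installed)

	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff // one byte flipped after signing
	fmt.Println("tampered image:  ", dev.ApplyUpdate(m, sig, tampered))

	old, oldSig := SignImage(priv, 2, []byte("constructed old image v2"))
	fmt.Println("rollback attempt:", dev.ApplyUpdate(old, oldSig, []byte("constructed old image v2")))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, forgedSig := SignImage(otherPriv, 5, image)
	fmt.Println("unknown signer:  ", dev.ApplyUpdate(forged, forgedSig, image))
}
```

The private key never leaves the manufacturer; the device carries only the public key, pinned at manufacture, which is what makes the check meaningful. Binding the version into the signed manifest is what stops an attacker from replaying an older, validly signed but vulnerable image, something a signature over the image bytes alone would not prevent.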

5. DO YOU PARTNER WITH INDUSTRY EXPERTS TO SECURE YOUR DEVICES?

While it is critical for medical device manufacturers to have their own in-house teams to evaluate the security of their devices, the rigorous, impartial evaluation of a third-party cybersecurity expert takes device security to an entirely different level.

These experts evaluate security not just from the standpoint of the manufacturer, but also from the perspective of the end user – the healthcare organization and its clinicians – assessing how the device stands up to threats under real-world conditions and use. This includes the potential ways the healthcare organization could interface the device with its IT systems in order to draw data out of it, or remotely control its functionality.

“In speaking with healthcare stakeholders about device cybersecurity we’ve learned that it is not a black and white measurement. Rather it touches many different roles. The manufacturer has a role in engineering of the device, the healthcare delivery organization (HDO) has a role in making sure the device is deployed in a secure environment, and the regulator is responsible for overall monitoring and establishing quality bars for the devices in the field,” says Rios.

According to Rios, the various stakeholders in medical device cybersecurity – manufacturers, healthcare organizations and regulators – have incentives to push responsibility onto the others. Therefore, a third party expert can bring an objective view to the situation and help determine where the responsibility lies.

“For example, it may be tempting for a manufacturer to say it has developed some security engineering into its devices to protect against specific scenarios; therefore, it is up to the healthcare delivery organization (HDO) to secure the devices against other threats,” said Rios. “On the flipside the HDO could say it doesn’t want to spend too much money on its network security operations so it will push responsibility for this onto the device manufacturers. A third party is not interested in transferring responsibility, rather they are interested in understanding risk from a technical perspective in order to help these different parties determine how and where to best address threats.”

Rios adds that third party researchers can also help identify cybersecurity trends, such as emerging threats impacting specific device verticals (e.g. implants, patient monitors), and bring these to the attention of regulators so that they can address them from an industry-wide perspective.



5 TIPS FOR MAKING CYBERSECURITY A PRIORITY IN HEALTHCARE ORGANIZATIONS

While media reports on healthcare data breaches and other attacks have raised awareness of the cybersecurity risks facing healthcare, many health systems and hospitals still have not prioritized medical device cybersecurity. In many cases it is simply a lack of awareness of the risks that unsecured devices pose to patient safety.

Earle and his team have made cybersecurity a priority at Kaleida Health. Kaleida Health and Great Lakes Health of Western New York has 11 hospitals, two long-term care facilities and over 80 outpatient clinics across the eight counties of Western New York. Earle shares these five tips for raising the bar on device cybersecurity within healthcare organizations.

1. ENGAGE AND EDUCATE ALL STAKEHOLDERS ON CYBERSECURITY:

Earle says healthcare IT executives must educate business and clinical stakeholders, including administrators, board members, physicians and nurses, on how the devices within their four walls – and beyond – put the organization and its patients at significant risk. In order to do so, Earle recommends leveraging high-profile cyberincidents in the news to demonstrate the dangers and explain how the same type of attacks could happen to them.

“Many people think cybersecurity events are just isolated scenarios that don’t impact care. We need them to know that this is truly a dangerous element that can hit us,” said Earle. “Every major cyberincident can be a learning experience. Incorporate events that are occurring into your communications efforts with stakeholders and show how they impact healthcare in order to bring the message home to them. We need healthcare leaders and clinical staff to see we are not just IT geeks speaking rhetoric, but rather educated experts presenting very real risks to the organization.”

2. TREAT MEDICAL DEVICES LIKE IT EQUIPMENT:

Earle points out how healthcare organizations have historically managed medical devices outside of IT software and equipment. But today, as medical devices become more connected to IT networks and other devices within the infrastructure, health systems and hospitals must integrate IT functions into those that procure, manage and maintain medical devices (e.g. supply chain, biomedical or clinical engineering).

“We need for cybersecurity not to be an IT thing.” - Cletis Earle, SVP/CIO, Kaleida Health

“There shouldn’t be a divide between medical devices and the rest of healthcare IT because of the risks that devices pose as potential entry points for cyberthreats to healthcare organizations, and more importantly, the patients they serve.” - Cletis Earle, SVP/CIO, Kaleida Health

“Whereas in the past there was a disconnect between these functions, there has been a huge wave and trend of biomedical equipment engineering falling under information technology,” said Earle. “Healthcare systems need to treat medical devices like any other computers since many of them use as their foundations operating systems that are very computer-like, such as Windows XP or Windows 10.”

3. PERFORM DUE DILIGENCE DURING THE PROCUREMENT PROCESS:

Health systems and hospitals can’t assume that all new devices coming through their doors have been designed to withstand attacks. Earle recommends treating medical device procurement no differently from any other technology purchase, which includes asking the right questions and getting the answers in writing within managed services agreements and statements of work (SOWs).

“It is imperative that you press manufacturers to answer your questions about the security of their devices,” said Earle. “It’s no different than when you are trying to purchase a network device or some type of server. It’s imperative that you get that information up front before making a decision.”

4. PRACTICE PHYSICIAN CHANGE MANAGEMENT:

Earle points out how many of the devices at greatest risk – the legacy devices – are ones that clinicians have been using for many years; therefore, clinicians may push back on proposed changes required to secure them if these changes could impact their methodology or the way they operate. He recommends healthcare IT executives practice change management with clinicians to overcome this issue. This includes explaining to clinicians why change is needed, preparing them for the change and then supporting them during the transition.

“We must communicate with our providers to let them know that we are mindful with device remediation and understand their concerns, but we also need them to understand that if we don’t intervene there will be unfortunate disaster down the road,” said Earle. “We don’t want that and they don’t want that either because at the end of the day we are all here for the care of our patients.”

With regard to legacy medical devices, Earle points out that most healthcare organizations don’t have the financial or labor capacity to replace them with newer, more secure devices, noting that an organization could have over 100,000 of these legacy products in its inventory. Additionally, many healthcare organizations don’t have the resources to individually secure each device that may present risks.

To overcome these challenges, Earle recommends segregating medical devices by potential risk and then finding security models that can wrap around each device grouping in order to protect it. For example, if a group of devices can be attacked over the network, secure the network segment those devices sit on rather than each device individually.

“I would suggest that you track devices from an asset management perspective to determine what risks can be remediated in the short-term. For those devices where you cannot address their vulnerabilities, work to alienate those as much as possible without impacting patient care so you can at least mitigate the risks.”
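Earle’s advice to track devices as assets, group them by risk and isolate what cannot be fixed can be run as a repeatable triage over the inventory. The following Go program is an added example, not Kaleida Health’s or Dräger’s tooling: it scores each inventory record on impact and exposure, assigns it a risk tier and a network segment, and separates devices that can be patched now from those that must be isolated and monitored. The inventory fields, the weights, the tier thresholds and the segment names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Added example, not Kaleida Health's or Dräger's tooling. Fields, weights,
// thresholds and segment names are assumptions made for illustration.

// Asset is one record from the medical device inventory.
type Asset struct {
	ID             string
	Model          string
	Therapy        bool // can act directly on the patient (infusion, ventilation, pacing)
	Networked      bool // has a wired or wireless network interface
	RemoteAccess   bool // vendor or clinician remote-access path is enabled
	OSUnsupported  bool // runs an operating system that no longer receives patches
	Patched        bool // current vendor patch level is applied
	PatchAvailable bool // a vendor fix exists for the known issues
}

// Plan is the triage decision for one asset.
type Plan struct {
	ID      string
	Score   int
	Tier    string
	Segment string
	Actions []string
}

// Score combines impact (what the device can do to a patient) with exposure
// (how reachable it is and whether it can still be maintained).
func Score(a Asset) int {
	s := 2 // baseline: every device holds or produces patient data
	if a.Therapy {
		s += 2
	}
	if a.Networked {
		s += 2
	}
	if a.RemoteAccess {
		s += 2
	}
	if a.OSUnsupported {
		s += 2
	}
	if !a.Patched {
		s++
	}
	return s
}

// Tier maps a score onto the four risk groupings the segments are built around.
func Tier(score int) string {
	switch {
	case score >= 9:
		return "critical"
	case score >= 6:
		return "high"
	case score >= 4:
		return "moderate"
	}
	return "low"
}

// Triage returns one plan per asset, highest risk first.
func Triage(inv []Asset) []Plan {
	plans := make([]Plan, 0, len(inv))
	for _, a := range inv {
		p := Plan{ID: a.ID, Score: Score(a)}
		p.Tier = Tier(p.Score)
		switch p.Tier {
		case "critical", "high":
			p.Segment = "isolated-clinical" // allow-list to the clinical gateway only
		case "moderate":
			p.Segment = "medical-device" // default-deny inbound from the user LAN
		default:
			p.Segment = "general-clinical"
		}
		if !a.Patched && a.PatchAvailable {
			p.Actions = append(p.Actions, "apply vendor patch (short-term remediable)")
		}
		if a.OSUnsupported && !a.PatchAvailable {
			p.Actions = append(p.Actions, "no vendor fix: isolate, block inbound, monitor traffic, plan replacement")
		}
		if a.RemoteAccess {
			p.Actions = append(p.Actions, "route remote access through a jump host with MFA and session logging")
		}
		if len(p.Actions) == 0 {
			p.Actions = append(p.Actions, "maintain patch level; monitor in assigned segment")
		}
		plans = append(plans, p)
	}
	sort.SliceStable(plans, func(i, j int) bool { return plans[i].Score > plans[j].Score })
	return plans
}

func main() {
	// Constructed inventory: IDs and models are placeholders, not real products.
	inventory := []Asset{
		{ID: "pump-112", Model: "infusion pump", Therapy: true, Networked: true, RemoteAccess: true, OSUnsupported: true},
		{ID: "vent-031", Model: "ventilator", Therapy: true, Networked: true, PatchAvailable: true},
		{ID: "mon-207", Model: "patient monitor", Networked: true, Patched: true},
		{ID: "us-004", Model: "portable ultrasound", Patched: true},
	}
	for _, p := range Triage(inventory) {
		fmt.Printf("%-8s score=%2d tier=%-8s segment=%-17s %v\n", p.ID, p.Score, p.Tier, p.Segment, p.Actions)
	}
}
```

The weights are deliberately simple; the point is that the decision is explicit, repeatable and reviewable by clinical engineering, and that a device with no vendor fix lands in an isolated segment rather than in a backlog. Run against the real inventory export, the output is the work list for the remediation and change-management steps above.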

5. ENLIST HELP FROM REGULATORS AND INDUSTRY ASSOCIATIONS

While the device manufacturer should be a healthcare organization’s partner and serve as a first line of defense against cyberattacks, Earle acknowledges that this is not always the case. He encourages healthcare IT executives and other stakeholders to engage with regulators, including the FDA, and groups aimed at promoting medical device security, such as the College of Healthcare Information Management Executives (CHIME), in order to drive medical device cybersecurity efforts industry-wide.

“Unfortunately we get a significant amount of push back from some manufacturers at times telling us that the FDA only requires them to secure new medical devices and it is our responsibility as healthcare provider organizations to address the security risks of legacy devices,” said Earle. “But in speaking with the FDA we’ve found the agency wants to hear from healthcare organizations on the challenges we face with devices already in our facilities so that they can take action on them with the manufacturers. I have heard the same thing from the Federal Bureau of Investigation (FBI) and the U.S. Secret Service that they are here to help when they can. So I encourage healthcare IT executives to gather that information and reach out to these agencies, or to associations like CHIME who serve as a voice for our industry.”

“During the procurement process a hospital needs to evaluate the manufacturer’s cybersecurity posture, its cybersecurity team’s structure and response time, and how well the manufacturer understands its devices so the hospital knows it has the necessary support after the medical device has been purchased and deployed.” - George Cragg, Dräger senior staff network engineer

CONCLUSION

Medical device connectivity offers significant benefits to clinicians and patients alike, enabling educated decision-making based on real-time information, monitoring and treatment of patients where they work and live, and the ability to electronically store and share data for use throughout the continuum of care for a more holistic, patient-centered approach to medicine. But unfortunately this connected care environment comes with significant risks, as cybercriminals use device vulnerability as an entry point to data access and manipulation, disruptions to patient care, and even as a way to inflict bodily harm.

In order to protect patients, hospitals and health systems must keep one step ahead of cybercriminals and work to secure the devices in their facilities. But they can’t do it alone. Healthcare organizations and device manufacturers must collaborate to continuously identify potential threats and secure the devices. In addition, regulators, industry associations and healthcare cybersecurity experts are key to enacting broader regulations and initiatives aimed at securing devices and protecting patients from harm.

While the problem of medical device cybersecurity can appear to be overwhelming, there are steps that a healthcare organization can take to address the issue, as outlined in this paper. This includes reaching out to the manufacturers of the devices in facilities today to understand the risks and what can be done to address them, and using this information to gain support internally for protocols, processes and technologies to both address current threats and avoid future vulnerabilities.


CANADA
Draeger Safety Canada, Ltd
2425 Skymark Ave, Unit 1
Mississauga, Ontario, L4W 4Y6
Canada
Tel +1 905-212-6600
Toll-free +1 877-372-4371
Fax +1 905-212-6602
Toll-free Fax +1 877-651-0902

91 06 172 | 19.01-1 | NW | LL | Subject to modifications | © 2019 Drägerwerk AG & Co. KGaA

CORPORATE HEADQUARTERS
Drägerwerk AG & Co. KGaA
Moislinger Allee 53–55
23558 Lübeck, Germany
www.draeger.com

USA
Draeger, Inc.
3135 Quarry Road
Telford, PA 18969-1042
Tel +1 800 4DRAGER (+1 800 437 2437)
Fax 1 215 723 [email protected]

Locate your Regional Sales Representative at: www.draeger.com/contact
