Provincial Health Services Authority lacking cybersecurity controls for medical devices: Auditor General

THE Office of the Auditor General of British Columbia has released a new audit report, Management of Medical Device Cybersecurity at the Provincial Health Services Authority, and says that it concluded that the PHSA is not effectively managing cybersecurity risk around its medical devices.

The audit examined whether the Provincial Health Services Authority (PHSA) is effectively managing cybersecurity for medical devices by implementing basic controls. It covered the more than 18,000 medical devices located in the Lower Mainland, as well as the system infrastructure that supports their operation.

“We found that the PHSA has not evaluated cybersecurity threats and their potential harm to patients, and that it lacks many cybersecurity controls for its medical devices,” said Michael Pickup, Auditor General. “This is troubling as it could result in the PHSA’s inability to detect cyberattacks, possibly putting patients at risk.”

The report contains four recommendations focused on improving the PHSA’s management of cybersecurity risk around its medical devices. The recommendations include evaluating cybersecurity threats and their potential harm to patients, as well as monitoring all systems and devices on its medical device networks.

The PHSA has accepted the recommendations and is committed to improving its cybersecurity.

Medical devices are essential to health care. They range from infusion pumps to MRI systems, and they are vital to delivering health care and meeting patient needs. In British Columbia, medical devices in the Lower Mainland are managed by the PHSA in collaboration with other health organizations.

Networking medical devices can maximize patient benefit. But this also creates the potential for cyberattack, which could disrupt health-care delivery. Most cybersecurity risk can be reduced with an effective program that balances security with patient needs, according to the Auditor General.