To paraphrase Johnny Cochran, “If it connects, you must protect.”
Medical devices are increasingly becoming connected to healthcare system networks, allowing for improved productivity and timeliness when alerting caregivers. While there are numerous benefits such as patient data and results flowing automatically between various biomedical devices without errors and delay caused by retyping information, this connectivity also creates the potential for the medical device to fall victim to malware or hackers. Hackers could steal Protected Health Information (PHI) from these devices or cause deadly malfunctions.
We are all familiar with how often Microsoft issues security updates to their operating systems, but device manufactures are impeded in providing a quick response to security vulnerabilities largely because of the long FDA certification process. This means your network has many devices running older, unpatched versions of Windows XP and Windows 7 and you can’t fix them.
To address this issue, the Center for Internet Security (CIS) and Medical Device Innovation, Safety and Security Consortium (MDISS) have issued configuration guides for network-connected medical devices. These guides are based on CIS best practices and the International Electrotechnical Commission (IEC) 80001-1, an international standard for performing risk management of IT networks that include medical devices.
Proper configuration is only the first step. The configuration changes will not stop all attacks and unfortunately, not all of your medical devices will allow you to change the configurations to better protect them. The next step of protection is using network controls to protect the device. Medical devices should be on their own network, separated from the normal business network by a firewall that limits what data can cross over. This separation also applies to wirelessly connected devices.
Your internet firewalls should also be configured to not allow traffic from or to medical devices. Medical devices should not be connecting to the internet. If you are using an internet based application, limit the device’s access to only allow access to the required server on the internet. Patches and software updates should be downloaded on a regular desktop computer and tested on a test device before it is installed on any medical devices.
Medical devices should also be part of your Information Security audits. Once protection is applied with configurations and firewalls, you must periodically verify the protections are still in place and have not been by-passed. It’s common for security features to become disabled in the field by staff looking for shortcuts and workarounds to make their jobs easier. The audit process will discover these issues and allow you to correct them.
Once the medical devices you have are protected, turn your attention to how you purchase devices. Add security features to your list of required features on your next request. Read the device’s Manufacturer Disclosure Statement for Medical Device Security (MDS2). Look for systems that use passwords and encrypt hard drives. Ask how patches and updates are handled. Plan for how you will mitigate any issues.
Medical devices are a major part of your health information system and must be protected with the same level of security minded rigor as any other system. Medical device security is important because these devices expose your organization to HIPAA security issues and health risks. Because these devices are not normal workstations, extra care must be taken to protect them. They must be configured securely, separated and isolated on the network, and then audited on a regular basis. When purchasing medical devices, security should be part of the selection process.
Have Information Security related questions? Contact Rob Faix at firstname.lastname@example.org.