These connected medical devices require a more comprehensive strategy if we are to protect patients.
In some cases, medical device security is far more complex than many healthcare providers understand.
Security certainly has more than its share of headlines today, particularly in healthcare. Unfortunately, this has shifted our concern and the risks we try to address from the core business of healthcare to security for the sake of security. The No. 1 focus we should have in healthcare technology is patient safety. Technical vulnerabilities and risk to the device are still important, as they are whenever you connect something to your production network. Our intense focus on security, though, seems to have diverted us from the real risk and the serious impacts to patient care and safety with devices that may be used to conduct diagnostic tests or procedures directly on a patient or deliver therapeutic treatment.
While the needs from a security management perspective are pretty similar to the needs around personal computers, servers and even printers, biomedical devices require a different approach. Biomedical devices are rarely handled in the provider space like those other devices. They differ in how they are deployed, and their purchasing, deployment, maintenance and security cross lines in terms of management and risk management. That requires a multidimensional approach.
Like any other technical security risk assessment, it all starts with inventory. You can’t protect what you don’t know is there — hardware or software — and if you don’t know where it is and how it is used, you may well under- or over-protect it. This is where the differences start in how medical device security risk is assessed. Few providers have a good idea of what devices they have or where they are on the network (let alone a physical location, which can be a risk mitigation component). They can’t tell which devices store electronic protected health information (ePHI), which other devices they are communicating with and whether that communication is necessary or appropriate.
The disconnect in assessing risk only grows and becomes more complicated from there.
Understanding the IT parameters is one thing, but many medical devices can’t be actively scanned the way a desktop or server can. The device can literally be knocked off the network. The medical device-specific parameters are as important as the IT and security parameters, but few organizations collect or maintain them over time as firmware is upgraded, patches are applied or even utilities (like the browser on your MRI) are changed or updated. Additionally, it is typical for medical devices to come on and off the network (for required preventive maintenance, for example) or be moved around the facility. Here’s an example: Patient A (200-pound man) has been discharged, but the bedside sonogram now needs to go to the pediatric floor.
Assuming you have all the necessary inventory information, you also need to understand device relationships. The desktop in the radiology department might be just a desktop until a radiologist uses it to connect to the MRI to view studies. Now it is a “medical device.” This interconnectedness makes understanding data flows both more critical and more difficult.
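As an added illustration (not part of the original article), the Python example below derives device relationships from passively collected flow records instead of active scans. It pulls any inventoried host that talks to a medical device into medical-device scope, as with the radiology desktop above, and flags flows that are not on an approved list. All asset names, ports and flow records are constructed sample data, and the approved-flow list is an assumed input that clinical engineering and IT would maintain.

```python
# Constructed inventory: asset name -> attributes (sample data only).
INVENTORY = {
    "mri-01":      {"kind": "medical", "stores_ephi": True},
    "sono-03":     {"kind": "medical", "stores_ephi": True},
    "pacs-01":     {"kind": "server",  "stores_ephi": True},
    "rad-desk-07": {"kind": "desktop", "stores_ephi": False},
    "hr-desk-02":  {"kind": "desktop", "stores_ephi": False},
}

# Constructed approved data flows: (source, destination, destination port).
APPROVED = {
    ("mri-01", "pacs-01", 104),       # imaging studies sent to the archive
    ("rad-desk-07", "mri-01", 443),   # radiologist viewing studies
}

# Constructed flow records, as a passive collector on a mirror port might report them.
FLOWS = [
    ("mri-01", "pacs-01", 104),
    ("rad-desk-07", "mri-01", 443),
    ("sono-03", "hr-desk-02", 445),
    ("sono-03", "unknown-10.0.9.44", 80),
]

def analyze(inventory, approved, flows):
    """Return (in_scope, unapproved, unknown) derived from observed flows."""
    # Every inventoried medical device starts in scope.
    in_scope = {n for n, a in inventory.items() if a["kind"] == "medical"}
    unapproved, unknown = [], set()
    for src, dst, port in flows:
        ends = (src, dst)
        # Endpoints missing from the inventory are an inventory gap.
        unknown.update(h for h in ends if h not in inventory)
        # A host that exchanges traffic with a medical device inherits its scope.
        if any(inventory.get(h, {}).get("kind") == "medical" for h in ends):
            in_scope.update(h for h in ends if h in inventory)
        # Flows outside the approved list need review; note whether ePHI is involved.
        if (src, dst, port) not in approved:
            ephi = any(inventory.get(h, {}).get("stores_ephi", False) for h in ends)
            unapproved.append((src, dst, port, ephi))
    return in_scope, unapproved, unknown

if __name__ == "__main__":
    scope, review, gaps = analyze(INVENTORY, APPROVED, FLOWS)
    print("Medical-device scope:", sorted(scope))
    for src, dst, port, ephi in review:
        print(f"Review: {src} -> {dst}:{port} (ePHI endpoint: {ephi})")
    print("Not in inventory:", sorted(gaps))
```
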
In the case of a traditional endpoint such as a laptop or server, when you find an issue, you simply push a patch or upgrade the anti-virus on the device. That is not always a good idea with patient-touching devices. Several years ago, a fetal monitor received a Windows update push during a delivery, and the update window appeared on the monitor and requested input. Unfortunately, a fetal monitor in use has neither a mouse nor a keyboard, so input was not possible. While the input window obliterated most of the monitoring screen, the episode ended happily. It was an interesting complication for IT and, fortunately, not for the patient.
In some situations, patching is impossible. However, if you understand your device and device relationships, you may be able to mitigate the risk without patching the device itself through a patch mitigation strategy. This can be done by changing device relationships, changing its location on the network, updating computers it “talks” with or other alternatives. Again, more complicated for IT and clinical engineering but business as usual for the patient.
Even governance of medical devices is more complicated. Things like access management, encryption and change management are common issues but must cut across many more lines than traditional IT devices. Medical devices require participation not only from executive leadership, IT/security and procurement, but also clinicians/operators, healthcare technology management (who might include third parties), device manufacturers, risk management and business associates with access to the devices and ePHI. Then there is the U.S. Food and Drug Administration, as many of these devices are regulated.
When you start looking at medical device risk, you must understand that cybersecurity-related risks will vary from one device to another, even for the same type of device. While functions of different models may be similar, their design and particular deployment in the organization’s network/compute environment vary widely. Design and environmental issues can have significant impacts on the device’s security risk, which is a level of complexity that most IT or security groups are ill-equipped to deal with. A clinical engineering approach will not focus on cybersecurity at all. Their primary concern, as it should be, is on the device, clinical operations impacts and patient care.
So, what happens to medical devices if their security is not addressed? Just this past summer, a neurosurgery center in Russia was hacked and all the medical equipment related to surgery was disabled during a surgery. We have seen medication cabinets impacted and heart catheterization labs shut down due to malware or other attacks. It was only the flaws in the design of WannaCry that limited its effectiveness and kept it from having even more severe impacts on computer- and network-connected medical devices.
And that leads, really, to the more important question: What happens to patients? To clinical operations? To the ability to continue to see and care for patients?
David Finn is the executive vice president of strategic innovation at CynergisTek.