How VA Keeps Medical Devices 'Clean'CIO Offers Best Practices for Securing Devices
The recent warnings from the U.S. government about security vulnerabilities in certain infusion pumps will likely be followed up by more alerts about products from other vendors. But in the meantime, now's a good time for all healthcare organizations to reassess their practices for keeping medical devices secure and safe.
Hospitals and clinics should consider borrowing some of the best practices used by the Department of Veterans Affairs, which, as the largest provider of healthcare in the U.S., likely has more medical devices running in its facilities than any other organization.
At last count in April, the VA had about 65,000 medical devices on its network, CIO Steph Warren told reporters during a May 26 media briefing. And how many of those devices are infected with malware and currently undergoing remediation? Only two, according to Warren. That's down from nine in March, and 13 in December and January. Those are small numbers, considering how many medical devices the VA has in place.
"It's important ... to make sure that people don't do silly things that end up causing significant damage to medical devices."
So, how does VA accomplish that feat? The VA has a "defense in depth" strategy to protect all its systems, including its networked medical devices that are used for patient diagnosis and treatment. The medical device security strategy, in particular, contains two key components, Warren explains.
The first component involves the VA making sure there are no gaps between the two groups responsible for medical devices - the biomedical staff and Warren's information systems team.
Warren's team is responsible for protecting medical devices "at the boundaries, making sure that data is flowing to the right places, in the right way," he says. The biomedical staff helps safeguard the devices in use at facilities. The duty to protect medical devices "is not something where we say, 'we thought you had that [responsibility]' ... 'no, we thought you were [responsible]," he says. "We've knitted that together pretty tightly, and it's something I talk about at every site visit with medical facility leadership - making sure they have a focus on that," he says.
But just as important as that top-level organizational focus on medical device security is the second key component VA's strategy for safeguarding medical devices: "Identifying the human factor, the pathways for infection [of the devices] and locking those suckers down by putting processes and controls in place," Warren says.
The "primary failure mode" for medical devices at the VA has involved the use of USB drives. In some cases, for example, technicians from device vendors have used USB drives to install updated software or to service a device, circumventing the laptops that the VA has set up to scan all USB drives for malware infections before they're put to use.
Also, the VA keeps an eye on those technicians to make sure they're "not surfing the Internet" through the medical devices' network connectivity, potentially exposing the devices to malware, he says. But just as important, VA staff also are not allowed to use medical devices to surf the Internet either, he says. "It's important to put the discipline and controls in place to make sure that people don't do silly things that end up causing significant damage to those medical devices."
Outdated Operating System
Like many other organizations, the VA also is dealing with the issue of so many devices still running on the no longer supported Microsoft Windows XP operating system, Warren says.
Microsoft last year stopped offering software updates for XP, including new features, patches and security updates (see Dealing With End To XP Support ).
"We have a lot of protections in place - the amount of scanning we do, that amount of controls we put in place - such that even if they are an XP device, we can still use them," Warren says. But the VA has set a goal of eventually phasing out devices that run XP. "The focus on that has helped - because the liability goes down - but it's something the whole industry is wrestling with," he says. "The majority of medical devices used in America today are XP-based."
So while some medical devices manufacturers struggle to make their products more secure, what is your organization doing to get a better handle on device security? Please share your ideas in the space below.