Medical Device Security: 2 Key Steps
Tips for Addressing the Risks
Biomedical devices are ubiquitous at contemporary hospitals and other care delivery environments. They are instrumental for delivering excellent healthcare.
While conducting a security risk assessment at a 400-bed hospital, we found more than 5,000 such medical devices, many of which required network connectivity to report results to a downstream piece of software, or for remote IT management.
We also found a staggering variety of device types, ranging from cytometers and infusion pumps to heart rate monitors and resuscitators.
For IT security practitioners, such devices are often a bane. For various reasons, including unclear regulatory direction, many biomedical devices use outdated operating systems that run applications built with inadequate software security. As a result, these devices are ripe for attacks by malware.
Perhaps most disturbingly, most of these connected devices in hospitals are linked to the core IT network. In most hospitals we assess, these devices are rarely segregated into "Virtual LANs" that provide an added measure of safety. Instead, in most hospitals, a virus infiltrating, say, an old infusion pump running an unpatched version of Windows 2000 can propagate like wildfire, bringing the main hospital network to a crawl or even fully disabling it.
Another example of a security hole is the use of an unsecured or poorly secured wireless connection that is easily exploitable by an attacker with rudimentary wireless hacking equipment.
Obviously, the ramifications for a hospital are significant. Information is the lifeblood of modern hospitals, which cannot function without reliable information technology.
So with such massive risks posed by medical devices, what should security practitioners do? We suggest two key steps:
First, create a cross-disciplinary team of biomedical engineers and IT experts to manage all devices.
Clinical engineering departments historically have been responsible for biomedical device management. Usually this function is kept quite separate from the IT experts responsible for overall hospital IT. As a result, very little knowledge is shared, and these two groups have built their own "islands of expertise." Coordination between these two typically disparate groups will allow proper design of IT networks, segregation requirements, wireless frequency management and the like.
It is much harder to fix a technology problem in the production phase than in the design phase, and these two groups should meet often to discuss how to resolve their problems. For example, IT experts might recommend that all biomedical devices have their own private Virtual LANs so that they do not share the core network with, say, the core revenue cycle application.
The second essential step is to conduct an extensive inventory of all biomedical devices. Understand which operating systems are in use, how wireless frequencies are used, and what applications run on top of any embedded OS, and then note any measures used to protect the device or other downstream devices.
These two steps are essential for improving the data hygiene problems posed by biomedical devices that need to be networked. Through these two formative tasks, any problem areas (i.e. opportunities for remediation) will surface and can be resolved by simple triage - reduce the riskiest, least costly to fix, and most dangerous problems first.
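As an added illustration (not part of the original article), the inventory and triage described above can be sketched in Python. The field names, the outdated-OS and weak-wireless lists, the scoring weights, the tie-break on fix cost and the sample devices are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Assumptions for illustration; maintain real lists from vendor notices and policy.
EOL_OS = {"windows 2000", "windows xp"}   # operating systems treated as outdated
WEAK_WIFI = {"open", "wep"}               # unsecured or poorly secured wireless
WEIGHTS = {"outdated OS": 3, "on core network": 3,
           "weak wireless": 2, "no protective measures": 1}

@dataclass
class Device:
    name: str
    os: str
    vlan: str          # "core" = shares the main hospital network
    wireless: str      # "none", "open", "wep", "wpa2", ...
    protections: list = field(default_factory=list)
    fix_cost: int = 1  # 1 (cheap) to 5 (expensive), estimated by the joint team

def findings(d):
    """Problem areas the inventory record reveals for one device."""
    checks = {"outdated OS": d.os.lower() in EOL_OS,
              "on core network": d.vlan == "core",
              "weak wireless": d.wireless.lower() in WEAK_WIFI,
              "no protective measures": not d.protections}
    return [name for name, hit in checks.items() if hit]

def risk(d):
    found = findings(d)
    score = sum(WEIGHTS[f] for f in found)
    # Outdated OS on the core network is the malware-propagation case: weight it extra.
    if "outdated OS" in found and "on core network" in found:
        score += 3
    return score

def triage(devices):
    """Flagged devices, riskiest first; equal risk is ordered by cheapest fix."""
    flagged = [d for d in devices if findings(d)]
    return sorted(flagged, key=lambda d: (-risk(d), d.fix_cost, d.name))

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("infusion-pump-07", "Windows 2000", "core", "none", [], 2),
    Device("heart-monitor-12", "Embedded Linux", "biomed-vlan", "wep", ["firewall"], 1),
    Device("cytometer-03", "Windows XP", "biomed-vlan", "none", ["firewall"], 4),
    Device("resuscitator-01", "Vendor RTOS", "biomed-vlan", "wpa2", ["firewall"], 1),
    Device("infusion-pump-09", "Windows 2000", "core", "none", [], 1),
]

if __name__ == "__main__":
    for d in triage(INVENTORY):
        print(f"{risk(d):>2}  cost={d.fix_cost}  {d.name}: {', '.join(findings(d))}")
```

Devices with no findings drop out of the list, so the output doubles as the remediation queue for the joint biomedical and IT team.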
Subsequently, the security officers of a hospital should supervise how biomedical devices are designed, managed, serviced and monitored to ensure the overall sanctity of the hospital's information infrastructure.
Risk Management Approach
We recommend that hospitals integrate the American National Standards Institute's approach described in: ANSI 80001: "Application of risk management for IT networks incorporating medical devices, Part 1: Roles, responsibilities and activities." This document provides a clear, concise and reasonable template that most hospitals can follow.
Biomedical devices, especially those connected to IT networks, are not going away. We live in a networked world, where one application or device needs to communicate with many upstream or downstream devices and applications to deliver safe care. We must consider biomedical devices to be an integral part of our information infrastructures and nurture their security. Doing this in a clear, uncluttered and stepwise fashion is the right start. We cannot ignore this threat to patient safety.
Feisal Nanji is executive director of Techumen, an information security firm focusing exclusively on securing healthcare information.