Medical Device Security in Spotlight
Agencies Call Attention to Issue; Best Practices Are Available
It's great to see that the important issue of medical device security is getting a lot of fresh attention. It's been ignored by many for far too long.
Recent moves by government agencies help put the spotlight on the issue.
That includes a June 13 alert from the Department of Homeland Security. The notice reminds healthcare providers and medical device makers about the need to focus on cybersecurity after two researchers provided DHS with a list of 300 medical devices with hard-coded password vulnerabilities. Those vulnerabilities could potentially allow someone to tamper with the device and, for example, alter a drug dose.
On the same day that DHS issued its alert, the Food and Drug Administration released draft guidance for device manufacturers, urging them to keep a number of cybersecurity issues in mind during the design phase of their products.
In addition, the FDA issued a "safety communication" reminding healthcare providers and others of steps they can take to defend against cybersecurity threats to medical devices. Those steps include keeping up with operating system software patches.
The government agencies' actions should prompt manufacturers to begin addressing cybersecurity risks head-on, even before their products hit the market. And for healthcare providers, they're an important wake-up call to be on the lookout for security-related medical device dangers.
But where can providers go for insights on medical device security best practices right now? Well, the Department of Veterans Affairs has been a true leader in this arena.
With recent headlines about the VA's problems with nation-state-sponsored hackers accessing its systems, it's easy to forget that the VA has, for years, been at the forefront on medical device safety. In fact, it was co-founder of the non-profit Medical Device Innovation, Safety and Security Consortium, which collaborates on and shares best practices.
"The VA has been a national leader in helping to mobilize the healthcare system on medical device issues," says Dale Nordenberg, M.D., the consortium's executive director.
As the largest provider of healthcare in the U.S., the VA has instituted an array of best practices that other health organizations should consider borrowing. Here are a few top suggestions for keeping better tabs on medical devices that several VA security specialists shared with me:
- Whenever possible, run medical devices on isolated networks not connected to other systems or to the Internet.
- Restrict Internet access of devices unless there's a clinical need.
- Limit open ports on devices to only those needed to communicate. Work with manufacturers to enforce that policy.
- Scan all media, including CDs and USB thumb drives, for malware before the media is used by service technicians or others to update medical device software or perform other maintenance.
- Consult with manufacturers on how authentication can be implemented on devices so that users have to securely log in.
- Find out where device manufacturers keep their approved lists of software patches, and create a link for quick access to information about what devices can be patched.
- If a security issue, such as malware, is discovered on any device, immediately pull the equipment from the network. Coordinate efforts to track and mitigate the virus as soon as possible.
- Be sure that an infected device is re-imaged to its "original state" before being returned for patient care. "When a virus hits machines, anti-viral software can stop it from spreading, but it doesn't return the device to a safe state. That's why it needs to be re-imaged," explains Lynette Sherrill, deputy director of the health information security division of the VA's office of information and technology.
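The practices above can be turned into a routine inventory check. The following is an added example, not code from the article or from the VA: it runs the isolation, Internet-access, open-port, approved-patch and quarantine checks over a constructed device inventory, and the device records, segment names and port sets are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample record: how a biomed/security team might track one
# networked medical device. All field values below are hypothetical.
@dataclass
class Device:
    name: str
    segment: str                    # network segment the device sits on
    internet_access: bool
    clinical_need_for_internet: bool
    open_ports: set                 # ports observed open on the device
    vendor_ports: set               # ports the manufacturer says it needs
    firmware: str                   # currently installed version
    vendor_approved_firmware: set   # manufacturer's approved patch list
    malware_flagged: bool = False
    quarantined: bool = False       # pulled from the network after a finding

# Assumed name of the isolated medical-device segment (hypothetical).
ISOLATED_SEGMENTS = {"biomed-isolated"}

def audit(device):
    """Return the list of practice violations for one device (empty = clean)."""
    findings = []
    if device.segment not in ISOLATED_SEGMENTS:
        findings.append("not on an isolated medical-device network")
    if device.internet_access and not device.clinical_need_for_internet:
        findings.append("Internet access without documented clinical need")
    extra = device.open_ports - device.vendor_ports
    if extra:
        findings.append(f"open ports beyond manufacturer list: {sorted(extra)}")
    if device.firmware not in device.vendor_approved_firmware:
        findings.append(f"firmware {device.firmware} not on approved patch list")
    if device.malware_flagged and not device.quarantined:
        findings.append("malware flagged but device still on the network")
    return findings

def audit_inventory(devices):
    """Map each device name to its findings so the clean and flagged stand out."""
    return {d.name: audit(d) for d in devices}

# Constructed inventory: one device that follows the practices, one that does not.
SAMPLE_INVENTORY = [
    Device("infusion-pump-01", "biomed-isolated", False, False,
           {443}, {443}, "2.1.4", {"2.1.4", "2.1.5"}),
    Device("imaging-ws-07", "clinical-lan", True, False,
           {80, 443, 3389}, {443}, "5.0", {"5.2"}, malware_flagged=True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, "->", findings or "no findings")
```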
Since 2009, the VA has identified 327 device infections, Sherrill says. "As soon as we find a cybersecurity threat on a medical device, it's labeled critical," she explains. Then the VA responds with immediate attention.
While large organizations, such as the VA, can afford to dedicate resources to finding and addressing medical device security issues, that's tougher for many smaller hospitals and clinics.
That's why device manufacturers need to do a better job of identifying and mitigating security vulnerabilities with their products throughout the lifecycle. That includes rigorous scrutiny before these products are marketed. In addition, vendors should regularly communicate with their customers, large and small, about the steps they should take to ensure safety of all patients.