Medical Device Security: More Scrutiny
Watchdog Agency Outlines 2015 Audit Plans
A watchdog agency of the Department of Health and Human Services has a number of information security-related reviews planned for 2015. Those include examining whether federal oversight of hospitals' medical device cybersecurity steps is sufficient and sizing up whether hospitals are complying with HIPAA requirements for electronic health records contingency planning.
The newly released 2015 work plan of HHS' Office of Inspector General outlines new and ongoing reviews and activities for the current federal fiscal year, which kicked off Oct. 1, and beyond.
Of the many security-related audits and activities that are summarized in the 76-page plan is a review to determine if HHS' Centers for Medicare and Medicaid Services' oversight of hospitals' cybersecurity of networked medical devices is adequate.
"We will examine whether CMS oversight of hospitals' security controls over networked medical devices is sufficient to effectively protect associated electronic protected health information - ePHI - and ensure beneficiary safety," OIG writes. "Computerized medical devices, such as dialysis machines, radiology systems, and medication dispensing systems that are integrated with electronic medical records and the larger health network, pose a growing threat to the security and privacy of personal health information."
To participate in Medicare, hospitals and other provider organizations are required to secure medical records and patient information, including ePHI, OIG notes. Additionally, "medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security - or MDS2 forms - to assist healthcare providers in assessing the vulnerability and risks associated with ePHI that is transmitted or maintained by a medical device," OIG writes.
The OIG review of medical device cybersecurity comes as other federal agencies, including the Food and Drug Administration, are also intensifying their scrutiny in this arena. Just last month, FDA hosted a two-day workshop on ways to strengthen medical device cybersecurity (see Medical Device Security: A Higher Profile).
FDA also recently issued voluntary guidance calling for manufacturers to address cybersecurity risks in the design and development of their products.
"We're pleased to see that OIG is also looking at the security of medical devices," says Dan Berger, CEO of Redspin, a data security services firm. "They are of increasing concern to CIOs and CISOs. The public concern is that hacking of medical devices will result in adverse healthcare events. While this is a concern to all, the CISOs, like OIG, are worried that the vulnerabilities in these devices will provide an attack vector to compromise PHI on the EHR systems and networks."
Berger also notes that, complicating matters, "generally medical devices are in the domain of biomedical engineering over which the CISO has no organizational control."
Another review OIG plans in 2015 is a look at hospitals' EHR system contingency plans. "We will determine the extent to which hospitals comply with contingency planning requirements of HIPAA," OIG says. "We will also compare hospitals' contingency plans with government- and industry-recommended practices."
OIG notes that the HIPAA Security Rule requires covered entities to have a contingency plan that establishes policies and procedures for responding to an emergency or other occurrence that damages systems that contain PHI.
An intensified focus by OIG on EHR contingency planning is welcome, Berger says, because this is an area where many organizations often fall short.
"Other than lack of encryption, insufficient business continuity and disaster recovery plans have been Redspin's most critical finding in the vast majority of hospital security risk assessments that we've conducted," he says.
"Many [organizations] are so focused on the confidentiality of PHI that they neglect ... the integrity and availability of PHI," he says.
Reflecting growing hacker threats, OIG also plans to conduct penetration testing of HHS networks.
"We will conduct network and Web application penetration testing to determine HHS's and its operating divisions' network security posture and determine whether these networks and applications are susceptible to hackers," OIG writes. "There has been an increase in activity from computer hacker groups compromising government systems and releasing sensitive data to the public or using such data to commit fraud," the report notes.
Among other OIG activities are:
"We will determine whether information security controls for additional state-based marketplaces have been implemented in accordance with federal requirements and recognized industry best practices," OIG says. "We will conduct vulnerability scans of Web-based systems using automated tools that seek to identify known security vulnerabilities and discover possible methods of attack that can lead to unauthorized access or the exfiltration of data. We will also review any reports related to prior vulnerability assessments of state-based marketplace systems and determine whether the vulnerabilities identified were remediated in a timely manner."
Reviewing the security of Obamacare marketplaces is not new for OIG. In September, OIG released a report giving the security of the HealthCare.gov site and systems a mixed review. In that examination, which took place from February to June 2014, federal auditors found one "critical vulnerability" when they tested the security of the Obamacare website (see OIG Finds HealthCare.gov Vulnerability).
Also, CMS in September confirmed that on August 25, a HealthCare.gov test server was hacked, although data was not exfiltrated (see HealthCare.gov Server Hacked).
The second annual open enrollment season on the Obamacare health insurance marketplaces starts on Nov. 15.
"Audits can have a positive influence on the tone, priorities and culture of an organization," says Brian Evans, senior managing consultant at IBM Security Services. "If issues arise during an audit, then remediation plans are typically the result, which is what's needed to increase the level of security maturity in healthcare."