VA's Medical Device Defense StrategyIsolation Architecture Plays Key Risk Management Role
Looking to improve risk management, the architecture relies on virtual local area networks to help isolate the devices from the rest of the VA network. "Across a large enterprise like we have, it was a quick way to reduce threats to these devices," says Randy Ledsome, the VA's acting director of field security operations (see: Medical Device Security Raises Concerns).
The VLANs, paired with access control lists, help prevent, for example, linking a device to the Internet, where it could become infected with malware. "Removing access to the Internet was important because it was one of our biggest sources of infections," Ledsome says in an interview with HealthcareInfoSecurity.com's Howard Anderson (transcript below).
Setting up this architecture was a quick way to reduce threats to medical devices, Ledsome says. All VA devices are now protected by this architecture, which required the implementation of 3,270 ACLs.
In the interview, Ledsome also:
- Explains the creation of a centralized patch management system. The VA is in the early stages of building a central repository of virus patches that have been approved by various medical device manufacturers. Once the repository is complete, the VA will use it to securely deliver patches to appropriate devices, such as heart monitors and infusion pumps.
- Describes why the VA joined the new Medical Device Innovation, Safety and Security Consortium. "It's a great opportunity for providers and medical device vendors to work together to look at common solutions and best practices," he says.
- Advises other organizations to take a team approach to medical device safety.
At the VA, Ledsome oversees a team of more than 400 information security officers whose primary role is to ensure end-users at the VA are protecting sensitive data. His organization provides information security expertise at more than 300 VA facilities serving 300,000 employees and using 333,000 computers. He is a Certified Information System Security Professional (CISSP) and Information Systems Security Management Professional (ISSMP).
Securing Medical DevicesHOWARD ANDERSON: I understand that the VA is in the process of implementing a detailed strategy for ensuring the security of medical devices. What was the original catalyst for that effort?
RANDY LEDSOME: Let me tell you about the history, and then I'll talk about the catalyst. We initiated, in 2004, an isolation strategy and it worked well for us. But we found in 2008-2009, the various viruses ... really posed us a threat that was identified. And we initiated a program called the Medical Device Protection Program, which included the MDIA, Medical Device Isolation Architecture. The catalyst was that we saw medical devices getting infected at a high rate.
Malware InfectionsANDERSON: So how common are malware infections of medical devices at the VA, and have any of these infections or other security threats affected patients' treatment or resulted in any harm so far, that you know of?
LEDSOME: The VA NSOC, the Network and Security Operations Center, began tracking medical device infections in January of 2009. Since that date, the VA has identified about 181 medical device infections. These infections have not resulted in any major harm to our patient population to our knowledge. But they did result in a lot of rescheduling of patient appointments because the device was taken out of service because it wasn't available until we had it cleaned up.
Medical Device Isolation ArchitectureANDERSON: As you mentioned, the VA has created what it calls a Medical Device Isolation Architecture. Can you explain that architecture and why it relies on virtual local area networks and ACLs, or access control lists?
LEDSOME: The idea behind this was that the architecture relies on the access control list and an isolated virtual local area network. The idea with this is it was an easy and quick solution without having to buy a lot of hardware. Across a large enterprise like we have, it was a quick way to reduce threats to these devices. With the implementation of these isolated VLANs, with ACLs that are configured to only allow traffic that is required between the device and other devices ... we found that removing access to the Internet was important because it was one of our biggest sources of infections. Folks would go out on a medical device surfing the Internet, and it would allow them to then bring back into that protected boundary an infection. We worked hard to recognize this, and we've been working hard to also look at mobile media because we also saw that as a major threat - the human factor of trying to maintain these ACLs.
... The isolation of medical devices is one portion of the overall program. We have a medical device protection program ... with multiple pieces. This is one piece to make a program work. It requires a lot of collaboration and a lot of hard work with our other business partners, especially with the medical device industry, getting information from them on the proper protocols that are required for communication. We also have a pre-assessment we do to make sure that these VLANs and ACLs can be maintained.
ANDERSON: How many medical devices are protected using this new architecture that you described?
LEDSOME: Right now we believe that all medical devices in the department are protected by MDIA, and this includes around 3,270 ACLs. To have those implemented, it was an estimated 16,431 man hours to complete. ... When new products come in ... we put them behind a protected boundary also.
Patch Management SystemANDERSON: You mentioned at a recent conference that the VA is also working on a patch management system that will bring together all vendor-approved virus protection patches on one server, then schedule pushing patches out to appropriate devices at various facilities. Why are you taking that approach, and what's the status of that project?
LEDSOME: The biggest thing we've been working on is finding out the best solution. In the past, we've had to rely on each of our internal customers to go and look at websites and do lookups to see if patches and virus updates were available. This was one of our initiatives of the medical device protection program for patching. As we know, with medical devices, you just can't put in any patch. It has to be tested and approved by the vendor. We have to get the approved patches and put them out on a repository that can be pushed out to the device. Of course, the patch has already been tested.
All of these projects are currently in their infancy, but we're brainstorming new ideas. We've really seen some promising things with this and how it's being implemented right now with our biomedical community. There is a shared risk and responsibility between the providers and the vendors, so this is a process to help us secure the device. The patching systems we put in place right now [require that you] have to go in and select the various patches that you would want to push out. And of course, they would be the approved ones that would be put on the solution to begin with. We have assurance that they're approved, and we also then have a mechanism to deliver those securely.
Best PracticesANDERSON: Why did the VA get involved in the newly-formed Medical Device Innovation, Safety and Security Consortium? Will this offer you a way to share some best practices and lessons learned with others?
LEDSOME: You've got to look at the history, that the VA and Defense Department have collaborated for some time now. About a year and a half ago, the VA, DOD, FDA and many of the medical device vendors met to talk about medical device security and what we can do to best protect our systems. And at the time the VA and DOD didn't represent a significant portion of the market. The vendors, of course, were focused on the functionality. And security was something they worked on, but it was not in their primary focus.
So the consortium is really going to bring together many of the healthcare providers and vendors from around the nation to take a look at best practices. We also want to look at standardization and awareness. Our involvement was just a natural evolution because we already started this process working with DOD, and we also understood the vendors' frustrations about the various requirements from the various agencies and the various hospital systems. I think it's a great opportunity for the providers and the medical device vendors to work together and take a look at common solutions and best practices.
Team Approach RequiredANDERSON: Finally, what advice would you give to others about medical device security, based on what you've learned so far? Are there one or two tips you can offer?
LEDSOME: The most important thing that we've found is that the securing of medical devices is not an IT issue and it's not a medical issue. It's not a security issue, it's not a clinical issue and it's just not a vendor issue. It's all about working together in collaboration. The advice that I mostly would provide to you is that everybody has to remember that security is a team event. All the parties involved in this must work together to make sure they understand the requirements and they understand the security side of it. And we do the best we can to provide the best service we can for our clinicians that are using these products. And as Roger Baker, the VA's CIO, stated last week - and he really hit home with me on this - in our job, being in customer service, "Saying no is easy; figuring out how to say yes is where the ISOs earn their pay."
I think that the advice I'd give is to bring in all your stakeholders. Make it a team event and work with all your stakeholders to understand their points of view so that they understand your points of view, and you work together on a common solution.