Medical device security is critical for hospitals and healthcare providers, and cannot be overlooked as covered entities work to create a comprehensive data security plan, according to Beth Israel Deaconess Medical Center (BIDMC) CIO John Halamka, MD, MS.
Halamka explained in a recent blog post that “in the short term, hospitals must do their best to isolate medical devices from the internet and from other computing devices that could infect them.” It is also necessary for CIOs to build “zero day” defenses in the short term. Essentially, CIOs need to create an electronic fence around vulnerable devices.
From there, manufacturers must update their products for the “medium term,” according to Halamka. In the long term, security needs to be a foundational component as medical devices are designed from the ground up, he added.
However, it is important for hospitals to understand how medical device security is monitored by the US Food and Drug Administration (FDA).
“Some manufacturers have claimed that adding operating system patches, intrusion detection/prevention and other cybersecurity defenses will require them to re-certify their devices with the FDA,” Halamka wrote. “That is simply not true. The FDA has issued guidance declaring it the responsibility of the manufacturers to secure their devices. No re-certification will ever be needed for adding new protections.”
Halamka explained how BIDMC uses three separate wireless networks, with one devoted to medical devices. There is also a wireless network for patients and families and a third secure network that is for clinicians and staff.
BIDMC medical devices also have firewalls to further ensure that they do not communicate with outside parties, he said.
The issue of medical device security is especially important to Halamka because BIDMC experienced a breach a few years back involving a medical device manufacturer. The third party removed the BIDMC security protections that are necessary to update a device from the internet. According to Halamka, it took only 30 seconds for the unprotected device to become infected and transmit data over the internet.
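As an added illustration of the isolation policy described in the preceding paragraphs (this is example code, not part of the original article or BIDMC's own tooling): a small Python audit that checks constructed flow records against the three-segment layout and flags any medical-device traffic that escapes its segment, the kind of event the incident above produced within 30 seconds. The segment addresses, the allowed monitoring server and the flow lines are all assumptions.

```python
import ipaddress

# Constructed segment plan for the three-network layout described above (assumed addressing).
SEGMENTS = {
    "devices":  ipaddress.ip_network("10.10.0.0/16"),   # medical devices
    "clinical": ipaddress.ip_network("10.20.0.0/16"),   # clinicians and staff
    "guest":    ipaddress.ip_network("10.30.0.0/16"),   # patients and families
}
DEVICE_ALLOWED_PEERS = {"10.20.1.5"}  # hypothetical monitoring server devices may reach

def segment_of(ip):
    """Map an address to its segment name, 'internet' for public space, else 'other'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet" if addr.is_global else "other"

def policy_violation(src, dst):
    """Return a reason string when a flow breaks the isolation policy, else None."""
    s, d = segment_of(src), segment_of(dst)
    if s == "devices":
        if d == "internet":
            return "device reached the internet"
        if d == "guest":
            return "device talked to the guest network"
        if d == "clinical" and dst not in DEVICE_ALLOWED_PEERS:
            return "device talked to an unapproved clinical host"
    if s in ("guest", "internet") and d == "devices":
        return f"inbound connection to a device from {s}"
    return None

def audit_flows(lines):
    """Parse 'timestamp src dst dport' flow records and return the violations found."""
    findings = []
    for line in lines:
        ts, src, dst, dport = line.split()
        reason = policy_violation(src, dst)
        if reason:
            findings.append((ts, src, dst, int(dport), reason))
    return findings

# Constructed flow records: normal traffic, then a device whose protections were removed.
SAMPLE_FLOWS = [
    "2015-08-03T10:14:02Z 10.10.4.17 10.20.1.5 443",   # device -> monitoring server: allowed
    "2015-08-03T10:14:05Z 10.30.2.9 8.8.8.8 53",       # guest -> internet: allowed
    "2015-08-03T10:14:31Z 10.10.4.17 1.1.1.1 80",      # device -> internet: violation
    "2015-08-03T10:14:33Z 10.10.4.17 10.20.7.200 445", # device -> other clinical host: violation
    "2015-08-03T10:14:40Z 10.30.2.9 10.10.4.17 22",    # guest -> device: violation
]
```

Run against real flow or firewall logs, the same check turns the "electronic fence" into an alert whenever a vendor or anyone else removes it.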
“The Office of Civil Rights adjudicated that it was the manufacturer, not BIDMC, which was responsible for the breach,” Halamka explained. “We were advised to follow any visiting manufacturer reps around the hospital to ensure that they do not remove hospital provided security protections in the future.”
In general, Halamka advised hospital leaders to secure their own perimeter and then speak with medical device manufacturers' CTOs to find out what their security roadmap entails. If a vendor does not have a security roadmap, change vendors, according to Halamka. BIDMC has already been making such changes because manufacturers have not been paying proper attention to medical device security, he said.
Medical device security is not a new issue, and the FDA recently issued a warning over potential cybersecurity vulnerabilities in the Hospira Symbiq Infusion System.
“Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network,” the FDA said in its report. “This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies.”
While there are currently no reports of adverse events or unauthorized access through that particular medical device, the FDA urged healthcare organizations to consider transitioning to another infusion system.