- Dale Nordenberg, moderator of the medical device security panel discussion at this year’s HIMSS Privacy and Security Forum, made an interesting point in saying that medical devices fit somewhere between BioMed, IT and security. Given the likelihood that they fall through the cracks, what are the best ways for healthcare organizations to monitor the risks associated with these devices?
Nordenberg, a medical device expert, discussed security experiences and safeguard tactics with panelists Kristopher Kusche, VP of Information Services, Technology Services at Albany Medical Center, and Darren Lacey, Chief Information Security Officer (CISO) of Johns Hopkins University and Johns Hopkins Medicine.
The first major topic of conversation was the manner in which Kusche approaches risk assessments for medical devices. Kusche said he had 20,000 medical devices across two hospitals, which outnumbers the 18,000 managed IT products, such as computers, the organization has on the network. As a Joint Commission accredited hospital, he said that Albany Medical Center has been assessing every device for risk for a long time because it was a Joint Commission requirement. The only major difference now is the addition of cybersecurity to that risk assessment.
“When the FDA released its cybersecurity recommendations in June 2013, we took them to heart,” he said. “After having done full cybersecurity assessments for our IT components and systems for HIPAA, the next logical step was to perform assessments on medical devices.”
After the FDA released its recommendations, Albany Medical Center was required to complete the cybersecurity assessments by Q1 2014. Kusche said that the newest assessments were natural extensions of what it had already done for years. “You have to ask what the risks – to patient care and confidentiality and the hospital’s PR – are that you’re trying to mitigate,” he said. “Once those are identified, they drive the areas where you’re trying to reduce risk. Because clinical engineering and Information Services are merged at Albany, the risk assessments were conducted jointly.”
Lacey reviews all new contracts for IT systems and applications at Johns Hopkins and said that he reviewed 114 contracts last year, 63 of which were for medical devices. Lacey estimated that about half of those devices were purchased by the organization’s clinical engineering team and most of the others by departments such as radiology. He acknowledged that despite not having a traditional background in medical devices, he wants the departments that own medical devices to collaborate more on potential risks.
The level of risk analysis quality goes down with each step. The clinical engineering team does a pretty good job with it, but the individual departments are uniformly lousy at assessing the cyber risk when they buy the product. There are some things that they can do to mitigate the risks, but it’s very hard to communicate those tactics to the departments. The IT department needs to do a better job of bringing the departments together to understand security risks.
Medical device malware
Lacey explained to the audience that he has spent a lot of time researching and analyzing medical device security ever since he recognized that he had underestimated device infection rates compared with other types of devices.
I brought some tools in [to check devices for malware] and the infection rates were lower [than some other devices]. But I realized that there were a lot more infections than I thought before. We have 15,000-17,000 network medical devices and the infection rate is lower than the standard rate, but we’re still talking about dozens of devices that are infected. But after the risks have been remediated, the re-infection rates two or three months later are astonishing and it’s an issue I’m still struggling with.