- Medical device security has quickly evolved into a top area of concern for covered entities.
With more healthcare organizations connecting to HIEs, implementing BYOD strategies, and simply adopting more connected devices than before, it is critical that covered entities take the necessary security precautions. Otherwise, a data breach could not only compromise sensitive information, but it could actually bring physical harm to patients.
By having a comprehensive understanding of medical device security, organizations will better be able to adopt measures that are applicable to their daily operations.
HealthITSecurity.com will discuss the basics of medical device security - what it is, why is it important - and review what regulations are currently in place and how they potentially apply to covered entities. As the healthcare industry increases its connectivity, data security measures must also evolve as needed.
What constitutes a medical device?
The US Food and Drug Administration defines a medical device as "an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article.” For example, this could include medical infusion pumps or pacemakers.
Essentially, medical devices are used in diagnoses, treating or preventing certain diseases.
It is also important to note that FDA regulates various types of medical devices, including both high-risk and low-risk medical devices. FDA also has the authority to regulate devices before and after they go on the marketplace.
What medical device security regulations are in place?
One of the latest medical device security regulations happened in January 2016. Released by FDA and titled Postmarket Management of Cybersecurity in Medical Devices, the draft guidance is meant to “inform industry and FDA staff of the Agency’s recommendations for managing postmarket cybersecurity vulnerabilities for marketed medical devices.”
“For the majority of cases, actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered ‘cybersecurity routine updates or patches,’ for which the FDA does not require advance notification or reporting under 21 CFR part 806,” states the draft.
Manufacturers must also monitor the risk to the medical device’s essential clinical performance, according to FDA. This includes the exploitability of the cybersecurity vulnerability as well as the severity of the health impact to patients if the vulnerability were to be exploited.
“Cybersecurity risk management is a shared responsibility among stakeholders including, the medical device manufacturer, the user, the Information Technology (IT) system integrator, Health IT developers, and an array of IT vendors that provide products that are not regulated by the FDA. FDA seeks to encourage collaboration among stakeholders by clarifying, for those stakeholders it regulates, recommendations associated with mitigating cybersecurity threats to device functionality and device users.”
The FDA guidance also recommends that regulated devices manufacturers develop, document and implement a structured and systematic comprehensive cybersecurity risk management program that follows the 2014 NIST Voluntary Framework for Improving Critical Infrastructure Cybersecurity.
NIST also recently called for public comment on its cybersecurity framework, explaining that it is looking for suggestions for improvement, but to also see how the framework has functioned since its implementation.
“Since releasing the Framework in February 2014, NIST has been educating a broad audience about the Framework's use and value,” NIST states on its website. “The NIST Cybersecurity Framework is being employed across the country, in a host of sectors, and by organizations ranging from multinationals to small businesses. The proposed value of Framework has been validated through a large volume and breadth of interactions between NIST and industry.”
Medical device security is also discussed in Internet of Things - Privacy and Security in a Connected World, a report by the Federal Trade Commission.
In that report, FTC recommends best practices when it comes to cybersecurity, including how security should be built into devices from the outset rather than as an afterthought in the design process. Connected devices should also be monitored throughout their expected life cycle. Where feasible, security patches should also be provided to cover known risks.
The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” FTC Chairwoman Edith Ramirez said in a statement. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
The Office of Inspector General (OIG) also discussed medical device security in its 2016 Work Plan. Specifically, OIG said it would add medical device security in its FDA oversight.
Connected medical devices can connect to EMRs, and in doing so they could potentially jeopardize individuals’ personal health information privacy and security.
“Such medical devices use hardware, software, and networks to monitor a patient’s medical status and transmit and receive related data using wired or wireless communications,” OIG said. “Medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms to assist health care providers in assessing the vulnerability and risks associated with ePHI that is transmitted or maintained by a medical device.”
Connected devices and the healthcare industry
As previously mentioned, connected devices are becoming more prevalent in healthcare, and as such, covered entities need to understand this to keep patient data secure.
In an earlier interview with HealthITSecurity.com, Institute for Critical Infrastructure Technology (ICIT) fellow Michael McNeil explained that connected devices have affected healthcare privacy and security from an awareness perspective.
“Prior to having closed systems, a lot of the reliance from the manufacturing standpoint was really relegated to the hospital delivery organization or network,” he said. “But with the connectivity, and the sharing of information among the entire ecosystem, it has definitely accelerated the risk and overall threat vectors from a cybersecurity perspective that now forces the entire ecosystem to have to step up and to try to manage effectively.”
It is also no longer acceptable for manufacturers not to consider the total environment that their products will be in when it comes to their risk assessments and overall processing, McNeil cautioned. Organizations have to think beyond the “normal walls” based on the current situation with medical device security.
“When devices are not on the most current operating systems or are not upgraded to device levels where we can provide appropriate patching and update support systems, that also increases potential risk and exposure in environments,” McNeil stated.
From a legal perspective, medical device security is also essential, according to Daniel Gottlieb, a partner at McDermott Will & Emery LLP. Furthermore, patients’ physical safety could be at risk, he explained, along with the security of their PHI.
“In the most dire cases, a hacker could change a patient’s therapy by connecting to a medical device and changing how it functions either within a health care facility, at a patient’s home or any other location where the device is connected to the Internet,” he told HealthITSecurity.com toward the end of last year.
Medical device developers and manufacturers need to consider security during the device and equipment design process, Gottlieb said. Healthcare providers also must consider security before implementing those devices in their IT environments.
How are covered entities adopting medical device security?
Even with the changing regulations, some healthcare organizations are taking the necessary steps to securely implement connected medical devices.
For example, South Texas-based Methodist Healthcare Ministries (MHM) implemented SecurityCenter Continuous View from Tenable Network Security last year to improve its network security.
MHM network administrator James Kahl explained to HealthITSecurity.com that it was important to track and notify as much as possible if there were any indicators that something was compromised on the MHM systems.
“We use it to scan for vulnerabilities and look for any connections that are out of the ordinary,” said Kahl. “In addition we’ve been able to identify some devices on our network that were unknown, and had kind of fallen off the radar.”
MHM can also see if a particular work station is connecting to a server that it should not be connecting to, or perhaps connecting to another work station, according to Kahl. It is essential to guarantee that devices are only communicating with the specific places they need to, he added.
“We have a new dental sterilization tool that’s about to come out, it doesn’t need to talk to anything other than the PCs it needs to connect to,” Kahl said. “So any other communication beside that is an indicator that there’s a good chance that somebody is either inside our network trying to hammer on it or they’re trying to connect from the outside.”
Regardless of the type of medical device that a covered entity plans to potentially implement, it is critical to regularly monitor federal regulations, and ensure that it is adopting secure measures.