A report released in January by the Healthcare & Public Health Sector Coordinating Councils details the need for better security for medical devices, a topic infrequently discussed in healthcare until recently. Successful cyber incidents that have used medical devices as the attack vector have brought the reality home. In one instance in the US, a network-connected portable X-ray machine was infected and spread through the entire corporate network. It took about 16 months to completely eradicate the malware.
While medical device security is a vital segment of overall security, it’s often relegated to the bottom of the action plan. Historically, securing medical devices was in the hands of the manufacturers who often stood by the claim that they could not update their software without violating FDA regulations or going through arduous approvals. While that was true, recent efforts between regulators, manufacturers and healthcare leaders are beginning to show signs of progress on this front.
In the meantime, what can healthcare IT leaders do to secure medical devices? Here are three basic steps every healthcare organization should take immediately.
1. Connect information technology and clinical engineering.
In some healthcare organizations, leadership of IT and clinical engineering (CE) reside in one role. That may be a VP or a director, but at some point in the hierarchy, these two departments need unified leadership to ensure they are working in a coordinated manner. Connect and cross-train. While IT and CE aims are different, they are well-aligned. IT knows systems and security; CE knows medical devices and associated regulatory requirements. CE is a foreign world to most IT people, but it’s knowable. When you have an IT VP or director facilitating discussions about medical device network segmentation, for example, both IT and CE have to figure out the details together. While an IT leader might struggle at first to understand the world of medical devices, it’s an interesting and worthwhile endeavor that will pay dividends in streamlined communication and more effective security risk management.
2. Inventory network connected devices.
Your CE leadership should have an accurate inventory of the medical devices in the organization and that data should include whether or not the device is network-connected. If that data doesn’t exist, that should be your priority. It’s relatively easy to discover based on the class of medical device. For example, your CE leader will know whether your medication pumps are on the network (likely yes) or your intra-aortic balloon pumps are network-enabled (it depends) or your CT or MRI machines are connected (likely yes). With that data, you can begin developing your security plan. Start with the easiest ones (stationary devices like CT and MRI) and work your way down the list. Or, start with the devices you deem to be highest risk. The point is to make a plan and get to work.
3. Segment medical devices on isolated networks.
Since you are unlikely to be able to run any sort of protective software (anti-virus, anti-malware, etc.) on most of your medical devices, you have to protect them via firewalls, network segmentation, white lists, network monitoring, etc. There are many things you CAN do that are non-invasive, but don’t take any action until you’ve thoroughly vetted it with your CE leaders and done tests at a time when patients won’t be impacted by any glitches. For example, you want to protect your X-ray and CT machines. Test your solution at 1 a.m. on a Sunday after you’ve notified X-ray and CT leaders of the test. It may sound extraordinarily cautious, but you can’t introduce issues that might impact patient care. If a case is underway and a network change causes the machine to reboot, you could cause problems that delay patient care. It’s important to remember that things taken for granted in IT must be done with much more care in the medical environment. Ensure you plan and test in advance of making any changes that could impact patient care.
While the FDA and manufacturers continue to work out the kinks in the process, there are proactive steps you can take to improve medical device security. It may not be perfect, but information security is an always-evolving field and there is no perfect state – only improvements along the way.