healthcaretechoutlook

Medical Device Security and Governance

By Asadullah Khan, Clinical Engineering Director, Aramark Healthcare

Cybersecurity is an emerging field in healthcare technology management, and it is also one of the top concerns for healthcare organizations. In the last decade, healthcare technology has transformed from mostly discrete medical devices to integrated medical systems, and the industry has experienced exponential growth in the integration of medical systems with IT infrastructure. This technology transformation exposes these systems to cyber threats, mainly due to the lack of adequate security protocols on medical devices. Poor planning on security adoption, inadequate risk assessment (due to lack of knowledge) and system design add to this exposure.

Although medical device technology has been revolutionized, there are still some fundamental problems with security and interoperability. Most medical devices are unique in their design and specific to their manufacturer. A large number of medical devices are based on proprietary operating systems (OS), non-standard connection methods and outdated security protocols. There are several challenges associated with security during the life-cycle management of medical devices, but this article will highlight only a few major issues.

One of the top challenges for healthcare technology managers is the management of IT attributes (network and software) and security configurations for medical devices. In the past, these attributes were never collected or maintained by Clinical Engineering (CE), nor by IT. As a result, most healthcare organizations struggle to keep an accurate inventory of networked medical devices, cannot fully identify their vulnerabilities, and lack comprehensive security risk assessments. IT and Clinical Engineering should collaborate to identify and document relevant IT attributes based on their organization’s security requirements. CE should also invest in a CMMS with the ability to maintain IT attributes with relevant processes, start documenting IT attributes as new medical devices are added, and develop a standard practice to document and verify relevant IT attributes during scheduled maintenance.

Most of the time, medical devices are ignored or discussed only briefly when healthcare organizations develop a cybersecurity plan. It is important to include medical devices, especially mission-critical devices, and to align the Medical Equipment Management Program (MEMP) with the organization’s cybersecurity plan, so that the organization develops and adopts a consistent strategy for life-cycle management and cyber-related activities on medical devices and their associated systems.

There is still a gap in information sharing related to security updates for medical devices. There is no information-sharing mechanism for medical devices to report the availability or status of cybersecurity patches for commercial off-the-shelf (COTS) software, including standard operating systems. The FDA shares alerts and recalls on medical devices related to patient safety, while ICS-CERT and other organizations share cybersecurity alerts that are specific to exploits found in medical device design or in a proprietary OS. Unlike the IT industry, which has established protocols to report a security patch, medical devices are not part of the same ecosystem due to regulatory requirements. According to the FDA Postmarket Cybersecurity Guidance, medical devices are excluded from pre-market review of software changes related to cybersecurity patches and updates; however, OEMs still have to validate a patch before it can be released to the owner of a medical device. Therefore, medical device owners must proactively reach out to medical device manufacturers on a periodic basis to get an update on security patches for affected medical devices.

Healthcare organizations should adopt relevant policies and procedures based on their business model to address cyber-related activities on medical devices. A few of the most common ones that every healthcare organization should adopt are: a pre-procurement approval process or policy for new medical devices that are ePHI and/or network capable, a disposal policy for medical devices with ePHI, an off-site repair policy for medical devices with ePHI, a removable media policy for medical devices, a change management policy to address implementation of security patches, software updates and changes to network configuration, and a password management policy to address hard-coded and default passwords on medical devices.

Healthcare organizations were the prime victims of the WannaCry and NotPetya ransomware, and almost all medical devices with Windows OS were affected. Most healthcare technology managers were caught off guard: they were not prepared to address this challenge and were unable to identify the affected medical systems within their organization. Even to this date, healthcare organizations are still discovering medical devices with this vulnerability. The first step towards creating a robust cybersecurity program for medical devices is to identify medical devices with network capability and document all relevant IT attributes and security configuration. Identification of medical devices would streamline the risk assessment process and improve the response time for security-related incidents.

In summary, healthcare organizations are facing a difficult problem and struggling to address cyber threats related to medical devices. As medical devices continue to converge with IT infrastructure, Clinical Engineering and IT need to work collaboratively and leverage each other’s expertise to develop a robust cybersecurity program for medical devices.