By Joseph Goedert
Do you know how many medical devices are in your hospital or group practice? Do you know where they are? Do you know if they have embedded encryption and if it is turned on? Do you know these aren’t just devices, but often are mini-computers linked to the corporate network?
Do you know the last time a risk assessment was conducted on all network-connected medical devices? Do you know that hackers find medical devices are an easy way to get to the core network and then to other networks throughout the organization, including the electronic health record?
Maybe it’s time to have a meeting.
Hackers generally have one of two motives for what they do, says Stephanie Domas, an ethical hacker and lead medical device security engineer at Battelle, a research and development firm. She gets paid to hack organizations without causing damage and show where improvements are needed.
Some devices hold a sizable amount of data that can be hacked; others don’t contain much data, but are a gateway to the network for hackers. “Infusion pumps have become the poster child for medical device security gone wrong,” she adds.
Medical devices can include fetal monitors and other monitoring machines, ventilators, anesthesia machines, bypass machines, electrocardiographs, lasers, gamma cameras, medical apps, diagnostic imaging systems, powered wheelchairs, and implantable defibrillators and pacemakers, to name just a few.
Better defenses needed
Derek Jones, a senior security advisor at the consulting firm Impact Advisors, says many hospitals only use a perimeter firewall to provide protection for moving in and out of the core network, with no other firewalls protecting internal systems. Multiple firewalls across the organization—to the greatest extent possible, given available resources—represents a good start toward improving device security.
“Layered security is important because we can’t trust the Internet of Things,” he explains. “All these devices that get plugged into the network, like security cameras, cash registers and biomedical devices, are a risk to our security. Network access makes it easier to use the devices, but we often forget they are mini-computers and must be protected.”
Too often, Jones adds, the built-in firewall that comes with Microsoft Windows is seen as adequate, and as a result, more advanced software with better scanning and reporting features is not deployed. A more sophisticated firewall will remove the Windows firewall, which does not have the capacity that enables a network administrator to know that security holes have been opened by malware on a computer or a device.
Another core protection Jones recommends using is Cisco software that automates anti-virus and system updates, including all the personal firewalls that are part of the computers that all employees use. These “inside protection” firewalls can separate areas of the business from each other and keep problems in one area from spreading throughout the organization.
The biggest hole
Those suggestions for improving the security of medical devices and overall corporate security are a good place to start a program to examine and strengthen devices, particularly those that are older and may not have much embedded security.
That’s just the beginning, however, because newer medical devices may be just as vulnerable, even though they have more advanced security that can include embedded encryption.
There’s just one problem notes David Mertz, a director at the consulting firm Security Risk Advisors. “Turning encryption on requires awareness and a little bit of effort.”
Physicians don’t want electronic health records encrypted because they don’t want the additional time and hassle that encryption might require before they gain access to patient data, and they often have the clout to keep EHRs unencrypted, Mertz adds.
But medical devices can make an organization just as vulnerable, and encrypting devices is not a target of physician complaints. The culprit here is sloppiness, Mertz contends. Devices often are configured with default passwords that can be easily discovered by a hacker. New medical devices often will come into a facility without the IT department being informed, so encryption on new devices typically is not turned on.
Mertz advises the creation of a device acquisition process so devices entering an organization have to go through IT’s risk assessment security checks. He also advocates “network segmentation” so that devices are on a separate network and don’t easily tie into a main network.
The possibility that medical devices can be hacked is not just a vague possibility. In July 2015, the Food and Drug Administration warned of serious cyber vulnerabilities of a particular infusion pump—the Symbiq Infusion System from Hospira—and advised facilities to disconnect the pumps from their networks.
In November 2015, the FDA warned of cyber threats to networked devices. Then, in January 2016, the agency issued draft guidance laying out regulatory steps the agency wants device manufacturers to address to reduce cyber security risks. In particular, the agency wants providers to pay more attention to threats that can arise when devices undergo maintenance.
“While manufacturers can incorporate controls in the design of a product to reduce these risks, it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle.”
FDA also wants shared security cooperation between device manufactures and providers, notes Clyde Hewitt, vice president of security strategy at Cynergistek, a consultancy. For instance, the agency wants providers and vendors to be able to monitor and assess vulnerabilities, including scanning devices before they’re deployed and reporting any vulnerabilities to the manufacturer so patches can quickly be developed. However, that would require a notification process to owners of devices, and it could be challenging for manufacturers to identify and contact providers, he adds.
Even with the FDA guidance out, some manufacturers may not take it seriously, Hewitt fears, because it is not a requirement but merely the FDA’s recommendation, and there are no penalties for compliance.
Chief information security officers must take a bigger role in device security, Hewitt believes. In larger hospitals, the biomedical engineering department is often outside of the IT department, so the role and scope for the CISO does not reach into radiology departments, laboratories, nephrology units and even areas that address wearable technologies.
“It comes down to assigned responsibilities in the IT areas,” Hewitt says. “[CISOs] may be aware of device vulnerabilities, they may be responsible, but they need to coordinate. But anytime you have two people responsible for security, there will be gaps.” Hewitt reminds stakeholders that HIPAA requires administrative, technical and physical security policies to roll up to one responsible person to avoid gaps.
The legal view
When the HHS Office for Civil Rights, which enforces the HIPAA privacy and security rules, sanctions an organization for violations of HIPAA, a fundamental flaw of the organization consistently is the failure to have conducted risk assessments of threats to protected health information.
More than a decade after HIPAA went into force, a significant number of stakeholders still do not understand their HIPAA obligations or are trying to handle everything themselves and falling short, says Matt Fisher, chair of the health law group at the Mirick O’Connell law firm.
“If someone on the inside is not familiar with risk assessments, it’s easy to take the position that everything is okay,” he adds. “Everything is identified as low-risk, and that’s just not possible these days. You need outside help to address new threats.”
Chief security officers need to have discussions with medical device managers about the digital functionality and security status of older devices, Fisher advises. Sometimes, only the manufacturer can upgrade the devices, particularly large ones such as MRI machines.
An attorney can help an organization better understand obligations and risks, but when it comes to developing tactical strategies to improve the security of devices, don’t call your attorney; get a consultant, Fisher says. “You need someone who knows how to secure devices. Get appropriate support; don’t try to do it yourself.”
When turning to attorneys to advice, providers should heed it, Fisher advises. “We can advise but can’t force them to do anything. Some don’t take it to heart; with others, the light bulb goes off and you can see changes being made. Overall, most want to do the right thing while matching how the organization operates.”
But security gaps can remain even when an organization recognizes the gaps because of a feeling that they just don’t have the time or resources to make fixes.
“It comes down to the desire of each entity to focus on these issues,” Fisher says. There still is a good chunk of industry not focusing on these actions. The key is to reach that segment and explain how HIPAA compliance will improve the business.”