×

From incorporating security evaluations into the procurement process to mapping the flow of patient data among systems, hospitals can take many measures to mitigate the security risks associated with networked medical devices.

In 2007, Dr. Jonathan Reiner, cardiologist to former U.S. Vice President Dick Cheney, ordered the manufacturer of Cheney’s defibrillator to disable the device’s wireless capability, according to “60 Minutes.” Dr. Reiner was concerned terrorists could remotely send a signal to the device, telling it to shock his patient into cardiac arrest.

A few years later, security researchers began demonstrating the ability to hack medical devices like pacemakers, defibrillators, and insulin pumps. When they exposed those devices’ security vulnerabilities to the public, a number of stakeholders including health care providers, the Food and Drug Administration, and Congressional leaders took note. Now, the prospect of a patient being injured (or even dying) because of a device-level security vulnerability poses a new—and chilling—risk.

As if potential threats to patient safety weren’t worrisome enough, health care providers have additional concerns about the security of the medical devices connected to their networks: Hackers and other malevolent actors like hostile nation states and organized crime rings can potentially exploit security vulnerabilities to gain unauthorized access to providers’ systems. Once inside, they could steal patients’ medical or financial information, disrupt service by taking patient or administrative systems offline, commit fraud, introduce malware, and otherwise intentionally or unintentionally injure patients.

Some health care organizations have already experienced cyber security incidents involving networked medical devices. One hospital had to take its patient monitoring system offline for several hours after discovering it was infected with the Conficker virus. Another hospital had to shut off its automated medication management dispensing system for a few hours because it was infected with malware.

“Even though the information security and privacy risks associated with networked medical devices have only recently begun to emerge, security leaders at health care provider organizations are implementing a range of practices designed to mitigate them,” says Russell Jones, a partner with Deloitte & Touche LLP’s Security & Privacy practice.

Those measures include:

Inventorying and placing tighter controls on existing devices. Some hospitals are establishing a single, centralized inventory of networked medical devices and keeping it up to date, according to Jones. They stratify their inventories by wired, wireless, and legacy (those in service more than five years) technology, and classify devices based upon the degree to which they’re critical to patient health.

“This inventory proves invaluable when conducting routine security risk assessments and audits of networked medical devices, as no device gets left out,” says Jones. He also recommends deploying monitoring software to detect and analyze unknown or rogue devices, implementing strong authentication controls, limiting administrative access to devices, and maintaining lists of the individuals authorized to access them.

Raising awareness of medical device security issues. Clinical and biomedical engineers, physicians, CIOs, and even chief medical information officers may not fully appreciate the security, patient safety, and privacy risks associated with networked medical devices. Consequently, many security leaders have had to establish or enhance education and awareness programs for those stakeholders that highlight devices’ vulnerabilities and explain potential threats, according to Jones. “This may include incorporating analysis of threats, vulnerabilities, and risks into reports for senior executives, or presenting findings at brown bag lunches and other special briefings geared toward business and clinical leadership,” he says.

Incorporating security into procurement policies for new devices. “The health care and procurement professionals who typically purchase new medical devices are often unaware of the security risks those devices may pose,” observes Mark Ford, a principal with Deloitte & Touche LLP’s Security & Privacy practice. To compensate for their blind spots, some health care organizations have added security and privacy evaluations and requirements into the procurement process. They test the security features and vulnerabilities of products under consideration, and ask device makers to fill out and submit the “Manufacturer Disclosure Statement for Medical Device Security” (or an equivalent), a questionnaire created by nonprofit health care industry organization HIMSS, which promotes the use of information technology in the delivery of health care. Additionally, they incorporate ongoing security support and maintenance into contracts with device makers, Ford notes.

Mapping data flows. Some security leaders have identified and documented how networked medical devices store, process, and transmit regulated data, such as protected health information, inside their organizations. “Understanding the movement of sensitive data and mapping interfaces between medical devices and downstream systems is critical to understanding what data may be at risk in the event of a medical device security breach,” says Ford.

Instituting physical security, disaster recovery, and resiliency measures. While interviewing security leaders from nine health care organizations for a study on patient safety and medical device security, Deloitte & Touche LLP practitioners found that five of the leaders put in place physical safeguards to reduce the risk of theft or damage to networked medical devices. These safeguards include bolstering encryption and authentication controls; locking down devices; retaining spare components in case of device failure, damage, or theft; and confirming back-up generators, uninterruptible power supplies, and redundant HVAC systems are in place to protect facilities that house critical-care and life-support medical devices.

Working with device manufacturers. Many security leaders recognize the need to collaborate with device manufacturers in an industrywide effort to improve the security of medical devices and, by association, reduce risk to patient safety. Some currently work with device manufacturers to implement cyber security controls when their organizations procure a new product; others report cyber security incidents to vendors, according to Jones. “A growing number of security leaders now feel they have to proactively reach out and educate device manufacturers on how to secure medical devices to address regulatory requirements,” he says. “They’re also trying to get device manufacturers to provide security updates, patches, and cyber security guidance in a more timely fashion.”

*****

Jones notes that individuals who wish to exploit medical devices to harm patients or disrupt services have time and resources on their side—two assets often in short supply for security leaders at health care organizations. “To safeguard patients and confidential health information,” says Jones, “information technology, compliance, and risk executives in health care organizations may need to pool their resources and collectively address current and future medical device security risks.”