BreachExchange mailing list archives

Why Secure Medical Devices Should be a Priority


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 20 Feb 2015 18:22:09 -0700

http://healthitsecurity.com/2015/02/17/why-secure-medical-devices-should-be-a-priority/

As more healthcare organizations implement electronic health records (EHRs)
and begin to connect to health information exchanges (HIEs), the need for
secure medical devices also increases in importance. A facility cannot run
the risk of exposing its systems – or patient information – to cyber
threats as it works to improve the exchange of information and patient care.

Securing medical devices is becoming more pressing because many devices
are now able to connect to the internet. While this gives providers the
ability to communicate information quickly and conveniently, it can also
expose that information to cyber criminals.
More federal agencies are taking note as well, and are working to create
initiatives that will keep protected health information (PHI) secure, while
also allowing healthcare organizations to provide necessary care.

What are considered medical devices?

In order to understand how best to keep medical devices secure, it is
important for healthcare organizations to understand what actually
constitutes a medical device. The US Food and Drug Administration (FDA)
monitors the use of medical devices, and explains on its website that there
are certain mobile app functionalities that could be used in a healthcare
environment, such as in clinical care or patient management, but are not
considered medical devices. These include:

- Mobile apps that are intended to provide access to electronic “copies”
(e.g., e-books, audio books) of medical textbooks or other reference
materials
- Mobile apps that are intended for health care providers to use as
educational tools for medical training or to reinforce training previously
received
- Mobile apps that are intended for general patient education and
facilitate patient access to commonly used reference information
- Mobile apps that automate general office operations in a health care
setting and are not intended for use in the diagnosis of disease or other
conditions, or in the cure, mitigation, treatment, or prevention of disease
- Mobile apps that are generic aids or general purpose products

Moreover, the FDA states that its cybersecurity guidance covers medical
devices that use off-the-shelf (OTS) software, can connect to networks,
whether a private intranet or the public Internet, and need updates or
patches because their OTS software is found vulnerable to viruses, worms,
and other threats.

“FDA is concerned about the security of networks because vulnerable OTS
software can allow an attacker to get unauthorized access to a network or
medical device and reduce the safety and effectiveness of devices that
connect to those networks,” the agency explains on its website. “In our
view, it is rare for healthcare organizations to have enough technical
resources and information on the design of medical devices to independently
maintain medical device software. Thus, most healthcare organizations need
to rely on the advice of medical device manufacturers.”

What guidance is currently in place?

As previously mentioned, the FDA already has medical device cybersecurity
guidelines in place. Toward the end of 2014, the FDA released its
“Management of Cybersecurity in Medical Devices” guide. The guidance was
meant to supplement the FDA’s previously released information. The new
information was also issued as recommendations, not regulatory mandates.

“FDA recognizes that medical device security is a shared responsibility
between stakeholders, including health care facilities, patients,
providers, and manufacturers of medical devices,” reads the updated
guidance. “Failure to maintain cybersecurity can result in compromised
device functionality, loss of data (medical or personal) availability or
integrity, or exposure of other connected devices or networks to security
threats. This in turn may have the potential to result in patient illness,
injury, or death.”

Additionally, the Center for Internet Security (CIS) and Medical Device
Innovation, Safety and Security Consortium (MDISS) have released guidance
for ensuring secure medical devices.

The Security Benchmark Mapping Guidance offers security recommendations to
both medical device manufacturers and healthcare providers in evaluating
the security controls for medical devices as they evaluate products to
implement.

“The configuration guidelines, which were developed in collaboration with
healthcare providers, manufacturers, cyber security experts and government
entities, specifically apply to those devices that incorporate Microsoft
Windows 7 and XP operating systems, which are commonly used for healthcare
device systems,” according to the CIS website.

The recommendations also included guidance from IEC/TR 80001-2-2 security
capabilities and the Manufacturer Disclosure Statement for Medical Device
Security (MDS2) form, a collaboration between the Healthcare Information
and Management Systems Society (HIMSS) and the National Electrical
Manufacturers Association (NEMA).

Are there currently cybersecurity issues?

Along with updated guidance from CIS, MDISS, and the FDA, the Department of
Homeland Security (DHS) is also taking a more active approach to ensuring
secure medical devices. According to a DHS official, the agency started
examining healthcare equipment two years ago. The agency began the
investigation when cybersecurity researchers became more interested in
medical devices that were possibly more vulnerable to online attacks.

The worry is that cyber criminals could gain control of the devices. For
example, an infusion pump could be instructed to overdose a patient with
drugs.

The majority of healthcare data breaches are seemingly centered around
infiltrated databases or lost and stolen devices, such as laptops and
smartphones. However, that does not mean the healthcare industry should
not take a proactive approach to all aspects of cybersecurity. Secure
medical devices are a necessity, especially as organizations continue to
deploy devices with online capabilities. Facilities must take the time to
secure all devices that they use, take care to adhere to any federal
regulations, and keep all guidance measures in mind as well.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/