Channel: HealthITSecurity.com » HIE Security

Why Secure Medical Devices Should be a Priority

As more healthcare organizations implement electronic health records (EHRs) and begin to connect to health information exchanges (HIEs), the need for secure medical devices also increases in importance. A facility cannot run the risk of exposing its systems – or patient information – to cyber threats as it works to improve the exchange of information and patient care.

Securing medical devices is becoming more pressing because various devices are able to connect to the internet. While this can give providers the ability to communicate information quickly and conveniently, it could also make information available to cyber criminals. More federal agencies are taking note as well, and are working to create initiatives that will keep protected health information (PHI) secure, while also allowing healthcare organizations to provide necessary care.

What are considered medical devices?

In order to understand how best to keep medical devices secure, it is important for healthcare organizations to understand what actually constitutes a medical device. The US Food and Drug Administration (FDA) monitors the use of medical devices, and explains on its website that there are certain mobile app functionalities that could be used in a healthcare environment, such as in clinical care or patient management, but are not considered medical devices. This includes:

  • Mobile apps that are intended to provide access to electronic “copies” (e.g., e-books, audio books) of medical textbooks or other reference materials
  • Mobile apps that are intended for health care providers to use as educational tools for medical training or to reinforce training previously received
  • Mobile apps that are intended for general patient education and facilitate patient access to commonly used reference information
  • Mobile apps that automate general office operations in a health care setting and are not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease
  • Mobile apps that are generic aids or general purpose products

Moreover, the FDA states that its cybersecurity guidance covers medical devices that use off-the-shelf (OTS) software, that can connect to networks – either a private intranet or the public Internet – and that need updates or patches because their OTS software is found vulnerable to viruses, worms, and other threats.

“FDA is concerned about the security of networks because vulnerable OTS software can allow an attacker to get unauthorized access to a network or medical device and reduce the safety and effectiveness of devices that connect to those networks,” the agency explains on its website. “In our view, it is rare for healthcare organizations to have enough technical resources and information on the design of medical devices to independently maintain medical device software. Thus, most healthcare organizations need to rely on the advice of medical device manufacturers.”

What guidance is currently in place?

As previously mentioned, the FDA already has medical device cybersecurity guidelines in place. Toward the end of 2014, the FDA released its “Management of Cybersecurity in Medical Devices” guide. The guidance was meant to supplement the FDA’s previously released information. The new information was also designed as recommendations, not regulatory mandates.

“FDA recognizes that medical device security is a shared responsibility between stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices,” reads the updated guidance. “Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death.”

Additionally, the Center for Internet Security (CIS) and Medical Device Innovation, Safety and Security Consortium (MDISS) have released guidance for ensuring secure medical devices.

The Security Benchmark Mapping Guidance offers security recommendations to help both medical device manufacturers and healthcare providers evaluate the security controls of medical devices as they consider products to implement.

“The configuration guidelines, which were developed in collaboration with healthcare providers, manufacturers, cyber security experts and government entities, specifically apply to those devices that incorporate Microsoft Windows 7 and XP operating systems, which are commonly used for healthcare device systems,” according to the CIS website.

The recommendations also included guidance from IEC/TR 80001-2-2 security capabilities and the Manufacturer Disclosure Statement for Medical Device Security (MDS2) form, a collaboration between the Healthcare Information and Management Systems Society (HIMSS) and the National Electrical Manufacturers Association (NEMA).

Are there currently cybersecurity issues?

Along with updated guidance from CIS, MDISS, and the FDA, the Department of Homeland Security (DHS) is also taking a more active approach to ensuring secure medical devices. According to a DHS official, the agency started examining healthcare equipment two years ago. The agency began the investigation when cybersecurity researchers became more interested in medical devices that were possibly more vulnerable to online attacks.

The worry is that cyber criminals could gain control of the devices. For example, an infusion pump could be instructed to overdose a patient with drugs.

The majority of healthcare data breaches are seemingly centered around infiltrated databases or lost and stolen devices, such as laptops and smartphones. However, that does not mean that the healthcare industry should not try to take a proactive approach in all aspects of cybersecurity. Secure medical devices are a necessity, especially as organizations continue to implement devices with online capabilities. Facilities must take the time to secure all devices that they use, take care to adhere to any federal regulations, and keep all guidance measures in mind as well.

The post Why Secure Medical Devices Should be a Priority appeared first on HealthITSecurity.com.

