Written by Thomas Graham, Sr. Information Security Consultant
Medical devices are a point of concern for any information security (IS) professional in the healthcare industry. Generally, the concern revolves around the need to ensure the device works as it is intended to (functionality) and the need to secure the data being processed, displayed, transmitted and stored by the device (security). Speaking strictly on the security side of the argument, this presents a unique set of challenges to the IS community. The information that medical devices utilize often involves not simply processing and storing the information on the medical device, but transmitting it to another device, database, or individual so that it is available for further treatment of the patient. However, this information faces threats not only from within the organization, but also from external agents, as it can be very profitable on the black market. For instance, a recent FBI Cyber Division Private Industry Notification states that the value of a single medical record is $50, in contrast to only $1 for non-health-related personally identifiable information (PII).
The Food and Drug Administration (FDA) regulates the classification and safety of medical devices used in the U.S. and recently released draft guidance to address security. The agency developed the guidance in an effort to provide assistance to healthcare providers, medical device manufacturers and other stakeholders by identifying categories of commonly recognized threats and vulnerabilities to cybersecurity that should be taken into consideration for devices being submitted for FDA pre-market approval. While not all-encompassing or binding, this is a step made in the right direction by the FDA to stress the need for capable security mechanisms on medical devices. This should provide some support and clarity to healthcare IS professionals looking to work with medical device developers and vendors in recognizing and solving cybersecurity risks to the information handled by these devices.
Throughout its recent efforts to update the approach to securing medical devices, the FDA has worked with other government agencies and advisory groups of stakeholders to leverage these groups' expertise in addressing medical device security issues. Recently, the National Institute of Standards and Technology (NIST) Information Security and Privacy Advisory Board (ISPAB) held a panel discussion on emerging guidance and standards that will pertain to the security of medical devices. This panel not only covered the aforementioned draft guidance from the FDA, but also the upcoming Technical Information Report from Advancing Safety in Medical Technology. Probably the furthest along on the path of medical device security is the U.S. Department of Defense (DoD). It has created a formal Medical Device Security Technical Implementation Guide (STIG) through the Defense Information Systems Agency. The guide is available to the public and documents the specific requirements that any medical device must attest to before it is allowed to operate on the DoD network. This document covers both the technical and non-technical security requirements of medical devices for the DoD, and offers guidance on how to properly secure, or “fix”, the items contained in the STIG. This guidance is probably the most all-encompassing policy in use for medical device security and should be reviewed by the FDA for incorporation into its standards if medical device security is truly a priority.
While most of the guidance has been developed within the last three to four years, technology develops much faster. Currently, some of the biggest issues for healthcare IS professionals are the use of mobile medical devices within the organization and the end-of-life (EOL) of various operating system (OS) and software packages, including those used by medical devices. This creates a multitude of concerns such as:
- How are these devices being secured?
- Who is responsible for securing them?
- What do the devices contain?
- Who has access to them?
These alone bring to mind issues with data-in-transit, encryption, authentication, configuration, etc. in the use of mobile medical devices, and should give pause to even the most seasoned IS professional. Furthermore, there are several concerns with the security of the software when the manufacturer no longer supports its devices. In the June 2014 issue of HealthCare Business News, Jeremy Molnar, the VP of technical compliance services for CynergisTek, points out that “[T]his means that critical vulnerabilities identified as affecting [Microsoft] XP will not be addressed, leaving them susceptible to malware”. In addition to addressing the specific issues with Windows XP EOL, the repercussions of now having to re-code medical-specific software to function correctly on a new OS, coupled with the cost to the healthcare industry to purchase new equipment, are truly daunting.
The panoply of issues that undermine current efforts to effectively safeguard the cybersecurity of medical devices is finally beginning to get the attention it deserves from the FDA. As the stakeholders in the healthcare sector charged with developing and maintaining appropriate security safeguards for the information in our enterprise, we should encourage the FDA to continue its collaborative efforts with other federal agencies (ONC, NIST, DoD, etc.) to identify solutions and provide guidance to industry on some of the pressing issues impacting medical device security, including mobile medical device security and the incorporation of EOL planning into system development life cycles. If not, the insecurity and the risk of using these devices could negate the functionality that they were created to provide…saving lives!