09-23-13 | Blog Post
A little back and forth from the session about medical device integration:
How to Manage Security Vulnerabilities of Medical Devices as They are Integrated with the Broader Health IT Infrastructure
Moderator: David Finn, Health IT Officer, Symantec
Speakers: George Fidas, Jr. Product Security Officer, Patient Care and Clinical Informatics, Philips Healthcare; Steve Merritt, Manager, Imaging and Clinical Systems, Baystate Health; Paul Scheib, IS Operations Director and Chief Information Security Officer, Boston Children’s Hospital
There’s a lot of speculation about how much of the concern over medical device security reflects real threats to patient safety and how much is fear-mongering and media ratings. The panel on managing medical devices started with a discussion of how much of an issue medical device security really is.
Moderator: Is this a real problem, and if so, why is it so complicated?
George Fidas: It is indeed a real problem and we see a lot of collateral damage across our medical devices. It needs to be treated as another endpoint on our network and a vector where an attack can come from.
The trend will likely go up as more devices contain PHI and become interconnected. At some point they will probably overtake more endpoints than current IT devices. We need to work as an industry to figure out how to effectively manage it.
From a complexity point of view, biomedical engineering has been isolated, and that needs to change with more convergence between clinical engineering and IT, and we need to start taking best practices from both sides and having open debates. We have to have both the biomedical and IT engineers to figure out how to manage medical devices appropriately. At the end of the day, it’s about mitigating the risk of a vector attack.
Steve: I see the emergence of medical device security concerns as the obvious evolution of plugging that first medical device into the network – which brings along all its own security baggage. Security can’t just be the medical device industry being forced to do something by the FDA. It needs to be an agreement between the organizations and manufacturers with a game plan for how to manage medical device risks.
Paul: Operationally, I don’t think clinical engineering groups are in a position to respond to these incidents. IT groups are usually more familiar with responding to security incidents. Clinical engineering groups are not equipped with the tools to use scripts and programs for updating and managing outbreaks in medical devices.
From a patient safety and care side, that’s the scenario everyone dreads. If there is a malware outbreak, do you start turning off the medical equipment? The cure could be worse than the disease. You try to isolate the device if you can, but architectural malware that is sending traffic to China, you don’t really know. There aren’t the processes in place to support responding to incidents of this magnitude. It drives you to partnering IT and clinical engineering groups much more closely together. Somehow we need to pair those groups and update incident response plans to address medical device compromise.
Moderator: Leon Rodriguez today mentioned that risk assessments are the largest gap. Do you include medical devices in your risk assessment?
George: Not in a formal way, no.
Mod: Well, you are with the majority of providers today then 🙂
Steve: Doing that risk assessment in IT environments is something that manufacturers need to work with the providers on in order to evaluate the production environment.
Moderator: Who owns medical device risk assessment and mitigation?
George: It’s shared with clinical engineering, IT, and the device manufacturers because everyone owns a piece of that. Every environment is unique, so how do we take the generic information from the manufacturers and apply it to our specific environments in order to evaluate the risks and mitigate them as quickly as possible?
Mod: Many have controlled them by keeping them on a separate biomedical VLAN. Is that a good long-term solution, and what kind of complications and administrative overhead is created with this approach? If you could choose a best solution, what is it for these devices?
Paul Scheib, IS Operations Director and Chief Information Security Officer, Boston Children’s Hospital
For many years manufacturers preached isolation to the point of each manufacturer wanting a separate physical network. They have since given up on that, but the problem is it’s hard to isolate something that needs to feed other systems. How do you isolate a VLAN and all the equipment when that data feeds the EMR systems that multiple users need to access? They are systems, and the only thing that resembles a medical device is the piece that comes into contact with the patient. The convergence has driven us to a point where isolation is not a possibility any more. Access level controls have to be used instead. Network design can’t accommodate the isolation.
Steve: How do you work with customers and who else besides the government is giving guidance and are people using that industry guidance?
For the most part, regulations are usually several steps behind. Today’s best practices are tomorrow’s regulations, so the focus needs to be on looking for today’s best practices. Regulations require something bad to happen first. If you want something bad to happen, go ahead and shoot for the minimum regulation standard. Otherwise, look for the best practices used today.
What’s driving mobile device security – media type, business drivers?
George: We’ve seen collateral damage across medical devices and have had to consider if we need to replace all monitors in our system that have been infected with a worm. It’s not only managing outside risks, but also inside risks. For example, sometimes these devices won’t handle an internal port scan done as part of a routine security scan, which will cause an interruption in functionality of those services.
Steve: I love “Homeland”, but most examples are very targeted. While concerning and real, probably not worth battling every day. Until you can get good at what you do every day, you can’t get too focused on the corner outlier cases and miss doing well on the 90% of the issues.
Where is the wealth in a medical device? Is “Homeland” the scenario we need to really be concerned with? What would someone want to do with a medical device? What are you doing when you are hacking a medical device? Do you want to injure someone? That’s just a whole different level.
George: If there ever was a threat to patient health, that would be a whole other level of disaster. That’s why we try to do hard core separation of the network of medical devices.
Moderator: As more remote home monitoring happens, will this issue increase? How do you address that when they are attached to a patient who is running through the streets of Boston?
Panel: The general consensus was “yes”, medical device security will become increasingly important. Some large manufacturers like GE & Philips have global security teams as part of what they offer, but other smaller, specialized medical device manufacturers won’t have the resources to address security.
Q: How does the way a service is implemented affect the risk?
Steve: The service model is part of the risk assessment itself.
Q: If the Covered Entity asks for the risk assessment, does Philips provide that?
Yes, through the course of current customer relationships. You won’t go to a public download page to download Philips’ risk assessment. There is variance in the implementation from one environment to another, and you don’t want the details specific to each environment to be something publicly available.