If you work in healthcare IT and you’re committed to airtight security and compliance, you might consider yourself on top of your game. Building a strong security program, identifying risks and instituting corrective measures and smart policies – hopefully you know all of the right moves by now.
Yet there’s a common risk in healthcare environments that can get overlooked by even the most diligent IT teams. I’m talking about medical equipment – much of which is network-connected and increasingly hackable. While these advanced machines can save patient lives, they’ve often been overlooked when it comes to risk assessments and applying security controls.
These devices are such an integral part of the healthcare background that it’s easy to forget they can act as a conduit into an organization’s network. If you’re trying to block criminals from infiltrating your system, your thoughts will probably turn to accounting applications or patient portals – not a pump that’s administering a morphine drip. As a result, basic security protocols tend to go ignored.
And that can be a serious problem. These devices don’t always connect directly to the Internet, but many do connect to internal organizational networks. Few are firewalled off from other systems, providing easy access to hackers. This might not sound all that destructive until you consider the possible damage. A hacker could reset equipment back to factory settings, changing a pre-programmed temperature setting on a refrigerator holding critical biopsy samples. One attack could crash equipment during an emergency procedure or remotely alter medication dosages.
Consider the case of Vice President Dick Cheney. To treat his heart disease, he had a computerized defibrillator implanted in his chest that regulated his heart rate and could shock him back to life if needed. The problem: it could also be reprogrammed wirelessly from a short distance, making it a potential target for terrorists. For this reason, Cheney had the wireless feature disabled in 2007.
You might think these scenarios sound far-fetched – and no doubt you’re already occupied with safeguarding confidential information and keeping medical data accessible to providers. But the fact remains that securing medical equipment falls under the healthcare IT compliance umbrella. HIPAA’s Security Rule requires physical and technical safeguards to ensure the “confidentiality, integrity, and availability” of PHI – and that will bring some medical equipment into scope. Also, The FDA’s 21 CFR Part 11 regulation squarely addresses the need for security in medical devices which now include software and applications that can turn your smart phone into a health monitor.
The good news is that securing medical devices won’t differ much from your other risk management efforts. By working through the following measures, you’ll be able to proactively address security gaps and ensure your network integrity.
- Start by looking at your PHI – how it’s created, accessed and stored in your organization. Hopefully you’ve already mapped all of this out as part of your HIPAA compliance work, but you’ll want to revisit just how your data flows through your network. Remember to examine not just technology, but people and processes too.
- After that, make an inventory of all medical equipment and devices that connect to your networks. Again, you probably already have an existing inventory as part of your HIPAA work. Now you’ll want to make sure it includes all medical devices that interact with your systems. As part of this inventory make sure to note all of the built-in security measures or configuration settings that are available for each device.
- Next you’ll look at how those devices connect with your network and how any existing security measures have been configured. Now that you have an overall map of how PHI flows through your organization, including medical devices, the next step is to conduct a risk assessment for all of the devices in your inventory to identify potential vulnerabilities, threats and security holes within the devices configuration. These could be weak authentication policies, hacker-friendly interfaces or other weaknesses. Also consider the impact of any threats, such as the risk posed to patient safety, financial costs of a breach and the impact on your organization’s reputation.
- With those vulnerabilities articulated, it’s time to create corrective actions to mitigate each risk. Additional network segmentation will likely be necessary along with adding these devices to your monitoring systems to identify and log malicious activity, assess traffic, trigger alerts, and block and report intrusions – all of which can keep medical equipment protected from outsiders.
There’s no question that we’re facing a future of new developments in medical equipment. Along with this advanced healthcare technology comes the need for smart risk management techniques. Remember, both deliver the same goals: higher performance and better patient outcomes.