Securing Device Management Systems and Communications
As more medical devices add wireless functionality for the convenience of patients, they also acquire a safety problem: an attacker who can reach the radio link or the management network can alter how the device operates. Manufacturers must design security into these untethered devices and put safeguards in place for the event of a breach. This article provides insights on designing for these issues.
In the nearly two decades since the Health Insurance Portability and Accountability Act (HIPAA) became law, medical devices have progressed towards wireless, point-of-care, and even electronic implantable technologies. Coinciding with this trend are several high-profile instances of devices being hacked, targeting not the data but the operating and communications systems over which that data is carried. Such attacks can alter how a device operates, carrying the potential for patient illness, injury, and even death. Recently enacted legislation and federal agencies' calls for more stringent oversight of medical device security are intended to combat this threat. In addition, device manufacturers, OEM anti-malware vendors, and medical practitioners can take actions to ensure the safety of patients being cared for by potentially vulnerable medical devices and their supporting networks and communications systems.
The Threat — Examples
In 2011, a presenter at The Black Hat Briefings, a computer security conference whose attendees include federal agencies, corporations, and hackers, demonstrated how he hacked the wireless link between a glucose meter and pump controller and a wearable insulin pump. The attack intercepted the wireless signals between the devices and broadcast a stronger signal, changing the readout and prompting the wearer to adjust their dose. This showed how an attacker could manipulate insulin delivery and possibly fatally injure the pump user. Later that year, the OEM of a similar insulin pump system asked software security experts to investigate its device's vulnerabilities in response to claims of potential hacking. In early 2012, security researchers confirmed that the OEM's device was not only vulnerable but that several other features were also at risk. While wearable insulin pumps have received much of the attention, many other classes of devices may also be vulnerable.
Devices used in clinical settings are commonly managed by centralized medical device management software and associated hardware and wireless communications configurations, which are also vulnerable to attack. In March 2013, a hospital management OEM system was hacked and disabled by just six lines of malicious code. There is growing evidence that many medical service providers, as well as hospitals and clinics, neglect to secure medical devices, partly because they believe the OEMs are responsible for that security. A 2011 study reported that 69 percent of respondents' data security policies did not cover medical devices, and 94 percent reported at least one data breach in the previous two years. The study also noted that costs associated with these breaches may total as much as $7 billion per year.
Current State of Regulatory Affairs
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act became law. The Act reinforces existing HIPAA law and contains a new Stage 2 "Meaningful Use" rule requiring that participants conduct risk assessments, as was already required in Stage 1. The Stage 2 rule, however, specifically requires that the analysis address the security of data stored in Certified Electronic Health Record Technology (CEHRT). The original rule required a risk assessment covering the security of PHI but was not equipped to address today's challenges with respect to encryption; the Stage 2 rule requires that software be designed to automatically encrypt electronic health information stored locally on end-user devices. In early 2013, the U.S. Department of Health and Human Services (HHS) issued its Final Rule on the Act, which went into effect on March 26. While the Act addressed the protection of data at rest, its security requirements did not address the device-level attacks described above, which have since prompted calls for greater device security.
In August 2012, the U.S. Government Accountability Office (GAO) issued a report to Congress urging the U.S. Food and Drug Administration (FDA) to consider expanding information security requirements for certain types of medical devices. The GAO identified threats, vulnerabilities, and risks associated with implantable medical devices. In its report, the GAO evaluated the extent to which the FDA considered information security during its premarket review of certain devices with known vulnerabilities, and examined what postmarket efforts the FDA has in place to identify information security problems. Several weeks later, the FDA announced it was reviewing how it monitors for medical device security threats, including strengthening requirements for the reporting of safety and security issues. The announcement acknowledged that medical device security events are not effectively reported to the FDA; it also called for greater collaboration across agencies, including the Department of Homeland Security, in identifying and tracking potential threats. In June 2013, the FDA issued a safety communication urging medical device manufacturers to minimize the risk of malicious attack, summarizing the scope of the exposure and recommending actions for both device manufacturers and healthcare facilities to evaluate device and network security. The communication also identified areas requiring more comprehensive incident reporting through the FDA's Adverse Event Reporting (AER) program.
Recommendations for Improved Security
The following methods can be used to secure medical device technology: risk analysis, use of current electronics security technology, and training and education for the IT staff and learned intermediaries who manage and use potentially vulnerable medical devices.
Threat Evaluation and Assessment
- Wireless network encryption. In many cases, wireless networking equipment is received with encryption turned off. Access points and routers should be configured to use the strongest encryption the network supports, which today means WPA2 with AES (CCMP) rather than WEP or WPA with TKIP, both of which are broken. Industry associations such as AdvaMed recognize that new digital technologies allow medical devices and wireless networking equipment to be manufactured with built-in encryption, whereas older and legacy devices may not support the highest levels of encryption available.
- Limit device access to trusted users only, particularly for devices that are life-sustaining or could be directly connected to hospital networks. Such controls include user authentication via ID and password, smartcard, or biometrics. Strengthen password protection by avoiding hard-coded passwords and by limiting physical access to the areas where devices are used through locks, card readers, and security guards.
- Protect devices from exploitation and develop strategies for active security protection appropriate to the device's use environment. Such strategies should include timely deployment of security patches and methods that restrict software or firmware updates to authenticated code, for example by verifying a cryptographic signature on an update image before it is installed.
- Use design approaches that maintain a device's critical functionality even when security has been compromised, for example a pump that continues safe basal delivery but refuses remote dose changes once authentication fails.
- Provide methods for retention and recovery after an incident in which security has been compromised, including incident response plans that address the possibility of degraded operation as well as the means of restoration and recovery.
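The first recommendation above, that wireless equipment often ships with encryption off and should run at the strongest level the network supports, is easiest to act on with a check that can be run against an access point's configuration. The following is an added example, not code from the original article or from any vendor: it audits a hostapd-style configuration against a simple policy (WPA2 only, CCMP only, no WEP, management frame protection required). The two embedded configurations are constructed for illustration; the option names checked are real hostapd options, but the policy thresholds are this example's own assumptions, and the hardened fragment omits the RADIUS settings a complete WPA-EAP deployment would need.

```python
"""Audit a hostapd-style access-point configuration for weak wireless encryption.

Added example (not from the original article). The sample configurations are
constructed; the policy below (WPA2 only, CCMP only, no WEP, ieee80211w=2) is an
assumption of this example, not a standard.
"""

# Constructed sample: an access point left at a common "as shipped" state.
WEAK_AP_CONF = """\
interface=wlan0
ssid=infusion-pumps
hw_mode=g
channel=6
# no wpa= line: open network
wep_default_key=0
wep_key0=0123456789
"""

# Constructed sample: the corrected configuration, WPA2 with AES-CCMP only,
# 802.1X authentication and management frame protection required.
HARDENED_AP_CONF = """\
interface=wlan0
ssid=infusion-pumps
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=2
"""


def parse_hostapd(text):
    """Return a key->value dict from a hostapd.conf body, ignoring blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_ap_config(text):
    """Return a list of findings; an empty list means the config passes this policy."""
    conf = parse_hostapd(text)
    findings = []
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append("open network: no WPA/WPA2 configured")
    elif wpa == "1":
        findings.append("WPA (TKIP era) enabled; require WPA2 (wpa=2)")
    elif wpa == "3":
        findings.append("mixed WPA/WPA2 mode allows TKIP downgrade; use wpa=2")
    if any(k.startswith("wep_") for k in conf):
        findings.append("WEP keys present; WEP is broken and must be removed")
    # Pairwise ciphers may be listed under either key depending on the WPA version.
    ciphers = (conf.get("rsn_pairwise", "") + " " + conf.get("wpa_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher allowed; use CCMP only")
    if wpa != "0" and "CCMP" not in ciphers:
        findings.append("no CCMP (AES) pairwise cipher configured")
    if conf.get("ieee80211w", "0") != "2":
        findings.append("management frame protection not required (ieee80211w=2)")
    mgmt = conf.get("wpa_key_mgmt", "")
    if "WPA-PSK" in mgmt and len(conf.get("wpa_passphrase", "")) < 20:
        findings.append("short pre-shared key; use 802.1X (WPA-EAP) or a long passphrase")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_AP_CONF), ("hardened", HARDENED_AP_CONF)):
        print(name, "->", audit_ap_config(text) or ["OK"])
```

Run against the two samples, the weak configuration produces three findings (open network, WEP keys present, no management frame protection) and the hardened one produces none. The check is deliberately conservative: a mixed WPA/WPA2 mode (wpa=3) is flagged because a legacy device that only speaks TKIP forces the whole network to keep a weak cipher enabled, which is exactly the legacy-device tension the recommendation notes.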
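The last four recommendations (trusted-user access only, updates restricted to authenticated code, critical functionality preserved under compromise, and a recovery path) come together in the pump scenario from the threat examples above: the attacker there succeeded because the pump accepted whatever the strongest radio told it. The following is an added example, not code from the original article or from any pump vendor, showing a pump-side command handler that authenticates each message with a key provisioned at pairing, rejects replayed or stale messages with a monotonic counter, enforces its own dose limits regardless of who sent the command, and degrades to a safe mode rather than failing open. The message format, the limits, and the use of HMAC-SHA256 with a shared pairing key are this example's assumptions; a production design would use per-session keys for commands and a public-key signature for firmware images so that no private key is stored on the device.

```python
"""Authenticated command channel with replay protection and an independent safety
envelope for a wireless infusion device.

Added example, not from the original article or any vendor. The message format
(8-byte big-endian counter || JSON payload || 32-byte HMAC-SHA256 tag), the dose
limits, and the shared pairing key are assumptions of this example.
"""
import hashlib
import hmac
import json
import struct

# Assumption: a 32-byte key provisioned into both controller and pump at pairing.
# The constant value here is constructed for the demo; never hard-code keys in firmware.
PAIRING_KEY = bytes.fromhex("00" * 31 + "01")

MAX_BOLUS_UNITS = 10.0      # assumed hard limit enforced by the pump itself
MAX_UNITS_PER_HOUR = 15.0   # assumed hourly cap (window reset omitted for brevity)
TAG_LEN = 32                # HMAC-SHA256 output length


def encode_command(key, counter, bolus_units):
    """Controller side: serialize counter + payload and append an HMAC tag."""
    payload = json.dumps({"bolus": bolus_units}, separators=(",", ":")).encode()
    body = struct.pack(">Q", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Pump:
    """Pump side: verify authenticity and freshness, then apply the pump's own limits."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0           # highest counter accepted so far
        self.delivered_this_hour = 0.0  # units delivered in the current window
        self.safe_mode = False          # degraded operation after repeated bad traffic
        self.bad_messages = 0
        self.log = []                   # retained for incident review

    def handle(self, msg):
        """Return the dose actually delivered (0.0 if the message is rejected)."""
        if self.safe_mode:
            self.log.append("safe-mode: ignoring remote commands")
            return 0.0
        if len(msg) < 8 + TAG_LEN:
            return self._reject("truncated message")
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return self._reject("bad MAC")  # spoofed, tampered, or wrong key
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:
            return self._reject("replayed or stale counter")
        try:
            bolus = float(json.loads(body[8:])["bolus"])
        except (ValueError, KeyError, TypeError):
            return self._reject("malformed payload")
        self.last_counter = counter
        # Safety envelope: an authentic command is not necessarily a safe one. A
        # compromised controller holds the key, so the pump refuses (not clamps)
        # anything outside its own limits and logs it for the wearer.
        if not 0 < bolus <= MAX_BOLUS_UNITS:
            return self._reject(f"bolus {bolus} outside hard limit")
        if self.delivered_this_hour + bolus > MAX_UNITS_PER_HOUR:
            return self._reject("hourly cap would be exceeded")
        self.delivered_this_hour += bolus
        self.log.append(f"delivered {bolus} units")
        return bolus

    def _reject(self, reason):
        self.bad_messages += 1
        self.log.append("rejected: " + reason)
        if self.bad_messages >= 3:
            # Degrade rather than fail open: local basal delivery continues,
            # remote control is disabled until the device is re-paired.
            self.safe_mode = True
            self.log.append("entering safe mode; remote commands disabled until re-pairing")
        return 0.0


if __name__ == "__main__":
    pump = Pump(PAIRING_KEY)
    good = encode_command(PAIRING_KEY, 1, 2.0)
    print("legitimate:", pump.handle(good))
    print("replayed:  ", pump.handle(good))
    print("spoofed:   ", pump.handle(encode_command(b"attacker-guess", 2, 50.0)))
    print("oversized: ", pump.handle(encode_command(PAIRING_KEY, 2, 50.0)))
    print("\n".join(pump.log))
```

In the demo sequence, the legitimate 2-unit bolus is delivered, the replay of the same bytes is rejected on the counter, the attacker's message fails the MAC because the attacker never obtained the pairing key, and the oversized dose from a controller that does hold the key is refused by the safety envelope; after three rejections the pump enters safe mode. Two design points matter more than the specifics: the counter is only advanced after the MAC verifies, so an attacker cannot desynchronize the channel with forged messages, and the dose limits live in the pump, not in the controller whose compromise is the scenario being defended against.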
Use of First and Third Party Network Security Monitoring Software and Services
Many OEM device manufacturers and third-party service providers recognize the need to manage, and also to monitor, the operation and performance of devices attached to a wireless network as a best practice for assessing threats in real time. Software systems that use predictive modeling to monitor medical devices and raise alerts on an outage, a device malfunction, or an intrusion within a clinical network add a layer of protection beyond the other security methods described here.
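The three alert conditions named above (outage, device malfunction, intrusion) are each detectable from the telemetry a device-management system already collects. The following is an added example, not code from the original article or from any monitoring product: it runs three simple detection rules over a constructed sample of device log lines. The log format (timestamp, device id, event name, key=value fields), the heartbeat interval, the authentication-failure threshold, and the physiological plausibility bounds are all assumptions of this example.

```python
"""Detection rules for a clinical device-management monitor, run over constructed
sample log lines. Added example, not from the original article or any product.
The log format, thresholds and plausibility bounds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: about a minute of telemetry from three devices on one ward
# network. pump-12 goes silent, pump-07 sees a burst of failed logins from one
# MAC address, and monitor-03 reports an impossible oxygen saturation.
SAMPLE_LOG = """\
2013-06-14T10:00:00 pump-07 heartbeat rate=1.20
2013-06-14T10:00:00 pump-12 heartbeat rate=0.80
2013-06-14T10:00:00 monitor-03 heartbeat spo2=97
2013-06-14T10:00:30 pump-07 heartbeat rate=1.20
2013-06-14T10:00:30 monitor-03 heartbeat spo2=96
2013-06-14T10:00:31 pump-07 auth_fail src=00:11:22:33:44:55
2013-06-14T10:00:32 pump-07 auth_fail src=00:11:22:33:44:55
2013-06-14T10:00:33 pump-07 auth_fail src=00:11:22:33:44:55
2013-06-14T10:00:34 pump-07 auth_fail src=00:11:22:33:44:55
2013-06-14T10:01:00 pump-07 heartbeat rate=1.20
2013-06-14T10:01:00 monitor-03 heartbeat spo2=180
"""

HEARTBEAT_TIMEOUT = timedelta(seconds=45)   # assumed: more than one missed 30 s heartbeat
AUTH_FAIL_THRESHOLD = 3                      # assumed: failures per (device, source) per minute
AUTH_FAIL_WINDOW = timedelta(seconds=60)
PLAUSIBLE = {"rate": (0.0, 25.0), "spo2": (50.0, 100.0)}  # assumed plausibility bounds


def parse_line(line):
    """Split one log line into (timestamp, device, event, {field: value})."""
    ts, dev, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), dev, event, fields


def detect(log_text):
    """Return a list of (kind, device, detail) alerts found in the log."""
    alerts = []
    last_seen = {}                   # device -> last heartbeat time
    fails = defaultdict(list)        # (device, source) -> recent failure times
    end_time = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, dev, event, fields = parse_line(line)
        end_time = ts
        if event == "heartbeat":
            last_seen[dev] = ts
            # Malfunction rule: a reported value outside any plausible range.
            for key, value in fields.items():
                lo, hi = PLAUSIBLE.get(key, (float("-inf"), float("inf")))
                if not lo <= float(value) <= hi:
                    alerts.append(("malfunction", dev, f"{key}={value} outside plausible range"))
        elif event == "auth_fail":
            # Intrusion rule: repeated authentication failures from one source
            # within the window; fires once, on the threshold-th failure.
            src = fields.get("src", "?")
            recent = [t for t in fails[(dev, src)] if ts - t <= AUTH_FAIL_WINDOW]
            recent.append(ts)
            fails[(dev, src)] = recent
            if len(recent) == AUTH_FAIL_THRESHOLD:
                alerts.append(("intrusion", dev, f"{AUTH_FAIL_THRESHOLD} auth failures from {src}"))
    # Outage rule: any device whose last heartbeat is older than the timeout
    # at the end of the log (a live monitor would use the current time).
    for dev, ts in last_seen.items():
        if end_time - ts > HEARTBEAT_TIMEOUT:
            alerts.append(("outage", dev, f"no heartbeat since {ts.isoformat()}"))
    return alerts


if __name__ == "__main__":
    for kind, dev, detail in detect(SAMPLE_LOG):
        print(f"{kind:12} {dev:11} {detail}")
```

On the sample, the rules produce exactly three alerts: an intrusion on pump-07 (three failures from one source inside a minute), a malfunction on monitor-03 (spo2=180), and an outage for pump-12 (silent for 60 seconds against a 45-second timeout). The malfunction rule is the one most worth noting in a security context: a device whose readings are being manipulated, as in the insulin pump demonstration, often shows up first as implausible telemetry rather than as a recognizable network attack.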
Education and Training for Device Manufacturers and Learned Intermediaries
As medical devices increasingly rely on information technology for their operation and monitoring, device manufacturers, physicians, clinicians, and other learned intermediaries, as well as IT professionals employed in healthcare, should have a working knowledge of device security and of the threat unsecured devices pose to their patients. Data security policies, including procedures for securing wireless medical devices, should be reinforced, since many clinical IT security policies omit these devices entirely. Where possible, the individuals concerned should pursue advanced education in securing medical devices. Colleges and institutions are beginning to respond to this need with accredited courses in medical device security.
Expect the trend toward wireless medical devices to continue, giving patients greater freedom and flexibility. With that trend, however, come increasing vulnerabilities that healthcare providers and patients must be prepared for if they are to prevent incidents from undermining the otherwise good intent of these point-of-care technologies.
For more information, visit http://bit.ly/18t84M4.