Mar 31 2017

National HIPAA Summit: 4 Steps to Better Securing Medical Equipment

While notebook computers and workstations are top of mind in healthcare security, insulin pumps and EKG machines are also vulnerable to attack.

In healthcare, the Internet of medical devices could be the next security battleground. The prospect of hackers infiltrating insulin pumps or defibrillators has kept medical companies on their toes, and in 2015, even former Vice President Dick Cheney ordered modifications to his pacemaker to keep it secure, Wired reports.

But often, for healthcare organizations, these devices are overlooked when considering a cybersecurity strategy, said Sheetal Sood, senior executive compliance officer and head of information governance at NYC Health + Hospitals, during the National HIPAA Summit on Thursday.

“When we do risk assessments we’re going around doing our walkthroughs, we’re looking at laptop computers and workstations, and what about all the biomedical devices? It’s important that we consider them,” said Sood.

While these devices are not considered computers or printers per se, Sood notes that they are very much computing devices.

“Many of them have computers in them — the large nuclear medicine machines or electrocardiogram (EKG) machines — they are all connected to the [electronic health records] and the other aspects of the network … they are very much a connected device, a device that we need to be concerned about and, the biggest concern is they have [protected healthcare information] PHI,” said Sood, noting that some devices can store large amounts of data.

How to Keep Healthcare Devices Secure

Tagging these internet-connected devices as risk areas is the first step, but what else can healthcare organizations do to ensure their devices are safe if they don’t have inherent security mechanisms built in?

Sood offers a few pieces of advice.

  1. Figure out how these devices connect to the network. “Do a little classification exercise, a — for lack of a better word — risk assessment exercise. Say ‘These devices have the most PHI, [so we] classify them as the highest priority’, or ‘this is the riskiest device as compared to the other ones.’”

  2. Put in some basic controls. Sood recommends checking to ensure the device isn’t using a default password and, if so, changing it to a more secure code.

  3. Lock it away. Not all security has to be software-based. “If none of the logical controls can be put in, move to some of the physical controls,” said Sood. “Lock up the device, put it behind locked doors, or what have you.”

  4. Segment the device onto a different network. “Take all the medical devices and put them on a network that is different from the rest of the organization’s network,” said Sood. This will keep the devices from being compromised if the rest of the organization is hacked, and vice versa.
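The four steps above amount to an inventory triage: rank devices by how much PHI they hold and how exposed they are, apply a logical control (changing a default credential) where the device allows it, fall back to a physical control where it does not, and move connected devices onto their own segment. The following Python script is an added example written for this article, not code from the summit talk or from NYC Health + Hospitals; the device inventory, scoring thresholds, and segment names are constructed assumptions, and the default-credential flag comes from inventory metadata rather than from probing any device.

```python
"""Added example (not from the article): triage a constructed medical-device
inventory following the four steps described above. All devices, numbers and
segment names below are made up for illustration."""
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    phi_records: int                # approximate patient records stored on the device
    network_connected: bool         # reachable from the general hospital network?
    default_password: bool          # inventory flag: vendor default credential still set
    supports_password_change: bool  # can a logical control be applied at all?
    segment: str = "corp"           # network segment the device currently sits on


def risk_score(d: Device) -> int:
    """Step 1: rank devices. PHI volume dominates, then network exposure,
    then an unchanged default credential (assumed weights)."""
    score = 0
    if d.phi_records >= 10_000:
        score += 50
    elif d.phi_records >= 1_000:
        score += 30
    elif d.phi_records > 0:
        score += 10
    if d.network_connected:
        score += 25
    if d.default_password:
        score += 25
    return score


def classify(d: Device) -> str:
    """Map the score onto the priority tiers Sood suggests naming."""
    s = risk_score(d)
    if s >= 75:
        return "high"
    if s >= 40:
        return "medium"
    return "low"


def recommend_controls(d: Device) -> list[str]:
    """Steps 2 to 4: logical control if the device allows it, otherwise a
    physical control; any connected device not already on the medical
    segment is moved there."""
    actions = []
    if d.default_password:
        if d.supports_password_change:
            actions.append("change default password")
        else:
            actions.append("physical control: lock device in restricted room")
    if d.network_connected and d.segment != "medical":
        actions.append("move to medical VLAN")
    return actions


def triage(devices: list[Device]) -> list[dict]:
    """Return devices ordered highest risk first, each with tier and actions."""
    ranked = sorted(devices, key=risk_score, reverse=True)
    return [
        {"name": d.name, "score": risk_score(d), "tier": classify(d),
         "actions": recommend_controls(d)}
        for d in ranked
    ]


# Constructed inventory (not real devices or figures).
INVENTORY = [
    Device("nuclear medicine scanner", 25_000, True, True, True, "corp"),
    Device("EKG cart", 2_000, True, False, True, "medical"),
    Device("insulin pump", 0, False, True, False, "none"),
    Device("infusion pump", 50, True, True, False, "corp"),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(f"{row['name']:<26} {row['tier']:<6} {row['score']:>3}  {row['actions']}")
```

Running the script lists the scanner first (large PHI store, network-connected, default credential still set), with the infusion pump next because a default credential it cannot change pushes it to a physical control plus segmentation; the already-segmented EKG cart needs no action.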
