Jun 14 2017

AAMI 2017: The Management Behind Medical Device Security

Hospitals must balance several elements to ensure safety against cyberthreats, Scripps Health’s Scot Copeland says.

Scripps Health Medical IT Network Risk Manager Scot Copeland believes that bolstering medical device cybersecurity is very much like securing a house.

There are tons of security controls and they all work together, Copeland said at the Association for the Advancement of Medical Device Instrumentation’s annual conference in Austin, Texas. “When you go to apply security to your own personal life at your home, do you have one thing that manages your security? No. It’s not just your door locks. You’ve got window locks. You have fences. You have lighting.

“That’s the way we need to understand how we apply security in medical devices, too.”

Security Elements to Consider

Copeland outlined several elements necessary to a hospital’s medical device cybersecurity plan, including a business associate agreement with each vendor, a computerized maintenance management system (CMMS) for asset tracking, and an access control policy that governs the conditions under which users are allowed to access equipment, both physically and logically. Other aspects to consider for the success of such a plan, he said, include:

  • Wireless spectrum management: “Understand the wireless networking considerations of your medical device fleet,” Copeland said. “Can you segment? Do you have separate networks? You may or may not, but you need to have a policy on spectrum management. Where are you going to put new wireless devices? How are you going to manage wireless devices and make them a subset so you can apply your security policies to them?”
  • Remote support management: “Imaging guys are always dialing into your CT [scanner], your MRI, but how do we manage this?” Copeland asked. Oftentimes, he said, the access goes unmanaged. “We don’t understand it. We know there’s dial-in, the manufacturer takes care of it, but we don’t know how many entrances we have into the medical network. We don’t know what devices have that remote support or not. We don’t know how it’s secured or if it’s secured. We need to know. We need to start asking the questions.”
  • Vulnerability management plan: Operating systems are built from software components, and the longer those components are out there, the sooner one of them will become a vulnerability, Copeland explained. To that end, organizations need a strategy for dealing with those vulnerabilities, particularly for medical devices, which stay in service far longer than a regular IT device. “An IT device you’re going to roll over three to five years,” Copeland said. “Medical devices? Fifteen to 20 [years], especially expensive ones. When we come up with vulnerabilities in our devices, how do we manage them on an ongoing basis?”
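The three questions above (which wireless devices sit outside the segments the security policy covers, how many remote-support entrances exist and which devices carry them, and how many years a device will run on an operating system past its vendor support date before it is retired) can all be answered from the CMMS inventory Copeland mentions, provided the inventory records the right fields. The script below is an added example, not code from Copeland, Scripps Health, or HealthTech. The inventory rows are constructed for the example, the field names are assumptions about what a CMMS export might contain, and the end-of-support table is a constructed lookup that should be verified against vendor lifecycle pages before use. It goes slightly beyond the text by also flagging devices whose OS is not in the lookup at all, since an unknown OS is itself an inventory gap.

```python
"""Inventory-driven checks for a medical device security plan (added example).

Assumes a CMMS export with, per device: OS, install date, planned service life,
network segment, wireless flag and remote-support method. All data is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Device:
    asset_id: str
    model: str
    os: str
    installed: date
    service_life_years: int          # planned lifetime, 15-20 years is common
    network: str                     # segment/VLAN name as known to the network team
    wireless: bool
    remote_support: Optional[str]    # e.g. "modem", "vendor-vpn", or None


# Constructed lookup (hypothetical for this example; verify against vendor pages).
OS_END_OF_SUPPORT: Dict[str, date] = {
    "Windows 2000": date(2010, 7, 13),
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# Constructed CMMS export; not real Scripps Health data.
INVENTORY: List[Device] = [
    Device("CT-01", "CT scanner", "Windows XP", date(2006, 3, 1), 20, "medical-imaging", False, "modem"),
    Device("MRI-02", "MRI", "Windows 7", date(2012, 6, 1), 15, "medical-imaging", False, "vendor-vpn"),
    Device("PUMP-17", "Infusion pump", "Embedded RTOS", date(2015, 1, 1), 10, "corp-wifi", True, None),
    Device("MON-04", "Patient monitor", "Windows 7", date(2016, 9, 1), 15, "medical-wifi", True, None),
    Device("VENT-09", "Ventilator", "Embedded RTOS", date(2010, 1, 1), 15, "medical-devices", False, "modem"),
]


def retirement_date(d: Device) -> date:
    """Planned retirement: install date plus service life."""
    return date(d.installed.year + d.service_life_years, d.installed.month, d.installed.day)


def unsupported_years(d: Device) -> Optional[float]:
    """Years the device is planned to run after its OS loses vendor support.

    Returns None when the OS is not in the lookup (an inventory gap to chase),
    0.0 when retirement falls before end of support.
    """
    eos = OS_END_OF_SUPPORT.get(d.os)
    if eos is None:
        return None
    retire = retirement_date(d)
    if retire <= eos:
        return 0.0
    return round((retire - eos).days / 365.25, 1)


def exposure_report(inventory: List[Device], as_of: date) -> Dict[str, dict]:
    """Per device: is the OS already past support as of `as_of`, or will it be
    before retirement, or is the OS unknown? Drives the vulnerability plan."""
    report = {}
    for d in inventory:
        years = unsupported_years(d)
        if years is None:
            status = "unknown_os"
        elif OS_END_OF_SUPPORT[d.os] <= as_of:
            status = "past_eos"
        elif years > 0:
            status = "eos_before_retirement"
        else:
            status = "supported_for_life"
        report[d.asset_id] = {"status": status, "unsupported_years": years}
    return report


def remote_entrances(inventory: List[Device]) -> Dict[str, List[str]]:
    """Remote-support entry points into the medical network, grouped by method.
    Answers 'how many entrances do we have and which devices have them'."""
    out: Dict[str, List[str]] = {}
    for d in inventory:
        if d.remote_support:
            out.setdefault(d.remote_support, []).append(d.asset_id)
    return out


def wireless_off_policy_segments(inventory: List[Device], allowed: set) -> List[str]:
    """Wireless devices not on a segment the medical device security policy covers."""
    return [d.asset_id for d in inventory if d.wireless and d.network not in allowed]


if __name__ == "__main__":
    today = date(2017, 6, 14)  # article date, so the sample output is reproducible
    for asset, row in exposure_report(INVENTORY, today).items():
        print(asset, row)
    print("remote entrances:", remote_entrances(INVENTORY))
    print("wireless off policy:", wireless_off_policy_segments(INVENTORY, {"medical-wifi"}))
```

Run as-is to see the three reports for the constructed inventory; in practice the `INVENTORY` list would be loaded from the CMMS export, and the network team's segment names would feed `allowed`. The "unknown_os" rows are worth as much attention as the "past_eos" ones, because a device whose OS the inventory cannot name cannot be put into any patching or compensating-control track.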

Proactive Partnership with IT Can Keep Devices Safe

Additionally, Copeland said, medical device managers must not hesitate to partner with the IT department.

“That’s one of the biggest challenges we’ve had. It’s taken years for us to get a relationship with our audit and compliance people, our [information security] people — the many departments of IS that seem to be very siloed and operate separately,” he said. “We needed to build relationships with them so they understand why we’re there and why we’re doing this with medical devices and that they are sympathetic to our cause and will support us. They own the network. A lot of the things we’re going to need to do to manage the security of our medical devices is going to have to be done by them.”
