Hospitals increasingly prioritize strong security, particularly in the wake of crippling attacks that compromise patient privacy and safety.
But in healthcare, traditional and typically effective security policies, methods and controls are not adequate to protect medical devices. What works for workstations, printers, servers and internet access is not sufficient to address risks posed by medical devices and systems.
How, then, can healthcare IT managers develop a comprehensive medical device network risk management plan?
Bust Myths Around Security Patching
First, let’s dispel a common myth that U.S. Food and Drug Administration regulations bog down the process of security patching. While the FDA calls on manufacturers that significantly change the operating systems on their medical devices to apply for additional clearances, it does not require similar measures for those issuing security-driven OS and software patches.
In an FDA fact sheet on its role in medical device cybersecurity, the agency states, “Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity.”
Still, many medical devices won’t run anti-malware or anything that requires installation of additional software or hardware. Rather, most devices are designed to operate in a stand-alone environment or to be integrated with IT systems within a strictly defined, often proprietary pathway, or not at all. Typical resource management tools such as Active Directory and other Lightweight Directory Access Protocol services are likely not applicable.
To that end, healthcare organizations often turn to network segmentation to enhance security.
Offer Medical Devices a Network of Their Own
For the same reason IT professionals want servers on their own networks, they want medical devices on their own networks too.
This doesn’t mean putting all XP-based medical devices in a virtual LAN by themselves just to get them out of the way. The goal is to design VLANs to manage medical devices within them according to their security needs.
For guidance, look to those who have been working to bring network security to industrial controls in manufacturing, utility and other industries. For instance, the Purdue Model for Control Hierarchy, a common model in the manufacturing industry that segments devices and equipment into hierarchical functions, is likely applicable to medical devices. Different modalities may be separated by protocol or communication type so that efficient firewall rules can be applied.
The Health Level-7 and Digital Imaging and Communications in Medicine standards are two common medical device protocols, but many devices use proprietary communications and data structures. VLANs may provide good choke points for firewalls, intrusion prevention/detection systems and other network monitoring devices. Leverage network monitoring or security information and event management tuned to medical devices and events, which can provide enhanced real-time security data helpful in managing the environment. It may also be helpful to consider newer products that provide network monitoring and behavior analysis specifically calibrated for discovery and risk management of medical devices.
Assess Risk Before Adding a New Device
Once medical devices are segmented and focused on external controls, IT managers can contend with the risks to their device networks. Keep in mind that not all medical devices are the same, and just as IT management policies consider data classifications, patient risk must be considered as well.
For instance, not all medical devices deal with regulated data. IT managers should consult their organization’s privacy policies to understand what constitutes protected health information.
What’s more, patient risk differs according to a patient’s susceptibility to harm, which for a given device may be higher in an intensive care unit but lower in an outpatient setting like a doctor’s office or clinic. IT managers should solicit feedback from medical device specialists in their organizations, such as clinical engineers, biomedical equipment technicians or clinical risk managers.
Organizations that support various network security zones may want to consider managing by a combination of data and patient risk. Some regulatory agencies require medical device maintenance to be managed according to patient risk, so there is likely an assessment method or policy already in place that can be worked into such plans.
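The sketch below is an added example, not part of the original article. It shows one way to express the protocol-based segmentation and the combined data and patient risk zoning described above: devices are assigned a zone, a default-deny allow-list is derived per protocol, and observed flows are checked against it. The zone naming scheme, device names, IP addresses and the setting-to-risk ranking are constructed assumptions; ports 104/11112 (DICOM) and 2575 (HL7 over MLLP) are the registered ones.

```python
from dataclasses import dataclass

# Registered ports: DICOM 104 and 11112, HL7 v2 over MLLP 2575.
PROTOCOL_PORTS = {"dicom": {104, 11112}, "hl7": {2575}}
# Assumed patient-risk ranking by care setting (constructed for this example).
SETTING_RISK = {"icu": 3, "inpatient": 2, "outpatient": 1}

@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    protocol: str      # "dicom", "hl7" or "proprietary"
    handles_phi: bool  # data risk, per the organization's privacy policy
    setting: str       # care setting where the device is used

def zone_for(dev):
    """Combine protocol, patient risk and data risk into a zone label (hypothetical scheme)."""
    patient = "high" if SETTING_RISK[dev.setting] >= 3 else "std"
    data = "phi" if dev.handles_phi else "nophi"
    return f"{dev.protocol}-{patient}-{data}"

def allow_rules(devices, servers):
    """Default-deny allow-list: a device may reach only its protocol's server and ports.
    Proprietary devices get no rule until vendor-documented ports are added by hand."""
    rules = set()
    for dev in devices:
        for port in PROTOCOL_PORTS.get(dev.protocol, ()):
            rules.add((dev.ip, servers[dev.protocol], port))
    return rules

def violations(flows, rules):
    """Return observed (src, dst, port) flows that no allow rule covers."""
    return [f for f in flows if f not in rules]

# Constructed sample inventory, servers and flow records.
DEVICES = [
    Device("ct-scanner-1", "10.20.1.10", "dicom", True, "inpatient"),
    Device("icu-monitor-4", "10.20.2.14", "hl7", True, "icu"),
    Device("lab-analyzer-2", "10.20.3.7", "proprietary", False, "outpatient"),
]
SERVERS = {"dicom": "10.30.0.5", "hl7": "10.30.0.6"}
FLOWS = [
    ("10.20.1.10", "10.30.0.5", 104),   # scanner to imaging server over DICOM
    ("10.20.2.14", "10.30.0.6", 2575),  # monitor to interface engine over HL7
    ("10.20.2.14", "10.20.1.10", 445),  # device-to-device SMB across zones
    ("10.20.3.7", "10.30.0.5", 104),    # proprietary device speaking DICOM
]

if __name__ == "__main__":
    for d in DEVICES:
        print(d.name, "->", zone_for(d))
    for f in violations(FLOWS, allow_rules(DEVICES, SERVERS)):
        print("ALERT unexpected flow:", f)
```

In practice the inventory would come from an asset database and the flows from firewall or NetFlow logs at the VLAN choke points.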
High-end modalities, especially clinical lab and diagnostic imaging, rely on vendor remote support or 24/7 system monitoring to promote maximum uptime and quality of service. Be ready to manage several different remote support policies.
Consider Health Regulations at Every Step
Many medical devices are being marketed to take advantage of offsite processing or provide diagnostic services to bring down cost and add efficiency to front-line patient care. These architectures, however, come with regulatory and security management overhead. Additionally, HIPAA and the HIPAA Security Rule within the Health Information Technology for Economic and Clinical Health Act require managing the security and privacy controls around remote data center activities as they would be managed locally.
Securing medical devices, networks and healthcare information presents a real challenge, but also an opportunity to be creative with technical and management skills. IT managers must embrace the challenge to promote a greater quality of life for patients, their families and communities alike.