This article explores key challenges, considerations, technologies and workflows related to providing secure frontline medical device access and use.
Importance of Medical Device Security
Healthcare information technology has quickly become one of a clinician’s most powerful instruments. The implementation of technology to automate the collection and documentation of patient information, such as vital signs, continues to expand to users in more care settings within the hospital environment. Robust, network-capable devices, in these cases, are distributed and often mobile in nature and come with the ability to not only read a patient’s vitals, but also capture that information, store it, aggregate it and transmit it to other networks, devices and applications within the healthcare IT infrastructure—namely the institution’s EHR system. The result is a complex partnership between people, information and technology that ultimately supports the delivery of high-quality patient care. However, interconnectivity can raise security and compliance considerations. In order to help ensure safety, organizations must be able to trust the exchange of information that is facilitated through these medical devices.
Traditional means of securing these devices and ensuring proper compliance can inhibit provider productivity and cause frustration for users. For this reason, the burden of medical device security falls into many hands: those of device manufacturers, healthcare organizations, providers and even patients.
As a first step, many device manufacturers have started to implement changes that will allow for easier risk management and mitigation, including access controls. However, healthcare organizations must understand how to best manage these new security measures in order to help ensure user compliance and avoid disruption to clinical workflows.
While the topic of medical device security seems to be top of mind for the entire healthcare industry, regulators have yet to weigh in on the best approach. A successful strategy must include best practices for implementing access controls on medical devices to help increase security and ensure compliance without impeding patient care.
Security Considerations and Recommendations from Regulators
Over the past several years, the FDA has released guidance and recommendations to align medical device manufacturing processes with cybersecurity best practices. This guidance encourages manufacturers to design medical devices with cybersecurity in mind to aid in the prevention and mitigation of threats once a device has been deployed within a healthcare environment. From the FDA’s standpoint, as well as that of manufacturers and healthcare providers, the largest concern when it comes to medical device security is ensuring that cyber threats do not impede device functionality and, thus, patient safety. One of the primary methods for security outlined in the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices is to prohibit untrusted users from gaining access to these devices by enabling strong authentication. In response, many medical device manufacturers have designed configurable access controls, such as the use of a username and password, to help ensure that only trusted users can gain access to networked medical devices and the sensitive PHI with which they interact. These access controls help align medical devices more tightly with the cybersecurity best practices of the National Institute of Standards and Technology (NIST) for protection, detection and remediation.
Similarly, the Health Care Industry Cybersecurity Task Force’s June 2017 publication, Report on Improving Cybersecurity in the Health Care Industry, leverages the NIST Cybersecurity Framework to identify areas of focus to help improve medical device security and privacy for both manufacturers and healthcare providers. While the NIST best practices have long been standard practice throughout the information technology arena, it is only recently that organizations have been forced to apply the same techniques to medical devices. Unfortunately, many standard security best practices are not yet practical or effective for medical devices. While the industry quickly moves to better address these concerns, the Cybersecurity Task Force has outlined steps that organizations can take now to address primary trust concerns for medical devices. In recommendation 2.4 of the report, the Task Force suggests that organizations “require strong authentication to improve identity and access management for health care workers, patients, and medical devices/EHRs” (NIST, 2017).
More specifically, they suggest the use of single- or two-factor authentication to better establish trust between clinicians and devices, as well as between the devices and the networks with which they communicate PHI.
Following these practices can help to mitigate some of the most prevalent risks facing network-connected medical devices today, including:
- Access by malicious or untrusted users
- Tampering with patient health information
- Data integrity concerns as information is shared between devices and EHRs
- Exposure of PHI knowingly or inadvertently on unlocked devices
- Patient safety issues on devices that support clinical decision-making and the delivery of care
Access control, through the use of strong single- or multifactor authentication, can play a key role in threat protection and identification as it allows organizations to lock down devices and bring an added point of visibility and auditability during clinical workflows—so long as these controls do not interfere with provider productivity or the delivery of patient care.
1. FDA, October 2014, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm356190.pdf
2. NIST: National Institute of Standards and Technology
3. Health Care Industry Cybersecurity Task Force, June 2017, Report on Improving Cybersecurity in the Health Care Industry, https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf
4. NIST, June 2017, NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Life Cycle Management, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf