Case Study - Biomedical Devices - Preventing harm from security weaknesses

PROBLEM

Biomedical devices are a major cause for concern in hospital environments because:

  1. They are connected to the hospital or care-provider’s network, thus vastly increasing the attack surface area for evil-doers.

  2. Patient safety is at considerable risk, as demonstrated by recent remote wireless hacks of insulin pumps and other patient monitors.

  3. Many devices have not had their operating systems patched or migrated to newer versions for years. These devices are especially vulnerable to known and widespread attacks on unpatched software. A virus infecting an “old” OS on an infusion pump can propagate and infect every other device, crippling the entire hospital network in minutes.

  4. The mobile revolution has resulted in many new consumer-oriented apps and devices that perform patient monitoring and then send information upstream or downstream for additional diagnostic actions. Tainting of this upstream or downstream data is very possible and adds to patient safety concerns.

SOLUTION

 Solutions to fix this are multipronged:

  1. First, conduct a biomedical device inventory to identify each device connected to the network, the version of the operating system used, ePHI storage or transfer capabilities, wireless encryption mechanisms used, the device’s primary and secondary functions, and the name of the OEM. Without an accurate inventory, any preventive measures are like shooting in the dark.

  2. For large health systems or academic medical centers, consider using the following excellent, but very detailed, framework: IEC – 80001 standard “Application of Risk Management for IT networks incorporating medical devices”.

  3. Segregate all biomedical devices into a separate virtual LAN (VLAN). This allows IT administrators to quickly quarantine devices if a virus or malware is found on any device. Further, access control measures, including what data can be sent and to which specific ports within network switches, should be implemented if feasible.

  4. Ensure that the Business Associate Agreements (BAA) with all your biomedical device vendors contain provisions for these vendors to provide software patches within a reasonable time frame. (Many OEMs hide behind spurious or false concerns that software updates constitute a new product and therefore must go through a new and exhausting FDA approval process. This position, held by many OEMs, is false, as the FDA made explicitly clear in 2015.)

  5. Test or vet any mobile applications or consumer devices before allowing them to send data to any device, application or data repository that rests on your (care-provider) network.
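
An added example (not part of the original case study) of how the inventory from step 1 can be checked automatically and tied to the VLAN segregation in step 3. The CSV column names, the VLAN ID 210, the list of weak wireless settings and the sample devices are all assumptions constructed for illustration.

```python
import csv
import io

# Fields the inventory step asks for; the column names are assumptions.
REQUIRED = ["device_id", "os_version", "ephi", "wireless_encryption",
            "primary_function", "secondary_function", "oem"]
BIOMED_VLAN = "210"                      # hypothetical biomedical VLAN ID
WEAK_WIRELESS = {"none", "open", "wep"}  # assumption: treated as inadequate

# Constructed sample inventory export (not real devices or vendors).
SAMPLE_CSV = """device_id,os_version,ephi,wireless_encryption,primary_function,secondary_function,oem,vlan
pump-01,Windows XP SP3,stores,wep,infusion,dose logging,ExampleMed,210
pump-02,Windows XP SP3,stores,wpa2,infusion,dose logging,ExampleMed,210
mon-07,,transfers,wpa2,patient monitoring,alarm relay,ExampleMed,10
ecg-03,Linux 4.9,none,wired,ECG capture,report export,,210
vent-02,VxWorks 6.9,transfers,wpa2,ventilation,telemetry,SampleCorp,210
"""

def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def audit_inventory(csv_text):
    """Return {device_id: [findings]} for every device with at least one gap."""
    findings = {}
    for row in _rows(csv_text):
        issues = []
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        if missing:
            issues.append("missing: " + ", ".join(missing))
        if (row.get("wireless_encryption") or "").strip().lower() in WEAK_WIRELESS:
            issues.append("weak wireless encryption")
        if (row.get("vlan") or "").strip() != BIOMED_VLAN:
            issues.append("outside biomedical VLAN")
        if issues:
            findings[row.get("device_id") or "<unknown>"] = issues
    return findings

def quarantine_candidates(csv_text, oem, os_version):
    """Devices sharing OEM and OS version with a device found infected."""
    return [r["device_id"] for r in _rows(csv_text)
            if r["oem"] == oem and r["os_version"] == os_version]

if __name__ == "__main__":
    for dev, issues in audit_inventory(SAMPLE_CSV).items():
        print(dev, "->", "; ".join(issues))
    print(quarantine_candidates(SAMPLE_CSV, "ExampleMed", "Windows XP SP3"))
```

A record with a blank OS version or OEM is reported as a gap rather than silently passed, since an incomplete inventory cannot support the quarantine lookup.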

IMPACT

 Patient safety is paramount for care providers. Ensuring that your biomedical devices are not easily hackable, and that the data they capture, store, or forward have not been tampered with, will result in better patient care and the prevention of potentially crippling network outages.

Feisal Nanji

A seasoned C-Level Technology Risk expert with over 25 years of experience in developing and executing large information security and product development programs. Feisal brings deep knowledge of regulatory frameworks, technology capabilities and process constraints to consistently deliver quality information risk management programs for large health care institutions. He has served as Interim Chief Security Officer for a 14-hospital system with over $5 billion in revenue and conducted multiple security risk assessments for providers of all sizes. At EY he led a team to review and improve the security of an integrated managed care organization’s electronic medical records (EMR) system with over 8 million members and 3 million health records.