Medical Device Security: Best Practices
A New Consortium Leads the Development Effort
The consortium hopes to provide a forum for stakeholders to work together to define the scope of the problem and devise security solutions, says founder Dale Nordenberg, M.D.
"All the medical or provider networks that we have spoken with have experienced malware issues with one or more of their devices," Nordenberg says in an interview with HealthcareInfoSecurity.com's Howard Anderson (transcript below). "As a consequence, [they] felt it was a matter of time before they started to identify an association between malware, security issues and adverse health outcomes."
Medical devices need to be monitored with the same scrutiny as any other equipment on a network. Among the leaders of the consortium are the Department of Veterans Affairs, which has launched an ambitious medical device protection program, and Kaiser Permanente.
In the interview, Nordenberg:
- Describes the goals of the consortium, which will bring together a cross-section of stakeholders;
- Calls for "expanding the dialogue from 'security and privacy' to 'security and safety';" and
- Outlines how the consortium can address the challenges of managing networked devices "so they are secure while still supporting the nation's drive toward interoperable healthcare systems and the meaningful use of healthcare data."
In addition to his role leading the consortium, Nordenberg, a pediatrician, is CEO of Novasano Health and Science, a consulting firm that focuses on leveraging the strategic application of information resources.
Securing Medical Devices
HOWARD ANDERSON: For starters, why is the security of medical devices an issue that is growing in importance?
DALE NORDENBERG: There are two key issues that are converging to cause this increased concern around security of medical devices. The good news is that the innovation across the medical device industry is healthy. We are seeing more and more medical devices, specifically digitally enabled and network medical devices that are good for patients and patient care, being designed, manufactured and implemented in provider networks.
On the one hand, we have an increased number of medical devices in our networks. At the same time, I think most people are aware of the fact that we're hearing more and more about malicious hacking and the generalized presence and prevalence of malware across networks in all industries. And the healthcare industry is not immune to this increased incidence of malware. As a consequence, these two factors are converging to cause increased concern around the issue of security of medical devices on the part of security experts in these healthcare systems.
The other factor that is also present is the fact that these devices are regulated by the Food & Drug Administration, unlike the computer that would sit on an administrator's desk in a hospital, which can be accessed and manipulated by the appropriate networking staff and healthcare system. These biomedical devices and medical devices, which are regulated by the FDA, present a challenge with simple patching and simple malware intrusion detection testing because of concerns over changing the functional specifications of these devices. While the risk is increasing, there are also some barriers to healthcare systems in terms of their being able to aggressively work with these devices.
The Consortium
ANDERSON: Tell us why you decided to launch the consortium. Will your group eventually recommend some best practices for protecting medical devices? And what are your other goals?
NORDENBERG: The consortium was founded because one of the nation's largest providers was starting to express concerns around the risk of adverse health outcomes that may be associated with medical devices that were infected. All the medical or provider networks that we have spoken with have experienced malware issues with one or more of their medical devices. As a consequence, this provider felt it was a matter of time before they started to identify an association between malware, security issues and adverse health outcomes.
In talking with this particular provider, and then, subsequently additional providers, what we realized is that we didn't speak to even one provider that wasn't very enthusiastic about working with their sister organizations around the country to better understand the scope of this problem and to work together to establish a scoping of the problem and solutions to the problem. As a consequence, providers have come together in the context of this consortium, which is being co-led by the VA and Kaiser.
There are three core goals at this point. The first goal is to create a public/private partnership that will include the broad stakeholder community around medical devices. This would include clearly the providers, the healthcare systems that are delivering healthcare to the people of this nation. It would include the manufacturers of the medical devices. It would also include other technology companies, the companies that are producing the chips and other pieces of the medical devices and security companies in the healthcare technology arena. It would include infrastructure companies. It would include academic institutions, research institutions, other not-for-profit organizations or associations, trade associations and also, importantly, patient advocacy organizations. ...
The second goal area is to work together to actually find the scope of this problem. We feel at this point there is not enough data that has been generated around how many devices are out there, how many are getting exposed to malware and how many security intrusions we are getting. We even believe, from an epidemiologic perspective, that we need to come up with clear case definitions, just like we would do with any epidemic - what a problem would be, what problems there are. Then we can rigorously count these from an epidemiological perspective. Ideally we'll do this in controlled environments where we understand the denominator. ... The second goal area is really focused on a series of activities and capability development that will allow us to contribute to the scoping of the problem.
The third goal area is understanding and developing the capability to address the issues identified by our scoping exercises. To that end, the consortium will work together with other cross-stakeholders to build best practices to address the issues related to security and medical devices. What the community realizes already is that no one stakeholder can do this. The manufacturers will have a clear role. They design these devices; they manufacture them. The providers have a clear role. They ultimately buy these, implement them and maintain them. Then at the organizational level and provider networks, what we're discovering is even at that level there are best practices around the organization of the ownership of medical devices. Who is responsible for these? Is it biomedical engineering? Now that they're ... connected to the network, what is the role of technology? What is the role of the security group?
What we're finding is that there are a lot of silos in these organizations. So essentially, when we talk about best practices, it's not just at the manufacturer point but it's best practices at the point of implementation and maintenance as well across the whole life cycle. Additionally, we're very interested in the ability to take this particular issue and bring it to the attention of the chief quality offices and the chief safety officers of the healthcare provider institutions so they can understand that this isn't purely a technical issue, but that this is also a healthcare quality issue. The expression "security and privacy" is something that we've heard now for well over 10 years. It's obviously related to HIPAA, but the expression, "security and safety" is not heard very often. Part of our goal is to expand the dialog from security and privacy to security and safety.
ANDERSON: How can others go about getting involved in your consortium?
NORDENBERG: We have a website, and people can go to it. There's a downloadable brochure that's available. There's also other information available throughout the website, and there's the ability to go to the membership section and get information about how to become a member and fill out a form. We would welcome participation by all stakeholders.
Medical Devices and Networks
ANDERSON: At a recent conference, you said that because so many medical devices are linked to computer networks, and because so many of those networks are linked to others, we have a national biomedical device network that remains largely unrecognized. What are the risks posed by that connectivity and how can they be mitigated?
NORDENBERG: The real issue here is that the medical devices have been developed with their medical functions being the primary focus for stakeholders and manufacturers. They have become digitally enabled; they're network-enabled and finally part of a network. However, they continue to be treated more like medical devices and less like a device on a network. ... While IT departments and staff for healthcare systems at provider enterprises are adept at managing computers on a network, they are expressing significant concern that medical devices are a challenge to manage. The technology best practices that are standard for computers on a network cannot be applied to medical devices on a network for fear of adversely impacting the medical functions of these FDA-regulated devices.
Furthermore, medical devices are often purchased by a department or a product line in the hospital, for example cardiology. It's not uncommon for the IT staff to be the last people to know about the purchase. Interestingly, this often occurs when the medical device shows up on the network and there's a huge spike in network traffic. If you contrast this with the usual hardware that's purchased and implemented by hospitals, most of this is done by the technology departments. And, as a consequence, it's possible for them to factor in issues such as stability, security, safety and the like.
The healthcare system must recognize that medical devices are increasingly a network commodity, often associated with quality of care impact. The medical device stakeholders, including manufacturers, healthcare systems that purchase and implement medical devices and healthcare professionals that use the medical devices are all just starting to recognize that medical devices on their networks must be treated differently than other network devices, for example, computers. In fact, the VA has pioneered isolated medical device networks as a strategy to render their medical devices secure.
Perhaps one of the key contributions of the consortium will be to help providers work together with other stakeholders, such as manufacturers, trade associations, academics and research institutes, to rapidly understand and address the challenges of managing networks for medical devices that are impacting the quality of healthcare for patients around the nation, even among international markets, so they are secure while still supporting the nation's drive toward interoperable healthcare systems and the meaningful use of healthcare data.
Inoperability remains a significant challenge. While institutions are just starting to recognize that they have a large population of medical devices on their networks, it's perhaps even less appreciated that these devices are essentially all interconnected across the nation ... and even beyond our national borders through the Internet. Failure to recognize the emergence of networked medical devices, the unique challenges of managing medical devices on the network, and the fact that networked medical devices have rapidly become so prevalent presents a risk beyond a single device or institution. In fact, a systemic, large-scale malicious attack on medical devices has the potential to cripple affected healthcare systems and may impact care at a city or multi-city level - and thus may even represent a risk to one of our nation's critical infrastructures.
Hacking Medical Devices
ANDERSON: Is there any evidence yet of anyone hacking into medical devices to intentionally cause harm, or is it just a matter of time before that happens?
NORDENBERG: I haven't come across that specific signal incident yet, that first incident where someone has clearly documented that to be the case. But we do have some interesting data points. One is that we know of an instance where hackers went into two different sites that were created for the epilepsy community. They went into these two different websites and they actually created animations that were done with ... animations in a frequency that would be generally accepted to put epileptics at risk for seizures or other neurological events. While one might not traditionally consider a website as a medical device, this is a very clear example of how somebody tampered with technology; they hacked into technology with the explicit intent of causing harm to a population of patients.
The other thing that we know is that there have been multiple reports now in the literature around the fact that some implantable cardiac devices, infusion pumps and other medical devices have been demonstrated to be vulnerable to hacks, both from a wired perspective and a wireless perspective. So we can clearly establish the fact that people do have the intent to cause harm, these devices are vulnerable and it's going to be just a matter of time before we recognize what has likely already been going on, but we haven't been looking closely enough for it yet.
Interim Safety Steps
ANDERSON: Are there practical interim steps that hospitals and others can take right now to improve the security of medical devices while you continue your work in the consortium?
NORDENBERG: There are many resources out there that are starting to emerge. MITA [Medical Imaging & Technology Alliance], a trade organization for device manufacturers, has produced some very good documents around this issue. Going to the MITA website would probably be valuable to discover those documents. There are also emerging standards like the ISO 80001 standard, which is around how providers can start to deal with the issue of security. There are best practices that are emerging from entities such as the VA, where they have worked very hard to create isolated networks of medical devices that would render them better protected and much less exposed to whatever malware would be circulating in their environment. By isolating their medical devices, they obviously experience the issue of decreased inoperability in data sharing. But the VA, as well as Kaiser, our other co-founder, have been on the vanguard of identifying this as an issue.
Roger Baker, the assistant secretary for Veterans Affairs, testified in Congress and provided tremendous leadership around transparency of this particular issue. Understanding or reaching out to colleagues that have been working on this for many years is also very helpful. I think that some of the things that make our consortium unique are that we're provider-driven, we are interested in [leveraging] the tools, standards and best practices that are already out there. ... The consortium, being an organization that's driven by providers, will have the ability to accelerate the understanding, accelerate the adoption and accelerate the development and adoption of the types of interventions that will ultimately render the medical device industry a safer industry.