In the movies, hackers make accessing information look so easy, but healthcare organizations are working as hard as they can to keep their organizations safe from cyberattacks. As medical devices become more advanced in their capabilities, there is an increased need to make them safe and secure when it comes to patients’ information and their safety.
“We now look at devices to make sure they are protecting the information,” said HIMSS Director of Thought Advisory Lee Kim. “Wired or wireless, no matter where the information exists or where it’s going, the information has to be kept secure.”
Medical device security protects them from cyberattacks, so both patients and caregivers have the peace of mind to use the best tools available for healthcare.
Many situations can arise from not having secure devices in healthcare. In the U.S., the Food and Drug Administration tightened security guidelines on them, citing patient safety.
“An example of this is the problem of some medical devices having hard-coded passwords,” Kim said.
She added this could be dangerous when it comes to devices such as those that provide insulin or other devices which are life saving or life sustaining.
“In recent years, the security of medical devices has improved, especially for larger medical device manufacturers,” Kim said.
However, she noted that with smaller or medium-sized manufacturers, one of the challenges could be that security is not necessarily at the forefront of one’s mind.
“Security may be an afterthought after the beta test. Or, you might report a security bug, but it might possibly be ignored by the manufacturer. So, you are left with a vulnerable device—until and if a patch is issued,” Kim said. “The medical device manufacturer, however, has its responsibility in terms of security of the device. However, you need to ensure that the device is as secure as possible on your end as well.”
In addition to having adequate technical controls, Kim believes in having a multi-disciplinary team, including IT, clinicians, legal and procurement to ensure the best device that is appropriate for the organization’s needs is chosen and that any risks associated with the device are adequately mitigated.
“All those hands really need to be on deck and everyone needs to come together and do due diligence, and hopefully the number one priority is that patient safety is kept top of mind,” Kim said.
There are many people involved in ensuring that a device is secure before implementation into a clinical setting. “It’s a shared responsibility,” Kim said.
First and foremost, the manufacturers are responsible for ensuring device safety, and not just in the design phase. “The manufacturer needs to be receptive of any bug reports and other any security concerns,” Kim said.
One of the ways manufacturers communicate the security features of a medical device to purchasers is through an MDS2 Form.
“It’s widely accepted. While it’s not mandatory, it’s helpful when you are in the market to buy a medical device,” Kim said. “It lists the security features of the device, according to the manufacturer.”
Some examples of the questions found on the form include:
“Many medical device manufacturers have the MDS2 Form as part of the marketing of the device to buyers,” Kim said. “It’s meant to ensure that the purchaser has that information in front of them and uses it as part of the due diligence before purchasing the device.”
Questions to consider before purchasing a device include:
And while the MDS2 Form is helpful, it should not be the only research into a device’s security features.
“You may still want to have a demonstration of the device and interview the company about the device, including any security-related questions,” Kim said.
While vetting the best manufacturer is important, there are other best practices both organizations and medical device manufacturers can take when it comes to being mindful about device security.
A penetration tester may be able to uncover vulnerabilities and notify the medical device manufacturer about them. Incentivizing this through bug bounty programs is one way to go. Another proactive measure is to have a coordinated vulnerability disclosure program, such that medical device manufacturers and researchers work together in a coordinated fashion.
“Bug bounty programs are a great way to potentially uncover zero day vulnerabilities and to have the manufacturer fix it before it comes a real problem,” Kim said. Other easier best practices for medical device security include:
“Have as many layers of security as possible to make things more difficult so it’s out of reach and not low-hanging fruit,” Kim said.
December 6–7, 2021 | Boston & Digital
Technology will continue to revolutionize healthcare, but the results will come up short if we don’t also secure critical data and protect patient privacy and safety. Now more than ever, not only do security leaders have to maintain their ongoing duties, but they are also forced to protect rapidly expanding, remote infrastructures from more exploitative cyberthreats and phishing attacks.