When dealing with medical device security, it is important to focus on six areas that will ensure that the entire system — the network environment and the device efficacy — is taken into account.
When dealing with medical device cybersecurity, three quotes by Bruce Schneier, a prominent security expert and author come to mind. These are:
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”
People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.”
“Security is a not a product, but a process”
The burden of medical device cybersecurity is a shared one between the device manufacturer and the organization that is introducing the device on to its IT network. In some cases, that organization can be a large hospital or clinic, but in others it’s the consumer leveraging a connected medical device as part of his or her home care.
One thing to remember when developing devices is that companies need to focus on the entire system by taking into account the network environment of a clinic or hospital as well as the clinical efficacy of the device. There are risks associated with the device itself, as well as how the device interacts with the network and the rest of the hospital or clinic ecosystem.
So, if I had to sum up six key areas to focus on, they would be:
- Ensure that end users are not leveraging default, or shared, passwords on the device or the network that the device is relying on
- Device manufacturers can create workflows to ensure that the passwords in use are sophisticated and difficult to decipher using dictionary attacks.
- In its factory default state, a device should be password protected.
- Discourage the use of Pre-shared keys, WEP (Wired Equivalent Privacy), or TKIP (Temporal Key Integrity Protocol) and rather promote AES (Advanced Encryption Standard) encryption and authentication.
2. Validate that Patient Data is not compromised, or intercepted
- Enforce that data is encrypted in transit as well as while at rest, or being stored on a given device.
3. Scrutinize the Medical device and its susceptibility to attack from within or outside the network
- Manufacturers can take measures to ensure that only secure protocols are used to access the device configuration.
- Work with the hospitals and clinics to implement role based access controls to ensure that a given device can only access what it requires on the hospital or clinic network.
- Work with the hospital to ensure that a defense in depth strategy is in place to protect medical devices and the data they transmit. This means focus on Authentication, Authorization, and Accounting.
4. Identify and understand underlying OS vulnerabilities
- Manufacturers should move away from using backend Operating Systems that are no longer supported such as Windows XP.
- Promote regular security patch management.
- Promote routine security audits and penetration tests.
5. Promoting Redundancy
- Manufacturers can build a layer of redundancy in the device to ensure that if a given communication medium is disrupted, the device can continue to safely and effectively function.
- The network supporting the device should be designed to be highly redundant, and prevent SPOF as much as possible.
6. Focus on Risk Management
- Security is never absolute. There needs to be a process in place identifying the weakest potential link, and pursuing continuous improvement.
- AAMI IEC 80001 is a great roadmap for a robust risk assessment strategy.
It is difficult for medical device manufacturers to mimic a hospital network, so every measure should be taken to test the devices on test beds that are configured as closely as possible to a hospital network, or on the hospital network itself. Hospitals can implement formal risk assessment and device onboarding strategies to help improve cybersecurity.
When dealing with home networks, the burden of running a secure network falls on average consumers which is an unreasonable expectation. This will continue to be an Achilles heel for the cybersecurity of medical devices and patient data.
[Image courtesy of DAVID CASTILLO DOMINICI/FREEDIGITALPHOTOS.NET]
Ali Youssef, PMP CPHIMS CWNE, is senior clinical mobile solutions architect, Henry Ford Health System. He will be speaking on two sessions dealing with cybersecurity at the MD&M Conference, Feb 9-11, at the Anaheim Convention Center, Anaheim, California