Collaboration among healthcare technology stakeholders—from device manufacturers and healthcare delivery organizations to healthcare security intelligence organizations—is needed to integrate medical and IT security requirements and develop a standard security framework for medical device technologies.
The Medical Device Innovation, Safety and Security Consortium (MDISS), the International Society of Automation (ISA), the Health Information Trust Alliance (HITRUST), the National Institute of Standards and Technology (NIST), and others are developing and improving standards to address various aspects of IT security for medical devices, from product design and risk management to IT networks and supply chain risks.
At the Healthcare Information and Management Systems Society (HIMSS) conference in April 2015 there was a tremendous display of both clinical and personal health care devices. All of these devices are intended to collect and share information with services such as health record integration and analysis tools in the cloud.
Devices are built from sub-components that are integrated into a working product, which ends up in a home or clinical network. Once a device is on a clinical network, the health care delivery organization (HDO) or a third party maintains it on an ongoing basis. For security and IT management reasons, the devices should be closely inventoried for asset, vulnerability, and configuration management.
The device manufacturer (and maintenance personnel) will grow in awareness of device threats and vulnerabilities as the U.S. Food and Drug Administration (FDA) message around device concerns continues to trickle through the industry. There’s a layered defense paradigm in play between the security design of the device and the security design of the environment. Are the conversations harmonizing information between these two camps? The answer: Not frequently enough, but it’s getting better.
Practically speaking, there is an economic challenge to improving medical device security. Medical device manufacturers are concerned about the cost increase of building in security and question whether the buyers (clinical departments more so than IT) will tolerate that increase. Government can help establish the message that not investing in security is an unfair trade practice because patients will suffer the consequences of increased risk.
Risk assessments are being performed, but not in a collaborative manner. Common symptoms showing that medical device security is not yet receiving enough attention in the medical device industry are hard-coded passwords, open ports, and debug code left in devices. Manufacturers could be sharing information, especially when there may be many shared common components under the covers. A framework is needed to effectively support the economics of risk management.
MDISS is a collaborative and inclusive nonprofit professional organization committed to “advancing quality health care with a focus on the safety and security of medical devices.” Its mission is stated to “protect public health and wellbeing by advancing computer risk management practices to ensure wide availability of innovative and safe medical devices.” The organization serves providers, payers, manufacturers, universities, government agencies, technology companies, individuals, patients, patient advocates, and associations.
MDISS members include medical device manufacturers, health care delivery organizations, standards organizations, medical device testing companies, service organizations, and device designers. The organization has evolved into a highly collaborative and trusted group capable of addressing complex policy, practice, and technical challenges for medical device security and safety.
MDISS also works closely with key government agencies and non-profit organizations such as the FDA, NIST/NCCOE, HHS, DOD, NHISAC, Center for Internet Security, AAMI (Association for Advancement of Medical Instrumentation), ACCE (American College of Clinical Engineering), SANS, and others.
The Current Conversation Around Regulating Medical Device Security
The conversation is robust and involved… and it is just the beginning. In the US, the FDA is leading the charge and has shared general principles including structured risk management reports outlining identification, inherent risk, control application, and resultant residual risk. Rather than being prescriptive, references to best practices are shared. An informative conference was held in October of 2014. Information from this conference can be viewed at www.fda.gov/downloads/medicaldevices/newsevents/workshopsconferences/ucm419427.pdf.
At the conference, it was clear that the basics are still important: strong authentication, authorization, privileged user, code signing, configuration management, encryption of data, event logging, and incident analysis and response. In addition, the FDA’s guidance recommends assuming the device can be compromised and still safeguarding its critical clinical functions.