Medical device deployments demand a robust security strategy

With the number of connected devices steadily increasing, health systems and hospitals need a comprehensive plan to guard against cyber threats. At HIMSS20, one infosec pro will describe some best practices.
By Nathan Eddy
10:35 AM

Medical devices are a weak link in the security chain, uniquely susceptible to cyberattack. And the stakes – patient lives – couldn't be higher.

Historically, medical devices were standalone and interacted only with the patient. Today they store and transmit data, contain configurable embedded computer systems and are connected to the hospital network, which makes them potentially reachable by anyone on that network and exposed to cyberattack.

Complicating the picture, many are legacy devices that offer no security control options, and the typical medical device inventory lacks the basic IT data (operating system, network connectivity, data stored) needed to assess them. So how can a health system build a robust medical device security program?

"First, know what you have," said Tamra Durfee, director of technology at Enloe Medical Center, who will speak March 10 at HIMSS20.

"Complete a full inventory of all medical devices including capturing the IT data about a medical device. That is where you start in order to be able to assign risk," she said.

Durfee said it's a good idea to work through a medical device governance committee, develop a risk matrix and assign a risk-based score to each medical device.

For example, a medical device running Windows XP – an outdated and unsupported operating system – that stores electronic protected health information (ePHI) and is connected to the hospital network is a greater risk than a device that holds no ePHI and is not connected to the network, she said.

She explained that health providers and hospitals can better prepare for the security issues around connected medical devices by implementing a device security program with strong executive oversight and support from the board.

"This starts with defining the problem, identifying an executive sponsor, establishing goals, and accountability through a medical device governance committee," Durfee noted. "All medical devices should be inventoried, capturing IT data. Then assign a risk-based score based on predefined and agreed-upon criteria; focused on minimizing risk starting with your highest-risk medical devices."

She said the highest-risk medical devices are those connected to the patient and those directly connected to the network. For those, remediation options should be evaluated and action plans created, either to resolve the risk or to implement mitigating controls that reduce it.
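To make the inventory-then-score process concrete, here is an added example of a small risk matrix applied to a constructed device inventory. It is not code from the article or from Enloe Medical Center; the criteria (unsupported OS, network connectivity, ePHI storage, patient connection) come from the article, but the weights, the credit given for mitigating controls, the tier thresholds and the sample records are all assumptions a governance committee would replace with its own agreed criteria.

```python
# Added example (not code from the article or from Enloe Medical Center):
# scoring a medical-device inventory with a simple risk matrix. Criteria
# weights, control credits, tier thresholds and sample records are assumptions.
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Device:
    """One inventory record carrying the IT data the article says to capture."""
    asset_id: str
    model: str
    os: str
    os_supported: bool        # vendor still ships security patches
    network_connected: bool   # reachable from the hospital network
    stores_ephi: bool         # holds electronic protected health information
    patient_connected: bool   # attached to or treating a patient
    controls: Tuple[str, ...] = ()   # mitigating controls already in place


# Assumed weights; a governance committee would agree its own.
WEIGHTS = {
    "unsupported_os": 3,
    "network_connected": 3,
    "stores_ephi": 2,
    "patient_connected": 3,
}

# Assumed credit for a mitigating control, granted only when it addresses an
# exposure the device actually has: control -> (exposure it mitigates, credit).
CONTROL_CREDIT = {
    "network_segmentation": ("network_connected", 2),
    "encrypted_storage": ("stores_ephi", 1),
}


def exposures(device: Device) -> dict:
    """Map each risk criterion to whether the device meets it."""
    return {
        "unsupported_os": not device.os_supported,
        "network_connected": device.network_connected,
        "stores_ephi": device.stores_ephi,
        "patient_connected": device.patient_connected,
    }


def risk_score(device: Device) -> int:
    """Additive score from the matrix, plus one interaction term, minus credits."""
    exp = exposures(device)
    score = sum(weight for key, weight in WEIGHTS.items() if exp[key])
    # An OS that will never be patched and is also network-reachable compounds:
    # a flaw can be exploited remotely and never fixed (assumed +2 term).
    if exp["unsupported_os"] and exp["network_connected"]:
        score += 2
    for control in device.controls:
        key, credit = CONTROL_CREDIT.get(control, (None, 0))
        if key is not None and exp[key]:   # no credit for irrelevant controls
            score -= credit
    return max(score, 0)


def tier(score: int) -> str:
    """Bucket a score for committee reporting (assumed thresholds)."""
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank(devices) -> list:
    """Highest risk first; ties broken by asset ID so the order is stable."""
    return sorted(devices, key=lambda d: (-risk_score(d), d.asset_id))


# Constructed sample inventory for illustration only.
SAMPLE_INVENTORY = [
    Device("MD-0001", "infusion pump", "Windows XP", False, True, True, True),
    Device("MD-0002", "ultrasound cart", "Windows XP", False, True, False, True,
           controls=("network_segmentation",)),
    Device("MD-0003", "imaging workstation", "Windows 10", True, True, True, False,
           controls=("network_segmentation", "encrypted_storage")),
    Device("MD-0004", "pulse oximeter", "vendor firmware", True, False, False, True),
    Device("MD-0005", "otoscope charging base", "none", True, False, False, False),
]


if __name__ == "__main__":
    for d in rank(SAMPLE_INVENTORY):
        s = risk_score(d)
        print(f"{d.asset_id} {d.model:<22} {d.os:<16} score={s:>2} tier={tier(s)}")
```

Run as a script, it prints the constructed inventory ordered from highest to lowest risk, which is the work queue the article describes: the networked Windows XP infusion pump holding ePHI lands on top, and the segmented XP ultrasound cart still scores high because segmentation reduces but does not remove the exposure of an unpatchable OS. Note that a control only earns credit when the device has the exposure it mitigates, so listing "encrypted_storage" on a device that holds no ePHI changes nothing.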

It is important to have reporting and accountability through the governance committee, she added.

"It takes a strong commitment from all to make this a priority and to consistently drive and measure progress regularly," Durfee explained. "Otherwise, the program will lose momentum and stall as the daily business to run a hospital will take center stage, pushing the program to the back burner."

Tamra Durfee will share more medical device security best practices in a HIMSS20 session titled, "How to Build a Medical Device Security Program." It's scheduled for Tuesday, March 10, from noon-1 p.m. in room W311E.