VA, UL collaboration advances case for medical device security standards
The United States Department of Veterans Affairs has millions of patients who receive ongoing, chronic care. With the growth of the internet of medical things, the agency has been able to realize the goal of staying connected to patients while also delivering them care where they live.
But, as has been well-documented, IoMT devices such as connected infusion pumps and other remote monitoring tools have cybersecurity vulnerabilities that can put both protected health information and patient safety at risk.
WHY IT MATTERS
So VA partnered with UL, the private-sector safety certification company, for a two-year cooperative research project that led to the publication this past week of a report highlighting the value of standards for medical device cybersecurity.
The report notes that some IoMT devices are constantly connected to the network, while others only update periodically. And equipment, once relegated to the physical confines of a hospital, now operates remotely from the home or even as a wearable device on a patient’s body.
As the world that IoMT devices inhabit expands, the ability of healthcare organizations to control and secure the networks those devices connect to shrinks.
As part of the project, UL conducted a simulated attack on an infusion pump certified to UL's 2900 series of standards, in an effort to ascertain the strength of existing standards as well as the risk landscape that continues to present new challenges for connected devices.
Among the takeaways from VA's collaboration with UL: VA's use of UL 2900 and the related product testing and certification can help speed adoption of innovative new healthcare technologies, thanks to better pre-procurement vetting and post-procurement product management.
Researchers also found that testing and certification to UL 2900 offered VA decision-makers greater confidence in the product development process, security control design evaluation and post-market patch management support being offered by manufacturers.
Compliance with UL 2900 also enhanced endpoint security and improved the balance of network security controls with product security controls, according to researchers, offering a more efficient allocation of cybersecurity resources, focused on priority threats to veterans’ security and safety.
THE LARGER TREND
An organization with as large a footprint as the VA can see massive reductions in the cost of providing care by innovating in its use of remote monitoring, especially for patients in rural areas, while also greatly enhancing the attention given to chronic conditions through connected devices.
But a new portfolio of devices that have their own connectivity requirements means taking on an entirely new host of security risks. And as thousands of new devices are adopted, it's not just the immediate risks that must be considered, but their entire product life cycles.
How an IoMT device handles patching, or security best practices that emerge years into its deployment, can greatly affect ROI as well as the need for ongoing security vigilance.
The VA-UL report found that the security landscape still comprises a patchwork of industry groups, government policy and organizational best practices. For a provider of the VA's scale, waiting for a cohesive set of security standards to emerge is not an option when it is procuring and rolling out a large number of new devices.
Instead, developing a set of standards for procurement and operation is necessary so that a hospital can streamline device acquisition. UL found that adopting certain security processes and standards eliminated guesswork and gaps in protection between the different devices that make up an IoMT network.
Strategies for implementing remote care need to be all-encompassing, but are often built from the ground up. Unlike legacy networked devices that generally stay put within a hospital building, IoMT devices go where their patients go and can spend much or all of their lives outside a secure medical network.
Because software and connectivity standards vary so much from one manufacturer to the next, a healthcare organization needs to settle on its own set of standards for IoMT security.
Coordinating with a broader group of stakeholders (other hospitals, device manufacturers, patients) to address a wide range of use scenarios and security needs also enhances buy-in and fosters a culture of security.
ON THE RECORD
The VA and UL collaboration "helped us uncover new insights and further accelerate the sharing of medical device cybersecurity information, standards and lifecycle requirements with the intention of benefiting not only the VA hospital system but also the larger U.S. healthcare system of providers and manufacturers," said Anura Fernando, chief innovation architect, life and health sciences at UL.
"As the VA is dedicated to the safety and security of veterans, this report is reflective of two years of close collaboration among private and public sector experts in healthcare and cybersecurity," said Marc Wine, director, Technical Integration Support and Industry Liaison, U.S. Department of Veterans Affairs. "The report findings will help the VA ensure safety for its patient community while also serving as a model for how we can continue to drive innovation within the larger healthcare ecosystem."
Prepare for next-gen cybersecurity threats and join the #HITsecurity discussion at the HIMSS Healthcare Security Forum this Dec. 9-10 in Boston.