Webinar: Medical devices and security challenges
Today's health IT infrastructure is experiencing a proliferation of IP devices—“the internet of things,” said David Finn, HIT officer at Symantec and former vice president and CIO at Texas Children’s Hospital, during a Health Information & Management Systems Society (HIMSS) webinar exploring the security implications of medical device data systems.

The increasing level of connectivity among medical devices poses unique security challenges because if these devices are compromised, they can impact patient care through impaired functionality and lower performance or reliability. This can affect diagnoses, delivery of medication, therapy or other elements of patient care, said Finn.

The webinar, sponsored by Symantec, was part of a HIMSS series examining the FDA’s new Medical Device Data Systems rule and its implications for healthcare organizations. On Feb. 15, the FDA published a final rule reclassifying medical device data systems, a new category of medical devices that act as a conduit for communication of electronic data obtained from other medical devices.

“Healthcare organizations today need to be concerned about some specific scenarios. First is the security of the device itself,” Finn said. “If a device operation or performance is compromised as a result of a cyber-attack or a malware outbreak, you can have some serious implications—the device architecture, communication channels and integration with the larger network are critical things to consider when you assess the risk of a device.”

Privacy is also an issue around medical devices, he added. Compromise of protected health information (PHI) stored in the device or communicated between the device and the network is a risk for exposure.

New developments in cybercrime mean you can’t be too cautious: “We are witnessing today significant shifts in the cyber-threat landscape and underground economy,” said Finn. Today’s attacks are targeted and more stealthy than in years past, he said. “Data stored in medical devices might not be of the same level of interest to a cyber-criminal as you’d find in an EHR or a financial system, but because medical devices are difficult to protect and patch, they can very quickly become an unintended casualty during a cyber-attack.”

Even the newer medical devices in use today were designed based on the security paradigm in use several years ago, Finn added.

What’s a healthcare organization to do? Evaluate devices and systems and create a single source of medical device information, said Pamela Arora, VP and CIO at Children’s Medical Center in Dallas, a 559-bed private, not-for-profit pediatric healthcare provider.

“We’ve had over 4,500 attacks this year [and] we’re not even through April. This is something we need to guard against,” Arora said. To protect its medical devices and data, Children’s uses firewall, virtual LAN and DMZ technology. “You can’t move fast enough because there’s so much going on right now. Organizations have to get their arms around PDAs, laptops, and it’s not just the software that needs to protect the organization—it’s also [ensuring] the individual users understand their accountability and protect PHI,” she added.

“From a governance standpoint, if our organization is going to deliver the right care in the right place at the right time, we need to equip clinicians with the right tools in an environment for reliable care delivery.”

As part of its governance processes, Children’s has capital committees that determine whether purchases can be aggregated for cost savings, and if standards can be put in place. “Our equipment advisory committee covers both medical and nonmedical equipment, such as facilities purchases,” Arora said. The equipment advisory committee has members from the supply chain group as well—primarily vice presidents and senior directors, she added.

“With biomedical devices, when you’re talking 18,000 devices and some of them are more than 10 years old, sometimes you want to look at refresh cycles in aggregate. So the governance processes are incredibly important,” she said. “They can be iterative…but when you’re trying to get your arms around these types of solutions, beyond getting agreement on IT software solutions that you might want to capture assets and get information aggregated, these committees also help instill standards that are going to help you get to your goals.”

In addition, Children’s moved its biomedical support into the hospital’s IT department. “Increasingly, we’ll have more devices that will have a software element that needs to integrate with our EMR,” said Arora.

Then there’s the data itself. “We’re on our fourth asset management system within a half-dozen years. You have to keep scrubbing the data because if a biomedical device [gets lost or stolen], you have to be able to get that information as to whether it has PHI.” Having “a single source of truth” for device information saves having to hunt it down in the event of a breach. “Instead of having to look at three sources, we’ve been able to get focused on a single source of truth,” Arora added.
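To make the “single source of truth” idea concrete, the following Python script is an added example written for this page; it is not tooling from Children’s Medical Center or Symantec. It assumes three inventory exports (a biomedical maintenance system, a network scan, and purchasing records) that can be joined on serial number; the source names, field names and sample records are all constructed. It merges the exports into one record per device, refuses to silently overwrite a field when two sources disagree, answers the lost-or-stolen question “does this device hold PHI?”, and lists devices past a refresh age so they can be reviewed in aggregate.

```python
from datetime import date

# Constructed sample exports from three inventory sources (not real data).
BIOMED_CMMS = [
    {"serial": "SN-1001", "model": "Infusion pump", "stores_phi": True, "purchased": "1999-03-01"},
    {"serial": "SN-1002", "model": "Patient monitor", "stores_phi": True, "purchased": "2009-06-15"},
    {"serial": "SN-1003", "model": "Ultrasound cart", "stores_phi": False, "purchased": "2007-01-20"},
]
NETWORK_SCAN = [
    {"serial": "sn-1001", "ip": "10.20.0.15", "vlan": "biomed-41"},
    # The scan tool thinks this cart stores PHI; the CMMS says it does not.
    {"serial": "sn-1003", "ip": "10.20.0.22", "vlan": "biomed-41", "stores_phi": True},
    # Seen on the network but unknown to the CMMS and purchasing: an inventory gap.
    {"serial": "sn-1004", "ip": "10.20.0.30", "vlan": "biomed-42"},
]
PURCHASING = [
    {"serial": "SN-1001", "purchased": "1999-03-01"},
    {"serial": "SN-1002", "purchased": "2009-06-15"},
    {"serial": "SN-1003", "purchased": "2007-01-20"},
]


def normalize_serial(serial):
    """Serial number is the join key; systems differ in case and whitespace."""
    return serial.strip().upper()


def merge_inventories(named_sources):
    """Merge {source_name: [records]} into {serial: entry}.

    entry["fields"] holds the first value reported for each field and
    entry["origin"] remembers which source reported it.  When a later source
    reports a different value, both values land in entry["conflicts"] instead
    of one overwriting the other.
    """
    merged = {}
    for source, records in named_sources.items():
        for rec in records:
            key = normalize_serial(rec["serial"])
            entry = merged.setdefault(
                key, {"serial": key, "sources": [], "fields": {}, "origin": {}, "conflicts": {}}
            )
            entry["sources"].append(source)
            for name, value in rec.items():
                if name == "serial":
                    continue
                fields = entry["fields"]
                if name in fields and fields[name] != value:
                    conflict = entry["conflicts"].setdefault(
                        name, {entry["origin"][name]: fields[name]}
                    )
                    conflict[source] = value
                elif name not in fields:
                    fields[name] = value
                    entry["origin"][name] = source
    return merged


def phi_status(inventory, serial):
    """Answer for a lost or stolen device: 'yes', 'no', 'unknown' or 'conflict'."""
    entry = inventory.get(normalize_serial(serial))
    if entry is None:
        return "unknown"      # in no source at all: an inventory gap to close
    if "stores_phi" in entry["conflicts"]:
        return "conflict"     # sources disagree; treat as PHI until resolved
    if "stores_phi" not in entry["fields"]:
        return "unknown"
    return "yes" if entry["fields"]["stores_phi"] else "no"


def missing_from(inventory, source):
    """Serials seen by some source but not by `source`, e.g. on the network but not in the CMMS."""
    return sorted(s for s, e in inventory.items() if source not in e["sources"])


def refresh_candidates(inventory, today, max_age_years=10):
    """Serials whose purchase date is older than max_age_years, for aggregate refresh planning."""
    out = []
    for serial, entry in sorted(inventory.items()):
        purchased = entry["fields"].get("purchased")
        if purchased is None:
            continue
        age_years = (today - date.fromisoformat(purchased)).days / 365.25
        if age_years > max_age_years:
            out.append(serial)
    return out


if __name__ == "__main__":
    inv = merge_inventories({"cmms": BIOMED_CMMS, "network": NETWORK_SCAN, "purchasing": PURCHASING})
    for serial in sorted(inv):
        print(serial, "PHI:", phi_status(inv, serial), "conflicts:", inv[serial]["conflicts"])
    print("not in CMMS:", missing_from(inv, "cmms"))
    print("older than 10 years on 2011-04-15:", refresh_candidates(inv, date(2011, 4, 15)))
```

The design choice worth noting is that a disagreement between sources is surfaced as a conflict rather than resolved by “last writer wins”; the scrubbing Arora describes is exactly the work of clearing those conflicts and the devices that appear in only one source.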

“We’re constantly honing our process to say if you’re using the data, you’ve got to keep working to get it right.”