
Cybersecurity of medical devices: The new threat landscape

Medical devices can enter the organization through many different channels other than IT. Experts discuss medical device cybersecurity and the FDA's guidance.

Karl West believes "medical devices are the new threat landscape."

The CISO at Intermountain Healthcare in Salt Lake City, Utah, explained that the influx of medical devices into health organizations, often without the knowledge of IT, may be adding to existing security problems. Experts agree that precautions concerning the cybersecurity of medical devices need to be taken on the part of the provider and the medical device manufacturer.


West explained that, compared to the more traditional sources of vulnerability within a healthcare organization -- such as endpoints like computers vetted by IT -- there are seven or eight times more medical devices, which usually do not pass through the IT department first.

"What most healthcare [organizations] are doing right now is trying to wrap their arms around this new risk," West said. "It's significant."

Experts said that while one concern is that these devices usually don't enter an organization's environment through the IT department -- West explained they usually come in directly through specific departments such as ophthalmology or anesthesiology -- another concern is that the U.S. Food and Drug Administration's (FDA) guidance on medical device security is lacking.

The FDA's medical device guidance and post-guidance

West and Mike Nelson, vice president of Healthcare Solutions at DigiCert, a security certification company located in Lehi, Utah, explained that the FDA's medical device guidance used to focus mainly on patient safety and that, while patient safety is important, many in health IT are currently more concerned about securing healthcare organizations and protecting them from data breaches.


"We're concerned about vulnerability, task management, the ability to keep these devices current, to scan them for virus[es] and malware," West explained.

But because the FDA's guidance used to focus on patient safety rather than on the critical security protocols that medical device manufacturers should be following, both West and Nelson explained, manufacturers had no motivation to implement security features such as updates or patching.

However, the FDA recently released its Postmarket Management of Cybersecurity of Medical Devices guidance, which the experts believe will help push manufacturers to better update and patch their devices.

"I think manufacturers have used the FDA potentially imposing additional regulatory burdens as a reason for not updating and doing patch management with their existing devices," Nelson said. "But the FDA has now cleared this impediment."

In other words, the postmarket guidance clarifies the FDA's requirements for manufacturers; therefore, there is no reason for manufacturers not to update devices and outfit them with the correct security protocols.


However, West doesn't think the postmarket guidance goes far enough: it still focuses too much on patient safety and not enough on what many in healthcare are worried about, namely data breaches and data loss.

West said the guidance needs to address not only that the devices sitting in a hospital's environment are a potential threat to patient safety, but also that they are a threat to the patient's data and protected health information. "That wasn't addressed or even discussed with respect to access to patients' data," West said.

Precautions providers can take

While it may seem that the security of medical devices is out of the provider's hands -- since it's up to the manufacturer to put the correct security protocols in place on the device itself -- West said providers can take steps to better ensure the cybersecurity of medical devices.

The first step is for providers to take inventory of all the medical devices that exist in their environment. West said it can take some time to find all the devices that may have crept into a healthcare organization from so many different places.

Once a healthcare organization has -- hopefully -- found every medical device in its organization, then it can assess the risk of each device.

"Which means you've got to classify the data that's on those devices," West said. "What kind of data is being stored? Is it persistent? Is it static? Is it dynamic? What is the category of risk that we assign to the device based on the understanding of data and location and then motion of data?"

Once the assessment of risk for each device has been made, West said, the next step is to identify what security controls exist, if any.

"In fact, many of the devices that are in the hospitals came out before the guidance that we've referenced," he said. "So there may or may not be any controls. And by controls what I'm talking about is the ability to put a password on, ability to put encryption on the device, [and] ability to update and manage the vulnerabilities."
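The three steps West describes -- inventory, data-based risk classification, and a check for the controls he names (password, encryption, update and vulnerability management) -- can be turned into a simple assessment routine. The script below is an added illustration, not code from the article or from Intermountain Healthcare; the device records, the point values and the risk thresholds are all constructed assumptions, and a real program would draw the inventory from network discovery and asset records rather than from a hard-coded list.

```python
from dataclasses import dataclass

# One row of the medical device inventory. The "known_to_it" flag models
# West's point that most devices arrive through clinical departments and
# never pass through the IT department. All fields are constructed.
@dataclass
class MedicalDevice:
    name: str
    department: str
    known_to_it: bool          # did IT vet this device before deployment?
    stores_phi: bool           # holds protected health information
    persistent: bool           # data remains on the device after use
    dynamic: bool              # data moves, e.g. exported to other systems
    network_connected: bool    # reachable from the hospital network
    password_protected: bool   # control 1: can a password be set?
    encrypted_at_rest: bool    # control 2: can the stored data be encrypted?
    patchable: bool            # control 3: can vulnerabilities be managed?


# Constructed sample inventory: four devices from different departments.
INVENTORY = [
    MedicalDevice("OCT retinal scanner", "ophthalmology", False,
                  True, True, True, True, False, False, False),
    MedicalDevice("Anesthesia workstation", "anesthesiology", True,
                  True, False, True, True, True, True, True),
    MedicalDevice("Infusion pump", "nursing", False,
                  False, False, True, True, True, False, False),
    MedicalDevice("Portable pulse oximeter", "cardiology", False,
                  False, False, False, False, False, False, False),
]


def unregistered_devices(inventory):
    """Step 1: devices that crept in without IT's knowledge."""
    return [d for d in inventory if not d.known_to_it]


def risk_score(device):
    """Step 2: score from the data questions West lists (assumed weights).

    What data is stored, is it persistent, is it in motion, and where is
    the device (here: on the network or not)?
    """
    score = 0
    if device.stores_phi:
        score += 3
    if device.persistent:
        score += 2
    if device.dynamic:
        score += 1
    if device.network_connected:
        score += 2
    return score


def risk_category(score):
    """Map a score to a category; thresholds are assumptions."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"


def missing_controls(device):
    """Step 3: which of the three named controls are absent."""
    gaps = []
    if not device.password_protected:
        gaps.append("password")
    # Encryption matters most where PHI is actually stored on the device.
    if device.stores_phi and not device.encrypted_at_rest:
        gaps.append("encryption")
    if not device.patchable:
        gaps.append("vulnerability management")
    return gaps


def assess(inventory):
    """Full assessment, highest risk first, so remediation can be ordered."""
    rows = []
    for d in inventory:
        score = risk_score(d)
        rows.append({
            "name": d.name,
            "department": d.department,
            "known_to_it": d.known_to_it,
            "score": score,
            "risk": risk_category(score),
            "missing_controls": missing_controls(d),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    print("Devices not vetted by IT:",
          [d.name for d in unregistered_devices(INVENTORY)])
    for row in assess(INVENTORY):
        print(f"{row['name']:<26} {row['department']:<15} "
              f"risk={row['risk']:<8} gaps={row['missing_controls']}")
```

The output lists the ophthalmology scanner first: it holds persistent PHI, is networked, and has none of the three controls, which is exactly the "came out before the guidance" case West describes. A device with no controls but no stored PHI and no network connection lands at the bottom, so the same rubric that finds the worst device also keeps the remediation list proportionate.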
