
Healthcare CISO discusses security challenges for medical devices

Healthcare organizations need to connect procurement and cybersecurity to avoid common mistakes that could compromise medical device security, says a healthcare CISO.

Security challenges for medical devices weigh heavily on some health IT experts' minds, especially because many of these devices lack the security features needed to protect patient data. Furthermore, with the arrival of the internet of things and the push to reach and care for patients through various technologies, telemedicine for example, the attack surface has widened.

Karl West, CISO at Intermountain Healthcare in Salt Lake City, discussed the common mistakes healthcare organizations make that contribute to the security challenges for medical devices, as well as the security concerns that come with IoT and the movement to reach patients through various technologies.

What are the common mistakes healthcare organizations make that cause security challenges for medical devices?


Karl West: There are a couple of common mistakes being made around medical device security. First, these medical devices fall outside the traditional IS (information systems) controls. The common processes that we have in place for our servers, for our routers, for our endpoints don't include these medical devices. Those critical cyber processes that need to be comprehended are procurement, asset management, asset inventory, lifecycle maintenance, patching, asset disposition and common security controls. Those are things that happen in all of the other cyber programs and on traditional endpoints and servers, but these medical devices generally come in through very different procurement channels. Right from the beginning we need to get procurement and cybersecurity looped in. Then we can establish asset management, lifecycle management, patching, disposition, maintenance, monitoring and vulnerability scanning. Those are traditional cyber processes that exist in most organizations that are being either overlooked or not comprehended for these devices, because medical devices fall in an organization that is outside of IS. The mistake is not connecting medical devices to critical cyber processes.
I think the other thing to note is the relationship of vendors and providers. That relationship has been strained in the past as we tried to understand the cyber-risk and the controls surrounding these medical devices. I think the relationship today is much better than it was a year ago, and significantly better than it was two or three years ago. Providers and vendors are sitting down. We're having healthy cyber-risk discussions. We're beginning to share device specifications and vulnerabilities. Those are the things that are going to help us to improve this.
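The gap West describes, devices that come in through a clinical procurement channel and never get connected to the inventory, patching, monitoring, scanning and disposition processes, can be checked mechanically by reconciling three data sets: what purchasing bought, what the IS asset inventory knows, and what is actually on the clinical network. The following is an added example written for this page, not code from Intermountain Healthcare or from the interview; every record in it (asset tags, departments, MAC and IP addresses, dates) is constructed, and the field names are assumptions about how such records might be kept.

```python
"""Reconcile medical-device procurement, the IS asset inventory and passive
network discovery to find devices that sit outside the standard cyber processes.
Added example with constructed data; field names are assumed, not a real schema."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Procurement:           # what purchasing knows about a device
    asset_tag: str
    model: str
    department: str
    channel: str             # "IS", or a clinical channel such as "Anesthesiology"


@dataclass
class InventoryRecord:       # what the IS asset inventory / CMDB knows
    asset_tag: str
    patch_group: Optional[str]      # None = not enrolled in any patching cycle
    monitored: bool                 # feeds logs/alerts to security operations
    scan_scope: bool                # included in vulnerability scanning
    end_of_support: Optional[date]  # vendor end-of-support, if known
    disposed: bool = False          # asset disposition completed


@dataclass(frozen=True)
class NetObservation:        # what passive discovery saw on the clinical VLAN
    mac: str
    ip: str
    asset_tag: Optional[str]  # None = could not be matched to any asset tag


def reconcile(procured: List[Procurement], inventory: List[InventoryRecord],
              observed: List[NetObservation], today: date) -> Dict[str, list]:
    """Return one list of findings per cyber process the device is missing from."""
    inv = {r.asset_tag: r for r in inventory}
    findings: Dict[str, list] = {
        "procured_not_inventoried": [],  # bought, but IS never heard of it
        "seen_not_inventoried": [],      # on the network, no inventory record
        "disposed_but_online": [],       # disposition closed, device still live
        "not_patched": [], "not_monitored": [], "not_scanned": [],
        "past_end_of_support": [],
    }
    for p in procured:
        if p.asset_tag not in inv:
            findings["procured_not_inventoried"].append((p.asset_tag, p.channel))
    for o in observed:
        if o.asset_tag is None or o.asset_tag not in inv:
            findings["seen_not_inventoried"].append((o.mac, o.ip))
        elif inv[o.asset_tag].disposed:
            findings["disposed_but_online"].append(o.asset_tag)
    for r in inventory:
        if r.disposed:
            continue                     # retired assets need no controls
        if r.patch_group is None:
            findings["not_patched"].append(r.asset_tag)
        if not r.monitored:
            findings["not_monitored"].append(r.asset_tag)
        if not r.scan_scope:
            findings["not_scanned"].append(r.asset_tag)
        if r.end_of_support is not None and r.end_of_support < today:
            findings["past_end_of_support"].append(r.asset_tag)
    return findings


def run_example() -> Dict[str, list]:
    """Constructed records illustrating each way a device can fall through the gaps."""
    procured = [
        Procurement("MD-1001", "infusion pump", "Oncology", "IS"),
        Procurement("MD-1002", "anesthesia workstation", "Surgery", "Anesthesiology"),
        Procurement("MD-1003", "hearing-test unit", "Audiology", "Audiology"),
        Procurement("MD-1004", "ultrasound cart", "Radiology", "IS"),
    ]
    inventory = [
        InventoryRecord("MD-1001", "medical-monthly", True, True, date(2027, 1, 1)),
        InventoryRecord("MD-1003", None, True, False, None),
        InventoryRecord("MD-1004", "medical-monthly", False, True, date(2019, 6, 30)),
        InventoryRecord("MD-0999", "medical-monthly", True, True, None, disposed=True),
    ]
    observed = [
        NetObservation("02:00:00:00:00:01", "10.20.1.11", "MD-1001"),
        NetObservation("02:00:00:00:00:02", "10.20.1.12", "MD-1002"),
        NetObservation("02:00:00:00:00:03", "10.20.1.13", None),
        NetObservation("02:00:00:00:00:04", "10.20.1.14", "MD-1003"),
        NetObservation("02:00:00:00:00:05", "10.20.1.15", "MD-0999"),
    ]
    return reconcile(procured, inventory, observed, today=date(2024, 1, 15))


if __name__ == "__main__":
    for process, items in run_example().items():
        print(f"{process:26s} {items}")
```

Each finding maps to one of the processes West lists: the anesthesia workstation bought through a clinical channel is both procured-but-not-inventoried and seen-on-the-network-but-unknown, which is exactly the "different procurement channel" failure, while the retired device still answering on the clinical VLAN shows disposition that was closed on paper only. In practice the three inputs would come from the purchasing system, the CMDB and a passive discovery tool rather than constructed lists.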

With the push to care for patients via different types of technologies to address specific needs, are you concerned about the security challenges for medical devices this movement will bring?

West: Yes, very concerned, and the internet of things is a part of this growing concern. All of the devices that are flooding the market are good for health outcomes, but they do pose a significant challenge to cybersecurity. Those new devices are going to transform and improve our ability as caregivers in the home, in the hospital and in the ambulatory care setting. This technology advancement is going to improve our ability to deliver better care, and to have greater information to solve care issues. Today, we can't comprehend this digital transformation fully, as the technology is advancing so rapidly. What you're describing, the questions you're asking, that is at the heart of understanding the digital mobile transformation and protecting the associated devices. We have got to have better communications between device manufacturers and providers, better risk assessments and better threat intelligence about these devices. In the near future, that threat intelligence will need to be shared openly between vendors and providers.

One significant challenge is that these medical devices come in through multiple channels: often through homecare or a caregiver, sometimes an anesthesiologist or an ophthalmologist, perhaps into an audiology department. They come in as a result of the need for a device to monitor and manage the specific needs of a patient at home, in the hospital or in a clinic. The transformation of care and evolution of digital technology does create a large opportunity and a problem. The device manufacturers and providers must work together to understand risk and protect our patients and their data. That is the only way we're going to understand and solve all these medical device issues.
