In recent years, automated biomedical devices have proliferated throughout the industry as organizations have looked to optimize staffing levels and practitioners have tried to get more timely and accurate information. Biomedical devices allow for the real-time capture and transmission of healthcare information aimed at providing better care and allowing a more efficient, hands-off monitoring of patients in home, ambulatory and in-patient settings. However, they can be a source of risk to an organization because they deliver vitals from patients and, in some cases, medication to patients. The risks go beyond privacy to patient safety. Here are some things to take into account when securing these devices.
They are just computers; treat them as such: Most automated biomedical devices are little more than a repackaged PC. They usually run some form of Windows or Linux, so the risks that apply to any other computer running those operating systems apply to them as well. They should be subject to the same policies you apply to your other computing environments.
There have been documented cases of insulin pumps and implants being hacked. My own security team cracked the root password of an IV pump running a Linux variant in less than five minutes. Can you imagine the patient harm that could be done with this level of access?
Understand maintenance responsibilities: You need to understand who is responsible for applying patches to the operating system and application. Is it your team? Is it the vendor? Have a plan for verifying that the devices are being kept current against the latest operating system vulnerabilities and malware threats.
Run only on secure wireless protocols: Make sure the wireless capability of your devices supports current wireless protocols. Do not run Wired Equivalent Privacy (WEP) on any wireless device. Segregate your wireless biomedical devices from any public networks and, when possible, from other data networks, to reduce the risk of personal (bring-your-own) devices infecting them.
Ensure your vendors understand your security requirements: Make sure your biomedical device vendors understand your security requirements and can meet them. Get this in writing and have a plan to verify compliance.
Keep tight inventory control: Many of these devices are portable. Make sure you know where they are at all times, and physically secure them when they are not in use.
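The maintenance, wireless and inventory points above all reduce to questions a device register can answer: who patches each device and how recently, which wireless mode it uses, which network segment it sits on, and where it physically is. The following policy check is an added example, not code from the original article; it assumes the inventory is exported as records with the field names used here, and every asset id, segment name and date in the sample data is constructed for illustration.

```python
"""Policy check over a biomedical device inventory (added example).

Assumes each device record carries the fields used below; field names,
thresholds and the sample records are constructed, not from any real
inventory or vendor export.
"""
from datetime import date, timedelta

# Wireless modes the policy accepts. WEP and open networks are not on the list.
ACCEPTABLE_WIRELESS = {"WPA2-Enterprise", "WPA3-Enterprise", "WPA2-PSK", "WPA3-SAE"}

# Longest acceptable gap since the last verified OS/application patch (assumed policy value).
MAX_PATCH_AGE = timedelta(days=90)

# Network segments that carry guest, BYOD or general data traffic (constructed names).
SHARED_SEGMENTS = {"guest", "corp-data", "byod"}

# Constructed sample inventory: one compliant device, one with several gaps,
# and one wired-only device in storage.
SAMPLE_INVENTORY = [
    {"asset_id": "PUMP-001", "type": "infusion pump", "os": "Linux",
     "wireless": "WPA2-Enterprise", "segment": "biomed", "maintainer": "vendor",
     "last_patched": "2024-01-10", "location": "ICU bay 3"},
    {"asset_id": "MON-017", "type": "patient monitor", "os": "Windows",
     "wireless": "WEP", "segment": "corp-data", "maintainer": "",
     "last_patched": "2023-06-01", "location": ""},
    {"asset_id": "PUMP-002", "type": "infusion pump", "os": "Linux",
     "wireless": None, "segment": "biomed", "maintainer": "clinical-eng",
     "last_patched": "2024-02-20", "location": "Storage room B"},
]


def check_device(dev, today):
    """Return the list of policy findings for one device record (empty if compliant)."""
    findings = []

    # Wireless: a device without radio (None) passes; WEP/open/unknown modes fail.
    wireless = dev.get("wireless")
    if wireless is not None and wireless not in ACCEPTABLE_WIRELESS:
        findings.append(f"wireless mode {wireless!r} not allowed")

    # Segmentation: biomedical devices should not share a segment with guest/BYOD/data traffic.
    if dev.get("segment") in SHARED_SEGMENTS:
        findings.append(f"on shared network segment {dev['segment']!r}")

    # Maintenance responsibility must be assigned to someone (your team or the vendor).
    if not dev.get("maintainer"):
        findings.append("no patch maintenance owner recorded")

    # Patch currency: no record, or a record older than the threshold, is a finding.
    last_patched = dev.get("last_patched")
    if not last_patched:
        findings.append("no patch record")
    else:
        age = today - date.fromisoformat(last_patched)
        if age > MAX_PATCH_AGE:
            findings.append(f"last patch {age.days} days ago")

    # Inventory control: every portable device needs a known physical location.
    if not dev.get("location"):
        findings.append("physical location unknown")

    return findings


def audit(inventory, today):
    """Map asset_id -> findings for every device that has at least one finding."""
    report = {}
    for dev in inventory:
        findings = check_device(dev, today)
        if findings:
            report[dev["asset_id"]] = findings
    return report


if __name__ == "__main__":
    for asset_id, findings in audit(SAMPLE_INVENTORY, date(2024, 3, 1)).items():
        print(asset_id)
        for finding in findings:
            print("  -", finding)
```

Running the audit against the constructed sample with a reference date of 2024-03-01 reports only MON-017, with five findings (WEP, shared segment, no maintainer, stale patch, unknown location); the wired-only pump in storage passes because a device with no radio is not held to the wireless rule. The thresholds and segment names are the part to adapt to your own policy.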
FDA certification does not mean you cannot secure the device: A common misconception, propagated by some biomedical device vendors, is that applying security controls such as antivirus software is not allowed because the device was not certified by the FDA with them. This is false. In November 2009, the FDA published guidance that stated: "While updates or patches may still require internal validation and approvals, the FDA has clarified that no such approval is necessary from the FDA itself."