By Jessica Davis, Health IT Security | April 3, 2019

With its HIMSS19 release of the information blocking rule, the Office of the National Coordinator set the ball in motion on greater interoperability in the healthcare sector. But as some health stakeholders have pointed out, greater data sharing may also introduce privacy and security concerns.

As Mac McMillan recently told HealthITSecurity.com, “We’re already seeing healthcare organizations’ risk rising as a result of all of the service providers, organizations, applications, and individuals that now are connected to their networks.”

“Increasing interoperability, data sharing and use of commercial products through more APIs is just expanding the attack surface further without protective measures when there are no prescribed standards or security protocols that developers have to follow,” he added.

HEALTH IOT, MEDICAL DEVICE RISK

To Medigate’s Jonathan Langer, the risk from increased connectivity is most significant for medical devices and health IoT. As recently pointed out by CHIME and AEHIS, regulators need to better understand that the risk posed by medical devices extends to the entire network and presents a real risk to patient safety.

“Medical devices reach beyond the physical device to networks, firewalls, apps, etc,” Langer said. “Securing these devices requires a deeper understanding of how their connectivity and role in patient care ultimately impacts a hospital’s cyber risk.”

In response to that risk, ONC should work with other regulators and healthcare stakeholders to draft guidance with best practice methods to better secure hospital networks, including guidelines to secure all IoT devices connected to the network, Langer explained.

IoT devices include smart beds, printers, and clinical and medical devices such as smart pumps, he said. As seen in recent studies, IoT devices (including ultrasound machines and infusion pumps) pose a serious risk to health IT networks and patient safety.

Often, healthcare organizations unnecessarily introduce risk by adding IoT devices without considering their security. Most often, it’s due to a lack of understanding of the risk, as well as departments failing to include the security team when purchasing smart devices.

Langer argued that guidance can drive awareness and reduce that risk, but regulators need to work together with stakeholders to create the most effective guidelines.

The power of collaboration was most recently seen with the Department of Health and Human Services’ voluntary cybersecurity guidance, which is “comprehensive, yet pragmatic” as it “empowers HDOs to protect their corporate and clinical devices,” Langer explained. This same mindset should be applied to drafting the IoT and medical device guidance.

“Regulators should begin with the most imminent risk to patient safety while taking care not to lose sight of the industry goal of improving patient care,” Langer said. “When it comes to interoperability, risks increase for hospitals without clear insight into which devices can and should be interacting with each other.”

“For example, a soda machine should never transmit data to a fetal heart monitor – that is a clear indication of a security breach,” he continued. “Whatever the guidelines and rules, HHS and other regulatory bodies need to offer clear guidance while also giving hospitals ample time to update their security measures accordingly.”

The Role of Device Manufacturers

“Manufacturers are the first line of defense. Before a device is ever connected to the network, they must do their due diligence to address security issues,” said Langer. “Many device manufacturers already do this by working with third-party vendors who identify vulnerabilities in their devices.”

As a result, it’s also crucial for regulators to ensure they involve device manufacturers in these conversations, Langer explained. While many manufacturers are actively working with third parties to find and remediate vulnerabilities, public collaboration and identification could encourage those companies currently lagging in security to improve their posture.

Those efforts, coupled with regulatory incentive, such as expedited device approvals for manufacturers actively securing devices, could also shift the needle on device security, Langer argued.

“As the FDA continues to update guidance addressing medical device risks, CHIME, AEHIS and others should publicly participate in these conversations, actively including all stakeholders to reinforce their responsibility for ensuring a medical device’s security,” said Langer.

Manufacturers also need to be diligent in alerting health providers of any vulnerabilities and provide patches, when able, Langer explained. Ideally, there would be a collaborative relationship between a hospital’s biomedical, IT, and security teams to effectively shore up those security gaps.

“Presently, there is a communication gap within the hospital between IT, security and biomed, and that gap widens at the manufacturer level,” Langer said. “Each hospital differs – there is no clear industry role dedicated to medical device security.”

“Manufacturers should make it a best practice to build strong relationships at the hospital to ensure security alerts are acted on in a timely and efficient manner,” he added.

Christian Dameff, MD, an emergency room doctor and researcher at the University of California San Diego shared similar sentiments around device security with HealthITSecurity.com in January.

“We have this siloed expertise that has led to this ineffective policy in hospitals: I secure the network, you secure everything else and when there’s conflict there’s really no accountability,” said Dameff. “You need a unified strategy. It’s still an alien concept that biomed should be a part of IT.”

“In addition to implementing incentives for manufacturers who actively identify and remediate vulnerabilities, regulators should consider penalties for those who demonstrate a clear lack of responsibility toward this key component – arguably the crux – of medical device security,” Langer said.

Part of this process should also include the development of a universal health security standard. But Langer said that it won’t be possible without industry collaboration between manufacturers, hospitals, and regulators.

“There needs to be a clear definition of what security means for both health systems and device manufacturers of all sizes – including specific guidelines aimed at each stakeholder’s unique role,” said Langer. “This requires experts from the IT, security and healthcare sectors who are equipped with the industry knowledge necessary to inform a standard that provides an adequate baseline for security.”

“While we know that standards often become the minimum requirement, it’s important to have a baseline that everyone adheres to,” he added.