Medical device security woes, opportunities

BOSTON—“Every hospital has concerns about medical device privacy and security. But it’s more than concerns—it’s out and out stress,” said Dale Nordenberg, co-founder and executive director of the Medical Device Innovation, Safety and Security Consortium, speaking at HIMSS' Privacy and Security Forum on Sept. 9.

Hospitals and delivery systems often are dealing with tens of thousands of medical devices, and with patient encounters high, ensuring their security is a momentous task. Conducting risk assessments on all devices is nearly impossible, especially with the rise of “connected health,” he said.

The FDA’s 2013 cybersecurity guidance, which recommends that medical device manufacturers and healthcare facilities implement safeguards to reduce the risk of device failure due to cyberattack, has prompted security reviews at healthcare organizations. 

At Johns Hopkins Medicine, Darren Lacey, chief information security officer, said his team has reviewed all new IT contracts, which total 114, as well as 63 medical devices. “In terms of activity, that’s high for us. It’s been an education.”

Lacey said “we were feeling good about security,” but when they brought in the tools to assess risk of their 15,000-17,000 medical devices after the FDA guidance, they were in for a surprise. “There was a lot more infected devices than I thought there were,” he said, noting that there were “dozens and dozens of devices” infected.

“What we found after we remediated the devices was that the reinfection rate was astonishing,” he said.

At Albany Medical Center, the IT and biomedical teams do a good job at addressing security, said Kristopher Kusche, vice president information services–technology services. He said it’s the medical device manufacturers that exhibit “a low degree of willingness to tackle the problem.”

He recalled one device manufacturer that users had cited as having infection issues. When he brought it up to the manufacturer at a trade show, the representative asserted that the product had a high rating in the area of security. “There’s a huge disconnect between the manufacturers and what’s really going on out there.”

Malware is growing increasingly prevalent, with 100,000 new viruses per day attacking operating systems and hard disks, and has “become so complex and broad.” Keeping up would require continual updates “every five minutes”—which is not practical, he said.

To cope, companies should do whitelisting and sandboxing—blocking known malicious websites and implementing a security mechanism for separating running programs—on embedded systems. “That is the role that medical device manufacturers need to move into as well,” he said.

For Lacey, whitelisting should be “presumptive” for any IT or a single purpose drive, and he shared that whitelisting is one of his mantras when speaking at conferences. “It reverses the default bad security to good security,” he said. “I can’t for the life of me understand why this isn’t a bigger deal.”
