Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Balancing Simplicity With the Exploding Challenges of Medical Device Security

Posted on December 3, 2018 I Written By

The following is a guest post by Gus Malezis, President and CEO of Imprivata.

The digitization of healthcare has allowed healthcare organizations to utilize robust technology such as network-connected medical devices to help improve both patient care and provider experience across the entire care continuum. Within this Internet of Medical Things (IoMT), medical devices can track and monitor patient stats, provide diagnostic information, help ensure lifesaving care delivery, and even make recommendations on treatment and clinical decision support – all while communicating directly with healthcare IT systems to ensure more complete and accurate patient medical records.

With these benefits of digitally connected medical devices, however, we now must consider and address a series of issues that are introduced with network connectivity and automated data integration; issues that relate to patient health and safety, cybersecurity, and compliance.

Simply put, advanced network-connected technology opens these devices to the risk of exploitation and compromised patient safety from both internal and external threats. Whether it’s an uninformed patient making changes to an unlocked infusion pump, someone stealing valuable protected health information (PHI) stored on an unattended device, or a cybercriminal using a network-connected medical device to gain backdoor access to a hospital’s entire network or disable the function of the devices (for the purpose of extracting ransomware), medical devices are now a source of risk for both healthcare organizations and patients. Compounding this issue is the fact that medical devices frequently run outdated operating systems and applications, all of which are difficult, or even impossible, to patch or otherwise protect with other standard security measures.

By 2020, the number of IoT devices is expected to reach 20.4 billion, and the number of IoMT devices is expected to reach 161 million. These numbers of incremental networked devices are truly staggering, which proportionally increases the risks of hacking, compliance, and health and safety. Clearly, healthcare IT can no longer afford to manage medical devices under current security protocols.

How locking down affects provider workflow

To address this threat and mitigate the risk posed by IoMT devices, organizations naturally look to implement security systems and tools that will safeguard the devices, enable only authorized personnel to interact and adjust/calibrate the devices, and safeguard access to patient records, clinical applications, and other sensitive data. Before implementing such solutions, however, healthcare organizations should consider several factors – particularly those relating to workflow.

Unlike other industries, healthcare can’t simply lock down information by building multi-layer security. Additionally, the focus is always on patient care, so minutes…and even seconds…truly matter, and clinicians need fast, unimpeded access to patient information. Layering in cumbersome security protocols has the potential to introduce new workflows, or create barriers to care. It is therefore critical that healthcare systems designers and architects consider several key factors when evaluating security options.

For starters, think about workflow integration: Any security tool should allow for optimal workflow efficiency among users, and that means the clinical staff and providers should not need to be “trained” on something new, or adopt a new workflow. Ideally, this means finding flexible and easy-to-use security tools that meet current existing workflows and preferences. Choosing easy-to-use options allows for security to be transparent so providers can focus on patient care, not on technology. For example, clinicians are accustomed to Tap-in and Tap-out (TITO) technology as a means of accessing HIT windows-based systems. This same workflow should be integrated and facilitated in anything new, thereby enabling secure and compliant access by utilizing a current and well known and adopted workflow. This is a win-win-win…the clinical staff win by using the same workflow, while IT, Cybersecurity, and Compliance teams also achieve their goals.

Another key factor is extensibility to other workflows: The need for security stretches across a number of different business and clinical workflows and applications. Healthcare organizations should look into a solution that provides the extensibility to meet all workflow needs, with the same consistent and transparent workflow model.

Addressing this challenge requires fast, efficient, and secure authentication for all devices that require security, including medical devices. For medical devices already requiring user authentication, appropriate security tools can improve efficiency by replacing the cumbersome manual entry of usernames and passwords with fast, automated authentication through the simple tap of a badge. Here we want to leverage the same consistent and transparent workflow model.

This way, organizations can optimize their use of interconnected medical devices to improve the delivery of care. They also maintain security and meet regulatory compliance requirements while ensuring efficiency for providers and giving them more time to focus on patient care.

Focusing on physical security and ID/Access control can enable the right balance — something that’s uniquely necessary in healthcare. A healthcare organization’s medical device access security plan should be part of a comprehensive identity and multifactor authentication platform for fast, secure authentication workflows across the healthcare enterprise. The medical device piece should combine security and convenience by enabling fast, secure authentication across enterprise workflows while creating a secure, auditable chain of trust wherever, whenever, and however users interact with patient records and other sensitive data.

As organizations are tuning in to the unique challenges of the IoMT era, it’s time to implement foundational security best practices with modalities that are tailored specifically to clinical workflows. Doing so achieves the balance necessary to ensure both security and flexibility.

About Gus Malezis
Gus Malezis is the President and Chief Executive Officer of Imprivata. Gus is widely recognized as a visionary leader in the information technology security industry where he brings more than 30 years of experience driving innovation and growth while building market leading organizations. Prior to joining Imprivata, Gus was most recently the President of Tripwire, a leading global provider of endpoint detection and response, security and compliance solutions. In his career, Gus has built a strong track record of delivering growth and innovation for leading technology and security companies such as Tripwire, McAfee, and 3Com.

Being Honest About Your Reasons For Cybersecurity Decisions

Posted on August 16, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

This week, a team of McAfee researchers released a paper outlining a terrifying exploit. The paper describes, in great technical detail, how a malicious attacker could flip a cardiac rhythm display from 80 beats per minute to zero within less than five seconds.

This might not lead to severe harm or death, but it’s possible that other very negative outcomes could occur, notes Shaun Nordeck, MD, who’s quoted in the report. “Fictitious cardiac rhythms, even intermittent, could lead to extended hospitalization, additional testing, and side effects from medications prescribed to control heart rhythm and/or prevent clots,” he notes.

The paper does point out that if the bedside monitor is working normally, nurses have access to other accurate data, which could diminish the impact of such disruptions to some extent. However, the potential for adverse events is clearly higher than normal if someone scrambles a patient’s vitals.

Unfortunately, this is far from the only attack which wasn’t possible before connected devices became the norm. At various points, we’ve seen that pacemakers, insulin pumps and even MRIs can be hacked externally, particularly if their operating systems aren’t patched as required or haven’t put even basic security protections in place. (Think using “password” as a password.)

But while these vulnerabilities are largely known at this point, some healthcare organizations haven’t begun to tackle them. Solving these problems takes work, and costs money, The best-intentioned CIO might not get the budget to fix these problems if their CEO doesn’t see them as urgent.

Or let’s say the budget is available to begin the counterattack. Even if everyone agrees to tackle connected device vulnerabilities, where do we begin the counterattack? Which of these new connected health vulnerabilities are the most critical?  On the one hand, hacking individual pacemakers doesn’t seem profitable enough to attract many cybercriminals. On the other, if I were a crook I might see the threat of meddling with a hospitals’ worth of patient monitors to be a great source of ransom money.

And this brings us to some tough ethical questions. Should we evaluate these threats by how many patients would be affected, or how many of the sickest patients?  How do we calculate the clinical impact of vital signs hacking vs. generating inaccurate MRI results? To what extent should the administrative impact of these attacks be a factor in deciding how to defeat these challenges, if at all?

I know you’re going to tell me that this isn’t an all or nothing proposition, and that to some extent standard network intrusion detection techniques and tools will work. I’m not disputing this. However, I think we need to admit out loud that these kinds of attacks threaten individual lives in a way that traditional cyberattacks do not. For that reason, we need to get honest about who we need to protect — and why.

Medical Device and Healthcare IT Security

Posted on December 21, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

In case you haven’t noticed, we’ve been starting to do a whole series of Healthcare Scene interviews on a new video platform called Blab. We also archive those videos to the Healthcare Scene YouTube channel. It’s been exciting to talk with so many smart people. I’m hoping in 2016 to average 1 interview a week with the top leaders in healthcare IT. Yes, 52 interviews in a year. It’s ambitious, but exciting.

My most recent interview was with Tony Giandomenico, a security expert at Fortinet, where we talked about healthcare IT security and medical device security. In this interview we cover a lot of ground with Tony around healthcare IT security and medical device security. We had a really broad ranging conversation talking about the various breaches in healthcare, why people want healthcare data, the value of healthcare data, and also some practical recommendations for organizations that want to do better at privacy and security in their organization. Check out the full interview below:

After every interview we do, we hold a Q&A after party where we open up the floor to questions from the live audience. We even allow those watching live to hop on camera and ask questions and talk with our experts. This can be unpredictable, but can also be a lot of fun. In this after party we were lucky enough to have Tony’s colleague Aamir join us and extend the conversation. We also talked about the impact of a national patient identifier from a security and privacy perspective. Finally, we had a patient advocate join us and remind us all of the patient perspective when it comes to the loss of trust that happens when a healthcare organization doesn’t take privacy and security seriously. Enjoy the video below:

Medical Device Security and Vulnerabilities with Tony Giandomenico from Fortinet

Posted on December 17, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This is one of the most interesting and scary interviews we’ve ever done. Tony Giandomenico is a security expert at Fortinet. In this interview we cover a lot of ground with Tony around healthcare IT security and medical device security. We talk about the impact of breaches, places where healthcare organizations are vulnerable, and offer some ideas on how hospitals and healthcare organizations can be more secure.

In what we’re officially calling our Q&A after party we talk about things like the national patient identifier and its impact on security. We discuss block chain and its potential in healthcare and the security of block chain. We also have a patient advocate join us to put a great patient perspective on the need for security.

Medical Device Security – Where Is the Finger Pointing?

Posted on October 23, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

If a picture is worth a thousands words, the above picture is worth about 10,000. I think this picture is best summed up by saying that the medical device industry is a heavily regulated industry. You can see why EHR vendors don’t want to be regulated by the FDA. It would get pretty crazy.

This image also illustrates to me why a company that’s built an FDA or medical device compliance capability has something of real value. Navigating the process is not easy and it helps if you’ve been there and done it before.

As to Dr. Wen’s comment on the tweet. There are a lot of challenges when it comes to medical device security. Definitely no antivirus and many are running on old operating systems that can’t be updated. We’re going to have to put some serious thought into how to solve problems like these in future medical devices.