Medical Device Security – Are your devices secure?
In the first seven months of 2011, more than 5.5 million patient records containing personal health information (PHI) were exposed via 126 separate breach/loss events according to the Privacy Rights Clearinghouse (Date of info: Aug 27, 2011).
Many of these events involved removable electronic media (memory stick or memory card), while others pertained to medical devices which had the built-in capability to retain patient data.
We normally think of laptops, portable hard drives, and thumb drives as the items which – if lost – will compromise PHI. The reality is, those devices absolutely are of interest, but so are your medical devices.
According to HIMSS, hospitals typically have 300 to 400 percent more medical devices than IT (information technology) devices.
Does your facility have a device which retains PHI?
Who is responsible for ensuring PHI is not exposed?
The equipment manufacturer? The health care provider?
Some say one, most say both.
To that end, HIMSS and the National Electrical Manufacturers Association (NEMA) developed the Manufacturer Disclosure Statement for Medical Device Security (MDS2). With MDS2, HIMSS intends to provide the health care provider sufficient information so the provider can create processes to protect patient PHI which is transmitted or retained by medical devices.
HIMSS went further: They created a template and worksheet to allow the health care provider to assess the risk of PHI exposure with the provision of useful and appropriate security-centric questions. Click to access the Manufacturer Disclosure Statement for Medical Device Securitydocument from NEMA.
Thank you, HIMSS, that is most useful from the health care provider’s optic, but what of the medical device manufacturers?
Many medical devices have telemetry requirements, which require patient data to be both present within the device’s resident memory and to be transmitted from the device to a monitoring or record-preservation device (hard drive or tape).
During transmission, are the content or command/control sequences protected? Do they need to be? Unfortunately, yes. The data must be protected not only from a PHI-data disclosure perspective, but also from data corruption perspective.
Hackers are out there, waiting.
At the recent Black Hat security conference, the integrity of the operational aspects of a medical device was thrust into the spotlight when an attack against a Medtronic-manufactured insulin pump was demonstrated by researcher Jay Radcliffe.
Radcliffe demonstrated how he was able to remotely take control of the insulin pump as the “attacker” and successfully adjusted the levels of insulin being pumped into the patient to a harmful level. (For additional reading see: Elinor Mills CNET coverage: “Researcher battles insulin pump maker over security flaw”)
While the risk to an individual may be mathematically low, we can all agree that the risk is above zero, and both manufacturers and health care providers have a role to play.
So what are medical device manufacturers to do?
Medical device companies need to make security a part of their design process and not a “bolt-on” solution after the device is manufactured and they need to participate in the HIMSS/NEMA process. The health care provider will then have available to them sufficient information to securely use the medical device with respect to both patient health information (protected by HIPAA) and the integrity of the operation of the device.
If the device manufacturers don’t, the US Government will be there to ensure they do, as Representatives Eshoo (D-CA) and Markey (D-MA) both senior members on the House Energy and Commerce Committees have asked the Government Accounting Office to conduct a review of the Federal Communications Commission’s actions in regard to wireless medical devices.
The congressmen specifically asked the GAO to:
1. Identify the challenges and risks posed by the proliferation of medical implants and other devices that make use of broadband and wireless technology.
2. Take steps to improve the efficiency of the regulatory processes applicable to broadband and wireless enabled medical devices.
3. Ensure wireless enabled medical devices will not cause harmful interference to other equipment.
4. Oversee such devices to ensure they are safe, reliable, and secure.
5. Coordinate its activities with the Food and Drug Administration.
In conclusion, you are advised to take supra-Congressional interest to heart: Ensure your medical devices have security baked in and not bolted on, thus protecting the integrity of your device and the health and privacy of the patient.
————
The above was written for Medical Marcom as a guest blog post.
We’re hosting a free event focusing on Medical Device Hacking. Your readers might be interested. Media Alert follows:
Medical Device Hacking Summit to be Hosted by Mocana, Symantec & Codenomicon during MD&M.
San Francisco, CA – October 3, 2011 – Mocana, a company that focuses on smart device security, will host a summit of technology leaders to address dangerous security breaches, hacks and vulnerabilities recently reported in a range of electronic medical devices. Hosted jointly with Symantec and Codenomicon, the “Amphion Forum: Medical”will be held in Minneapolis, Minnesota on November 3, 2011 during the MD&M Conference. The invitation-only executive breakfast and roundtable seeks to foster frank discussions between the big medical device manufacturers, hackers and security experts about the opportunities – and threats – presented by the unprecedented proliferation of networked electronic medical devices within the healthcare industry.
The summit is free, but seating is limited. Request an invitation at http://amphionforum.com/medical11/
Mocana founded the Amphion Forum to provide a venue for stakeholders in the smart device economy to share solutions and forge a clear direction for the future of the “Internet of Things”. Event organizers hope to foster a “World Economic Forum-type” environment where big thinkers can share ideas for solving some of the most pressing problems facing the global device infrastructure, especially as it pertains to the tens of millions of networked medical devices.
“Security has always been a digital health issue, but traditionally security requirements have been driven by the regulatory requirement to protect electronic helath records (EHR). The issue taken on new urgency, however, since recent demonstrations of wireless hacks on devices like implanted insulin pumps and defibrillators.” said Adrian Turner, CEO, Mocana. “These devices are proliferating nearly five times faster than PC’s in healthcare environments, but we’re not seeing the same ‘due diligence’ PC’s receive when it comes to making sure these devices are digitally ‘safe’..Our industry needs to work together to solve this problem.”
Event attendees will engage in interactive sessions that explore the most compelling ideas for realizing the potential of the “Internet of Things” in healthcare. Some of the luminaries and iconoclasts that will participate in the Amphion Forum: Medical include Dr. Dale Nordenberg, MD, Executive Director of the Medical Device Innovation, Safety and Security Consortium (MDISS); Joe Pasqua, VP of Research at Symantec; Tom Zemites, Strategic Marketing Manager of the Microsemi Implantable Medical Devices Division; Andras Nadas, Senior Research Engineer for the Institute for Software Integrated Systems at Vanderbilt University; and David Chartier, CEO of Codenomicon, among others.
The Amphion Forum is free of charge, but seating is limited. To request an invitation visit:http://www.amphionforum.com.
Event Details:
Date: Thursday, November 3, 2011
Time: 8 a.m. – 1 p.m.
Location: Marquette Hilton: 710 Marquette Avenue South Minneapolis, MN 55402