With the Internet of Things and connected medical devices, poor cybersecurity poses risks to both patient safety and the infrastructure that keeps hospitals running. It’s an ongoing challenge for healthcare security professionals.
What makes it such a challenge is that the hospital environment is a very different beast than it once was. Clinical delivery has moved from a palliative care model to a highly technological model that’s very IoT-centered. It’s convenient because it allows hospitals to stack all kinds of monitors and telemetry systems in patients’ rooms. But it introduces risks, as IoT devices are unable to be managed centrally.
“There are inherent vulnerabilities and risks, and they’re growing at a pretty exponential rate,” Richard Staynings, chief security strategist at Cylera, said at the Healthcare Security Forum in Boston on Tuesday. “The machines are taking over our hospital environment.”
That raises a basic question: How can healthcare deal with this environment?
There’s no easy answer. Saif Abed, director of cybersecurity advisory services at AbedGraham, said the way medicine is being practiced is being forced to change because of how much technology there is in the clinical environment. One manifestation of this is that the newer class of medical students is growing up more technologically dependent, and the industry is still coming to terms with what to do when this dependency is exposed.
And thanks to interoperability, these devices don’t act in silos.
“To be effective, everything within the EHR is connected to these devices, and they’re introducing risk to each other,” Abed said. “This straddles multiple healthcare institutions.”
As Christopher Frenz pointed out, nobody’s going to approve a $1 million check for a new MRI machine running WindowsXP. Frenz, associate VP of information security at Interfaith Medical Center, is currently working on a project that produces what he calls a medical device deployment standard, in which devices go through a gauntlet of controls. Assessing a device before purchasing it, he said, is one of the best ways to prevent risk from happening in the first place.
This becomes an increasingly important consideration as the sheer number of IoT devices increases dramatically in healthcare. Mark Elliot, global technologist at Medigate, estimates the prevalence of such devices has increased about 60% over the past three years.
“People are trying to figure out how best to break your network, to capture your PHI, to capture your medical records,” Elliot said. “So what do we need? We need something that gives visibility. You have to know what’s on your network to defend your network.”
An organization needs to know the expected behavior of all IoT devices.
“Any IoT security system in your network needs to work with all the other expensive systems you’ve bought and paid for,” Elliot said. “It becomes the power broker. It makes the system smarter, telling you exactly what type of device it is and what type of behavior it has.”
Margie Zuk, senior principal cybersecurity engineer at MITRE, has been working with the FDA on the regulatory environment around IoT. In 2017, there was an initiative under the Cybersecurity Information Sharing Act in which the Department of Health and Human Services established a task force of 17 industry leaders and four government leaders that identified various cybersecurity issues and put forth a number of recommendations. The FDA, she said, is taking a whole-community approach to the problem.
“They’re regulating medical device manufacturers, but are responsible for patient safety, which happens in the hospital after the devices are connected there. It’s a challenging ecosystem.”
While the FDA is only issuing guidance and not hard-and-fast rules, it does lay out currently acceptable practices with more information available on the FDA website, particularly its mythbuster fact sheet.
Calling it a “confused picture,” Abed made the case for a more robust regulatory environment.
“Coming from Europe, I am far more interventionist,” he said. “I think there’s a role to be far more heavy-handed with the vendor community. … And we need regulations to be unified, because the challenges we face are similar. These are not siloed issues to any one country or health system. These are all shared issues.”
