National Cybersecurity and Communications Integration Center Highlights Vulnerabilities in Healthcare Technology


In a recent bulletin, the National Cybersecurity and Communications Integration Center (NCCIC) at the U.S. Department of Homeland Security described the vulnerabilities associated with medical devices in the healthcare environment where wireless technology and networking are increasingly used.  As many devices may be accessed through and connected to medical information technology networks, there are now concerns regarding theft of medical information and intrusion into networks through the devices.  The NCCIC highlighted four factors that complicate security within a medical organization: (1) the current use of legacy devices placed in the market prior to the enactment of the Medical Device Law in 1976 when there was minimal testing on equipment; (2) failure to implement safety features on newer devices because of complexity of the technology; (3) budget constraints; and (4) failure to upgrade existing devices because they contain private information.

With technology changing rapidly, the healthcare arena is constantly challenged to keep up, especially because many medical devices now utilize wireless technology, may be linked to healthcare facility networks, and may be implantable within the body or otherwise portable.  Furthermore, many healthcare professionals now utilize portable devices to monitor patients remotely.  The NCCIC suggests a layered security approach to oversee this technology, with the following “best practices” noted, among others:

  • Purchasing only those networkable medical devices which have well-documented security features available, and which network engineers can configure safely on networks;
  • Establishing strict policies for the connection of any networked devices, particularly wireless devices, to networks such that no access to networked resources is provided to unsecured and/or unrecognized devices;
  • Using the principle of least privilege to decide which accounts need access to specific medical device segments, rather than providing access to the whole network; and
  • Securing communications channels, especially wireless ones, by the use of encryption and authentication at both ends of a communication channel.

The bulletin, which may be accessed here, should be passed along to a healthcare organization’s IT network and technology specialists for review and discussion with organization executives.  

Reporter, Christina A. Gonzalez, Houston, +1 713 276 7340, cagonzalez@kslaw.com.