The convenience and workflow improvements attained from using wireless medical devices come at a steep price. These types of devices are especially susceptible to being hacked or infected with malware. At Black Hat 2011, security consultant Jay Radcliffe wirelessly manipulated the functionality of an insulin pump, sending shockwaves through the industry.
Other demonstrations soon followed, raising alarms about wireless medical devices that can be hacked and put patient lives at risk. The Showtime series Homeland brought widespread attention to this issue by depicting the assassination of the vice president of the United States via hacking and manipulation of his pacemaker.
The possibilities are real. Malicious threats are as relevant to wireless medical devices as they are to any other networked IP device. Medical device misconfiguration puts other devices on the hospital's network at risk. These risks need to be understood, documented and managed. This issue has enough attention that the Wi-Fi Alliance, the FDA and the Association for the Advancement of Medical Instrumentation recently released best practices for managing wireless medical devices; they are drafting guidance on managing cybersecurity in medical devices.
Ali Youssef, Senior Solutions Architect, Henry Ford Health System
- Biomedical engineer who served as one of the lead architects for Henry Ford Health System's wireless LAN.
- A pioneer in larger-scale health care wireless networks, Youssef created a medical device certification and onboarding process for equipment evaluation.
- More than 13 years of experience with medical device design, network architecture and project management. Youssef is a member of the mHIMSS Advisory Council, the AAMI Wireless Strategy Task Force and co-author of the mHIMSS technical roadmap. Look for his book, Wi-Fi Enabled Healthcare, in 2014.
At Henry Ford Health System (HFHS), our RF footprint has grown from a handful of wireless access points in 2005 to around 8 million square feet of ubiquitous coverage in 2013. With wall-to-wall Wi-Fi available throughout HFHS, the demand for Wi-Fi-capable medical devices is rising steadily.
Major interoperability and security issues first came to light with the initial wave of medical devices on the network. An EKG device that relied on having a static IP address did not comply with IEEE 802.11i. We also spent about a year troubleshooting the wireless stability of a mobile X-ray system and working with the vendor to redesign the device. To proactively deal with these types of issues and to gain better insight about new wireless medical devices, it became clear that a comprehensive strategy combining process and technology was needed.
The current industry consensus is that the best practice for wireless medical device authentication and encryption is 802.1X with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and Advanced Encryption Standard encryption. This enforces mutual authentication and requires each medical device to have an X.509 certificate installed before it is allowed onto the wireless network.
Outside of Work
Apple or Android? Apple
Plan B: Veterinarian or cardiologist
Security hero? Bruce Schneier
Two things people don't know about you: I love to run, and I went to high school on the island of Cyprus.
What keeps you up at night? Mostly my one-and-a-half-year-old daughter, Mina.
Due to the wide spectrum of devices' wireless capabilities, it's often necessary to use a phased approach to manage wireless medical devices and promote ongoing authentication and encryption best practices. The HIPAA advisory and the Wi-Fi Alliance have acknowledged that 802.11 security features such as Wired Equivalent Privacy and shared key authentication are not secure enough. In an effort to promote continuous improvement, HFHS IT and Clinical Engineering have implemented the following phases:
- Phase 1: All medical devices that support a certain authentication and encryption standard are configured to use a dedicated service set identifier (SSID), keeping the number of SSIDs as low as possible.
- Phase 2: Network policies are applied to limit medical device network access to required IP addresses.
- Phase 3: Medical devices that do not support Wi-Fi Protected Access 2 (WPA2) EAP-TLS are continuously refreshed, resulting in one SSID using EAP-TLS.
In addition to these three phases, it's critical to develop a centralized device inventory, and to adopt a standard certification and onboarding process in order to get a good handle on the wireless medical device space in the hospital. The certification process entails engaging all the technical and clinical stakeholders together to discuss and test a wireless-capable medical device and support expectations prior to ordering the device and introducing it to the hospital network. The testing entails functional security as well as clinical workflow testing. Any security concerns are identified through a thorough risk assessment in line with the recommendations in the IEC 80001 documentation.
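The three phases and the centralized inventory can be checked mechanically. The following is an added example, not HFHS code: it audits a constructed inventory against each phase and flags traffic outside a device's allow-list. The device names, SSIDs, IP addresses, finding codes and the `WPA2-PSK` legacy tier are all assumptions made for illustration.

```python
import ipaddress

TARGET_AUTH = "WPA2-EAP-TLS"            # Phase 3 end state
INSECURE = {"WEP", "SHARED-KEY"}        # named above as not secure enough
# Hypothetical SSID plan: one dedicated SSID per supported standard (Phase 1).
SSID_BY_AUTH = {"WPA2-EAP-TLS": "MED-TLS", "WPA2-PSK": "MED-LEGACY"}

# Constructed inventory and flow records, for illustration only.
INVENTORY = [
    {"name": "infusion-pump-01", "auth": "WPA2-EAP-TLS", "ssid": "MED-TLS",
     "allowed": ["10.20.0.10/32"]},
    {"name": "ekg-cart-07", "auth": "WPA2-PSK", "ssid": "MED-LEGACY",
     "allowed": ["10.20.0.20/32", "10.20.0.21/32"]},
    {"name": "xray-mobile-02", "auth": "WEP", "ssid": "MED-LEGACY",
     "allowed": []},
]
FLOWS = [("infusion-pump-01", "10.20.0.10"), ("ekg-cart-07", "10.20.0.21"),
         ("ekg-cart-07", "192.0.2.55"), ("xray-mobile-02", "10.20.0.30")]

def audit_device(dev):
    """Return the phase checks a single inventory record fails."""
    findings = []
    expected_ssid = SSID_BY_AUTH.get(dev["auth"])
    if expected_ssid is None:
        findings.append("P1_NO_APPROVED_SSID")   # standard has no sanctioned SSID
    elif dev["ssid"] != expected_ssid:
        findings.append("P1_WRONG_SSID")
    if not dev["allowed"]:
        findings.append("P2_NO_ALLOWLIST")       # no network policy defined
    if dev["auth"] in INSECURE:
        findings.append("P3_INSECURE")           # WEP or shared key in use
    elif dev["auth"] != TARGET_AUTH:
        findings.append("P3_REFRESH")            # not yet on EAP-TLS
    return findings

def flow_violations(inventory, flows):
    """Return (device, destination) pairs outside the device's allow-list."""
    nets = {d["name"]: [ipaddress.ip_network(n) for n in d["allowed"]]
            for d in inventory}
    bad = []
    for name, dst in flows:
        ip = ipaddress.ip_address(dst)
        # Devices missing from the inventory have no allow-list and are flagged.
        if not any(ip in net for net in nets.get(name, [])):
            bad.append((name, dst))
    return bad

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev["name"], audit_device(dev) or "compliant")
    print("out-of-policy flows:", flow_violations(INVENTORY, FLOWS))
```

In practice the inventory would come from the centralized device inventory and the flow records from network telemetry; both sources are outside what the article describes.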
As a result of launching and growing the program, we continue to have great traction and a much better grasp of our existing and potential wireless medical devices. We also have a better sense of their security and impact on our wireless environment. In addition, we have developed a fantastic collaborative relationship with our clinical engineering, supply chain, service level management and security teams.