This article can also be found in the Premium Editorial Download "Information Security magazine: Spotlight on top security trends of 2011 and Security 7 award winners."
Download it now to read this article plus other related content.
Up until now, the information security risks involved with medical applications had to do with privacy breaches of patient or billing information. There was the potential of an incorrectly entered data element or an element that was not sent correctly through a medical interface. HIPAA was enacted to ensure privacy and security risks were identified and managed, although some question its effectiveness.
However, a malfunction in these new types of networked medical devices could cause harm to a patient. IV pumps, respirators and other types of networked medical equipment are now reliant on the security and stability of the network they are operating on; they are basically networked computers with the same type of vulnerabilities that exist with other networked computers. These networked medical devices are susceptible to network outages, malware and even malicious access. The threat was highlighted at the Black Hat conference in July, when a security researcher reportedly demonstrated how he could remotely disable his insulin pump.
A new ISO standard, IEC 80001-1, and the accompanying guidance published in IEC 80001-2 and IEC 80001-3, have stricken the first blow in the battle for medical device security. Given how badly this standard was needed, does it accomplish what it set out to do? Like all security frameworks, the answer is dependent on the implementation specifics..
The overriding theme in IEC 80001-1 revolves around establishing a risk management program for networked medical devices. There is nothing surprising about the risk management focus as all major security frameworks embrace this methodology in one way or another. However, what is surprising is how the responsibility for securing these medical devices falls mainly on what the standard defines as health care delivery organizations (HDOs). “This requirement makes it clear that the ultimate responsibility for compliance with the standard lies with health care delivery organizations using the medical device network, irrespective of what suppliers provide,” the standard states.
This stance seems reasonable at first glance because the safety and security of the network is ultimately the responsibility of the HDO. However, since the HDO has no direct input into the initial design of each medical device, the only alternative is to bolt on security measures after the fact. This is never a fully effective method, as most security practitioners can attest. The standard does require the manufacturer to disclose potential risks to security and patient safety and provides guidance on secure configurations. It also requires a contract called a Responsibility Agreement for making this disclosure, yet the contract seems more focused on protecting the intellectual property of the manufacturer. Delivering robust and secure networked medical devices has to be the responsibility of the manufacturer in order for IEC-80001 to be effective.
IEC 80001 calls for each HDO to assign an employee into a new role that will be responsible for managing the risk associated with the medical network. This role could be rolled up to an employee charged with HIPAA security as many of the goals are the same. However, the standard doesn’t list qualifications for the staff member charged with this responsibility, which also is a weakness in HIPAA regulations. Many organizations have simply assigned the HIPAA security role to a PC technician with little security experience. IEC 80001 could suffer the same fate if the medical IT network risk manager does not have the appropriate background. This problem is compounded further for small medical practices that may only have few employees.
Despite its weaknesses, IEC 80001 is a much needed standard whose time has come. Patients shouldn’t have to worry about injury from networked medical devices due to information security vulnerabilities or network instabilities. It starts to lay a solid foundation that with a few changes could provide the safety we all expect when we seek medical care. It’s a voluntary standard at this point, but many health care quality organizations will most likely merge it into their overall safety and quality audits. There is still time for the manufactures of these networked medical devices to take the lead by integrating security practices into the design of their products. Health care providers need to take heed and recognize that these devices could pose a threat to their patients and fast-track a risk management program. It’s simply the right thing to do.
Joseph Granneman, CISSP, has over 20 years in information technology and security with experience in both healthcare and financial services. He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member.
This was first published in September 2011