Up until now, the information security risks involved with medical applications had to do with privacy breaches of patient or billing information. There was the potential of an incorrectly entered data element or an element that was not sent correctly through a medical interface. HIPAA was enacted to ensure privacy and security risks were identified and managed, although some question its effectiveness.
Today, the emergence of medical devices directly on a network introduces a new type of risk that hasn’t been seen before in health care information technology. As electronic medical records systems have been quickly adopted -- spurred by the American Recovery and Reinvestment Act of 2008 -- organizations developed a need to have certain patient data entered directly into the electronic medical record. The overwhelming task of entering all of the data was falling on clinicians, which could introduce human error into the process. As a result, medical equipment has started to sprout network jacks and wireless radios. Using the network, medical equipment can transfer patient information directly into an electronic chart, increasing clinician productivity and data accuracy.
However, a malfunction in these new types of networked medical devices could cause harm to a patient. IV pumps, respirators and other types of networked medical equipment are now reliant on the security and stability of the network they are operating on; they are basically networked computers with the same type of vulnerabilities that exist with other networked computers. These networked medical devices are susceptible to network outages, malware and even malicious access. The threat was highlighted at the Black Hat conference in July, when a security researcher reportedly demonstrated how he could remotely disable his insulin pump.
A new ISO standard, IEC 80001-1, and the accompanying guidance published in IEC 80001-2 and IEC 80001-3, have struck the first blow in the battle for medical device security. Given how badly this standard was needed, does it accomplish what it set out to do? As with all security frameworks, the answer depends on the implementation specifics.
The overriding theme in IEC 80001-1 revolves around establishing a risk management program for networked medical devices. There is nothing surprising about the risk management focus as all major security frameworks embrace this methodology in one way or another. However, what is surprising is how the responsibility for securing these medical devices falls mainly on what the standard defines as health care delivery organizations (HDOs). “This requirement makes it clear that the ultimate responsibility for compliance with the standard lies with health care delivery organizations using the medical device network, irrespective of what suppliers provide,” the standard states.
This stance seems reasonable at first glance because the safety and security of the network is ultimately the responsibility of the HDO. However, since the HDO has no direct input into the initial design of each medical device, the only alternative is to bolt on security measures after the fact. This is never a fully effective method, as most security practitioners can attest. The standard does require the manufacturer to disclose potential risks to security and patient safety and to provide guidance on secure configurations. It also requires a contract called a Responsibility Agreement for making this disclosure, yet the contract seems more focused on protecting the intellectual property of the manufacturer. Delivering robust and secure networked medical devices has to be the responsibility of the manufacturer in order for IEC 80001 to be effective.
IEC 80001 calls for each HDO to assign an employee to a new role that will be responsible for managing the risk associated with the medical network. This role could be rolled up to an employee charged with HIPAA security, as many of the goals are the same. However, the standard doesn’t list qualifications for the staff member charged with this responsibility, which is also a weakness in HIPAA regulations. Many organizations have simply assigned the HIPAA security role to a PC technician with little security experience. IEC 80001 could suffer the same fate if the medical IT network risk manager does not have the appropriate background. This problem is compounded further for small medical practices that may have only a few employees.
Despite its weaknesses, IEC 80001 is a much-needed standard whose time has come. Patients shouldn’t have to worry about injury from networked medical devices due to information security vulnerabilities or network instability. It starts to lay a solid foundation that, with a few changes, could provide the safety we all expect when we seek medical care. It’s a voluntary standard at this point, but many health care quality organizations will most likely merge it into their overall safety and quality audits. There is still time for the manufacturers of these networked medical devices to take the lead by integrating security practices into the design of their products. Health care providers need to take heed, recognize that these devices could pose a threat to their patients, and fast-track a risk management program. It’s simply the right thing to do.
Joseph Granneman, CISSP, has over 20 years in information technology and security with experience in both healthcare and financial services. He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member.