By Connor Walsh, CISSP
Over the last several years, we have seen a dramatic increase not only in the number of medical systems that are networked, but also in the ways they are networked. From medical devices with applications residing in the cloud to external site-to-site connections established so that vendors can provide critical support, HTM professionals find themselves weighing the risk versus reward of introducing potential vulnerabilities into their networks. To deal with this new threat landscape, we must deploy a Defense in Depth strategy to ensure these potential risks are mitigated as much as possible. This concept implies that an organization will deploy a combination of “security controls,” or safeguards, that are in place to minimize risk. These controls typically fall into three main categories: physical, technical or administrative, and all share the common goal of maintaining the confidentiality, integrity and availability (CIA) of our data.
Physical security controls are used to mitigate physical threats. Common examples that HTM professionals may encounter are physical walls/barriers for restricting access to sensitive areas, video surveillance, alarm systems, access control systems and security guards. For example, at your facility, how do you secure your medical system’s servers housing sensitive PHI/PII? For most, they would be housed in a centralized, locked room with card/badge swipe and key access as the only means of entry. If any unauthorized entity attempted to enter, alarms would trigger and security would be called. This is likely to deter any potential physical threat from accessing your medical servers.
Technical security controls are typically software based and are meant to prevent any unauthorized access to your medical systems. Operating system patching, two-factor authentication, host- and network-based intrusion prevention systems, at-rest and in-transit encryption, and network isolation/segmentation (e.g., VLANs) are common technical security controls that could be implemented by HTM professionals. During equipment planning, make sure you are asking the vendor for, and reviewing, the Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms during technical evaluations. Cybersecurity should be considered in all proposals, and these forms will help you plan for the technical controls you can implement during installation.
The last main category of security controls is administrative based. These are your organization’s policies, standards, procedures and guidelines, as well as organizational training. Two of the most common administrative controls that an HTM professional may encounter revolve around environment of care (EOC) rounds. During the rounds, one of the first questions we may ask clinicians is whether they know what to do if a medical device stops working; if they don’t know, we briefly train them on our department’s policies. Additional policies and/or procedures that we may encounter are hard drive removal, removable media scanning, OS and anti-virus patching, and disaster recovery.
The idea of Defense in Depth comes into play when we combine security controls from each of the above three categories. Physical security controls should always be your first line of defense, but they alone are not enough. As HTM professionals, we need to perform due diligence when it comes to procuring new devices, reviewing vendor MDS2 forms, and rolling them out with the approved and adequate technical controls in place. Finally, as we roll out these new systems and manage them through their life cycle, we need to ensure that they continue to conform to our department policies. Applying a Defense in Depth approach to your new medical system deployments is of utmost importance as we continue to navigate this new threat landscape.
Connor Walsh, CISSP, is a biomedical engineer for the Department of Veterans Affairs.
The views expressed here are those of the author and do not necessarily represent or reflect the views of TechNation or MD Publishing.
