By Nadia ElKaissi, CHTM
Picture this: One of the largest regional hospitals, known for its advanced imaging services, was hit by a cyberattack that left one of its newest critical medical devices – a networked MRI machine – compromised. The HTM team discovered that the connection between the device and the vendor was not secure, allowing the hacker to exploit a vulnerability in the system. Sensitive patient data was accessed, and the device was temporarily taken offline, causing a delay in care. The culprit? An unsecured connection between the medical device and the vendor’s network, one that could have been easily protected with a Virtual Private Network (VPN).
In today’s health care environment, more devices are becoming “smart” and networked, creating an interconnected web of medical technology that shares critical patient information. While this connectivity improves the health care provided, it also opens new vulnerabilities if security is not taken seriously. One of the most critical security tools to protect these devices and patient data is a VPN. Let’s break down why VPNs are so important, how terms like NAT and PAT fit into the picture, and why alternative methods of connecting to vendors – such as SSL or direct connections – may not be as secure.
Your first question may be, “What is a VPN and why is it essential?” A VPN creates a secure, encrypted “tunnel” between your health care organization and an external entity, such as a vendor. When a medical device like an MRI machine or infusion pump connects to the vendor for updates, troubleshooting, or data sharing, a VPN ensures that this communication is safe from prying eyes. In simple terms, it’s like having a private, locked highway between two points in the middle of a bunch of open roads.
Without a VPN, the data being sent between the medical device and the vendor could be intercepted, altered or stolen. This is especially dangerous in health care because the data being shared often contains Protected Health Information (PHI), such as patient records, SSNs or treatment plans. If compromised, this sensitive data could lead to HIPAA violations, financial penalties and loss of trust from patients.
In a health care setting, network configurations like NAT (Network Address Translation) and PAT (Port Address Translation) add another layer of security to VPN connections. NAT translates the private IP addresses of devices within a hospital’s internal network to a single public IP address before they communicate with the outside world (like a vendor’s system). This keeps internal device addresses hidden from external threats. PAT works similarly. It allows multiple devices to share one public IP address while mapping each device to a specific port. This means that even if an attacker tries to breach the public IP address, they won’t have direct access to individual devices because the ports provide a buffer. Both NAT and PAT ensure that medical devices are not directly exposed to the Internet, reducing the risk of being targeted in a cyberattack. When used with a VPN, these configurations add layers of defense, making it harder for unauthorized users to access critical medical systems.
Some may ask, “What if a vendor needs an SSL or direct connection to support the medical device?” Sometimes, health care organizations use SSL (Secure Sockets Layer) or a direct connection to communicate with a vendor’s system. SSL is often used to secure websites or email communications, and while it does offer encryption, it is not as robust as a VPN in this context. Even though SSL or direct connections may be the only option for communication, it is important to press the vendor to try to provide a more secure option. SSL can secure individual sessions but doesn’t provide the same end-to-end protection that a VPN does. With a VPN, the entire connection between the medical device and the vendor is encrypted, whereas SSL may only protect part of the communication, leaving room for vulnerabilities. Direct connections, on the other hand, bypass the network protections provided by NAT or PAT, meaning medical devices may be directly exposed to the Internet without the protective layers that hide their IP addresses and ports. If the vendor’s network is compromised, as we have seen happen recently to some health care vendors, and a direct connection is established, hackers could gain access to the medical device or other parts of the hospital’s network. VPNs ensure that, even in the event of a vendor breach, the connection remains secure and isolated.
Whenever a health care organization connects a medical device to a vendor, it’s crucial to understand what data is being shared and how it’s being protected. Even before equipment is procured, you should be asking vendors questions such as:
- What PHI is being transmitted? You need to know exactly what patient information is being sent to the vendor. This could include patient names, health records, or device usage data. Ensure that the data shared is the minimum necessary to perform the tasks.
- How is the data encrypted? Make sure that both the VPN and the vendor use strong encryption protocols to protect the data in transit and at rest.
- Who has access to the data? Clarify who at the vendor’s end has access to the data and what controls are in place to prevent unauthorized access.
- Does the vendor have a robust firewall configuration? Before building a VPN connection with your device, the vendor needs to provide technical information to ensure the connection is secure and aligns with your organization’s security protocols. They should provide you with:
  - A peer address
  - IKE Version: the Internet Key Exchange (IKE) version used, such as IKEv2, which helps secure the key exchange process
  - IKE and IPSec Encryption Algorithms: the encryption standards they use, such as AES-256, to protect data during transit
  - IKE and IPSec Hashing Algorithms: the hashing methods (e.g., SHA-256) to ensure data integrity
  - NAT-T support: confirmation that Network Address Translation Traversal is supported, which allows VPN traffic to pass through firewalls using NAT
  - Diffie-Hellman Group: the key exchange method and group used, ensuring secure key generation
  - IKE and IPSec Default Lifetimes: information on how long security associations last before keys are renegotiated
  - PFS (Perfect Forward Secrecy): whether PFS is supported to ensure new keys are used for each session, preventing past communications from being decrypted if a key is compromised
By understanding what’s being shared and how it’s being secured, health care organizations can maintain compliance with regulations like HIPAA and protect patients from data breaches.
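One way to turn the vendor's answers for the VPN parameters listed above into a repeatable pre-procurement check, as an added example that is not part of the original article. The field names, accepted values and lifetime limits are assumptions standing in for your organization's own policy.

```python
import ipaddress

# Assumed baseline for illustration; substitute your organization's own policy.
BASELINE = {
    "ike_version": {2},
    "ike_encryption": {"AES-256-CBC", "AES-256-GCM"},
    "ipsec_encryption": {"AES-256-CBC", "AES-256-GCM"},
    "ike_hash": {"SHA-256", "SHA-384", "SHA-512"},
    "ipsec_hash": {"SHA-256", "SHA-384", "SHA-512"},
    "dh_group": {14, 15, 16, 19, 20, 21},  # excludes legacy groups 1, 2 and 5
}
REQUIRED_TRUE = ("nat_t", "pfs")
MAX_LIFETIME_S = {"ike_lifetime_s": 86400, "ipsec_lifetime_s": 28800}  # assumed limits


def review_vendor_sheet(sheet):
    """Return a list of findings; an empty list means the sheet meets the baseline."""
    findings = []
    peer = sheet.get("peer_address")
    try:
        ipaddress.ip_address(str(peer))
    except ValueError:
        findings.append(f"peer_address: missing or not an IP address ({peer!r})")
    for field, allowed in BASELINE.items():
        value = sheet.get(field)
        if value is None:
            findings.append(f"{field}: not provided by vendor")
        elif value not in allowed:
            findings.append(f"{field}: {value!r} is not in the accepted set")
    for field in REQUIRED_TRUE:
        if sheet.get(field) is not True:
            findings.append(f"{field}: not confirmed as supported")
    for field, limit in MAX_LIFETIME_S.items():
        value = sheet.get(field)
        if not isinstance(value, int) or not 0 < value <= limit:
            findings.append(f"{field}: {value!r} is missing or above {limit}s")
    return findings


# Constructed sample answers from a hypothetical vendor (203.0.113.10 is a
# documentation-only address); the IPSec lifetime was left blank by the vendor.
VENDOR_SHEET = {
    "peer_address": "203.0.113.10", "ike_version": 1,
    "ike_encryption": "AES-256-CBC", "ipsec_encryption": "3DES",
    "ike_hash": "SHA-256", "ipsec_hash": "SHA-1", "dh_group": 2,
    "nat_t": True, "pfs": False, "ike_lifetime_s": 86400,
}

if __name__ == "__main__":
    for finding in review_vendor_sheet(VENDOR_SHEET):
        print(finding)
```

Each finding is an item to send back to the vendor before the tunnel is built; unanswered items are reported the same way as weak ones.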
In health care, protecting patient data and ensuring the reliability of medical devices are non-negotiable priorities. A VPN, along with the security provided by NAT and PAT, ensures that the connection between networked medical devices and vendors is as secure as possible. It creates an encrypted, private communication channel that shields sensitive information from cyberattacks. As health care technology continues to evolve, so do the threats. Hospitals must prioritize secure connections to vendors by utilizing VPNs over more vulnerable methods like SSL or direct connections. It is not about compliance – it’s about patient safety.


