Imagine you are approached with a procurement request for a new smart medical device never used in any hospital. Some of you might be thinking, “Yes! Let’s pave the way for other medical centers.” However, as a healthcare technology manager responsible for oversight of medical device/system management, it is your job to think a few steps further. Question not only how the device can be an asset to you, but also how it can be safely used within the security controls required by your program. You should put yourself in the mindset that you are strengthening your cybersecurity programs through security controls such as encryption, system hardening and firewalls.
As health care professionals, we are often painted as the “bad guys” when it comes to assessing and procuring medical equipment. However, it is our critical responsibility to ensure that all equipment coming through the facility passes a pre-procurement assessment, and ultimately ensure the equipment is safe and secure to be used in a health care environment. In today’s world, with the constant increase in cybersecurity-related incidents, performing these technical assessments is critical. These incidents challenge us to continually test the limits of the medical devices/systems, questioning every aspect of the system and its capabilities.
Beginning a pre-procurement assessment can be a daunting task. You need to review factors such as safety, or whether the system follows the regulatory requirements. The moment you hear the device may have network capabilities or the ability to store sensitive data, you should be getting your stop sign ready to go. Think of it as if you are purchasing a brand-new car. When you are entering the dealership for the first time, you may be looking for the latest and greatest model. But, once you choose the perfect car and start the negotiation, you begin to change gears. The value and details about what the car provides now become the most important factors. This is the same process when evaluating medical equipment. After your initial introduction to the equipment, it is time to start asking the questions:
- “How do we patch it?”
- “Does it store patient data?”
- “Are we able to encrypt?”
- “Is it FIPS compliant?”
- “How do we control access?”
These questions might start you down a rabbit hole of email chains between the manufacturer and yourself, but it is essential to understand the equipment and how it will integrate into your health care environment. While there are several concerns that need to be addressed, we are going to discuss three areas that tend to be overlooked in favor of more popular ones, such as OS patch management. These areas are: 1) Data Encryption; 2) User Authentication; and 3) Anti-Virus Software.
1. Data Encryption and FIPS compliance
If the system includes a database or if there is a possibility of sensitive information being stored on the device, start to focus on the data. Dive into the details of what the data is and where it is stored. You need to understand the data and determine whether it contains personally identifiable information (PII) and/or electronic protected health information (ePHI) data elements. Ask questions such as 1) Is the data at rest? 2) If the data does contain sensitive information, can it be encrypted? 3) Is there a database on the system itself or stored in a cloud environment? 4) Can the database be encrypted and at what level? If the data is stored on a local hard drive, you should also ask if the system can autodelete after a certain period of time.
When focusing on encrypting data, your ultimate goal is to protect sensitive information. The last thing you want is a breach that could affect 500-plus individuals. Although there are many algorithms that can provide security of sensitive information, it is important to understand that when working with the U.S. federal government, there is only one standard the government allows, and that is FIPS. “But what is FIPS?” you may be asking. FIPS stands for Federal Information Processing Standards; in this context it is shorthand for FIPS 140-2 (and soon to be 140-3), a set of government standards used to approve cryptographic modules. The National Institute of Standards and Technology (NIST) provides a database of FIPS compliance certificates that can help you determine whether there is an active certificate before you proceed with procurement.
2. User Authentication
One area of defense in a good cybersecurity model is enforcing strong password protection. Although it may not completely stop an attack, it will slow the threat down. With malware attacks on passwords increasing every day, it is important to review and follow your policy for passwords. Find out what authentication methods are available for the system and determine if the options are acceptable. If administrative accounts are required to operate the device, inquire about the available ways you can secure the system with a strong password.
Two-factor authentication is the preferred method for password protection, since it adds an additional level of protection. However, if the system can only allow for single-factor authentication, you should be inquiring about the allowable password length (at least 14 characters), in addition to the ability to combine letters, numbers and symbols. Lastly, many policies contain an aging requirement for single-factor authentication. If the device can only support single-factor authentication, ask whether it also supports password aging. Each of these controls adds one more layer of defense.
3. Anti-Virus Software
Many attackers start with something as simple as a virus on your computer. To prevent this, implementing basic security controls such as anti-virus software can vastly improve the security in your health care environment. When evaluating a system, it is important to understand whether it is capable of supporting anti-virus software and whether there is a list of exclusions. If the system cannot support anti-virus software, you will be introducing a higher risk to your network.
Procuring equipment is a group effort with multiple parties involved. We, as healthcare technology managers, must work together and mitigate risk to implement the best equipment for our health care environment. While we can be viewed as the “bad guy,” it is an essential part of our job to not sacrifice security for convenience and, ultimately, to protect the integrity of the patient record.
– Nadia ElKaissi, CHTM, is the chief engineer at Charles George VA Medical Center.
