By Tony Pham
Within the clinical industry, medical equipment and systems are constantly being redesigned and innovated. One main byproduct of all these designs is the increase in how many medical devices connect to a hospital’s network. Most medical equipment now either requires a network connection or at least recommends one to perform its intended functions. Add the growing importance of interoperability (the ability of one system to communicate with other systems) and of vendor remote support, and it is easy to imagine how much traffic flows through and across each hospital’s network.
With so many machines that manage or have access to sensitive patient information on the same network, the hospital environment becomes a prized target for hackers. Since each networked device introduces vulnerabilities to the other networked devices, cybersecurity measures must be enacted to mitigate any threats and vulnerabilities. At the Department of Veterans Affairs, the Office of Healthcare Technology Management (HTM) administers a Medical Device Protection Program (MDPP) in collaboration with the Office of Information Security (OIS). In short, the MDPP is a comprehensive cybersecurity initiative geared toward monitoring, mitigating, and remediating cybersecurity threats and vulnerabilities related to medical devices and systems.
One of the centerpieces of the MDPP is the Enterprise Risk Assessment (ERA), which essentially determines how any networked device or system, medical and non-medical, connects to and communicates with the VA network. To clarify the importance of the ERA: any medical device that connects to the VA network must first undergo a formal investigation by the Specialized Device Cybersecurity Department (SDCD), which is part of the OIS. The SDCD investigates the impact of the device with support from an HTM (or biomed) team and the original equipment manufacturer (OEM). The purpose of the ERA is to document what the device can and cannot do on the network.
As a formal process, an ERA is normally initiated by a local HTM (or biomed) team before the procurement of new medical equipment. Within the scope of cybersecurity, even if an approved ERA already exists for a device, the device is considered a completely different system if it uses another operating system (OS) version (e.g., Windows 7 vs. Windows 10) or a different application version. This means that it requires a whole new ERA. For example, if a medication dispensing system that includes a Windows Server 2012 server needs its server OS upgraded to Windows Server 2019, that OS upgrade cannot happen until an ERA specifically for Windows Server 2019 is approved if the system is to remain on the network. The existing approved ERA for Windows Server 2012 would not cover it. However, if there are only minimal differences between an existing ERA and the desired medical equipment, such as the addition of supplemental software or a wireless component, an ERA modification can be requested. Regardless, the process for new ERAs and for modifications follows the same steps.
Five standardized documents must be completed to submit a new medical device/system ERA or a modification request. These documents are: 1) the VA Directive 6550 Appendix A; 2) an MDS2 spreadsheet; 3) a Medical Device (MD) Inventory List; 4) an MD Ports, Protocols and Services List; and 5) an MD Network Topology Diagram. The first of these documents is the VA Directive 6550 (called a 6550 for short). It is specific to the VA and builds the foundation for why an ERA is needed as well as what the device is for. The 6550 is a general form for system details related to cybersecurity features such as FIPS 140-2 or 140-3 certification, antivirus and OS patching, data encryption capabilities, and electronic health record compatibility. Overall, the information this form requests is used for an initial assessment of risk and to identify the vulnerability mitigations needed. The HTM/biomed team and the OEM should work together to complete the 6550 form prior to submission.
Similarly, the Manufacturer Disclosure Statement for Medical Device Security (MDS2) spreadsheet answers questions about various topics related to the cybersecurity of a medical device/system. However, it differs in the number and depth of its questions. The MDS2 spreadsheet is a voluntary standard used by medical device OEMs to document and convey cybersecurity information about their equipment, so a completed MDS2 spreadsheet may already be available from the OEM. Most of the spreadsheet is heavily technical and its answers are not typically known to the HTM/biomed team, so the OEM is advised to fill it out. This portion of the documentation can be the most exhaustive and will most likely require more time to complete than the rest of the documents, so it is recommended to start working on this spreadsheet first.
The MD Inventory List is a detailed spreadsheet that asks for every networked device included within the medical equipment system along with any peripherals. Examples of components in the inventory list are workstations, servers, scanners, detection plates, wireless access points and much more. For each component, the ERA requires its device name, type, model, operating system, OS version and application name. There is also a comment field for each component in case there are important notes to make. Only the information that exists needs to be provided, so components without applications or OS versions can skip those data points. Otherwise, every component that runs applications should list each application it uses on the spreadsheet.
Next, the Ports, Protocols and Services (PPS) List works similarly to the Inventory List, but it is specifically concerned with all network communication between the medical equipment system and the rest of the network. Here, every communication service (SMTP, DNS, DICOM, custom communications, etc.) should be listed with its accompanying port numbers, protocol (TCP/UDP/IP), direction of communication, whether the communication is to an external IP address or not, and reason for use. If there is communication to an external IP address outside of the VA network, the associated external IP addresses and an approved MOU# must be provided. The PPS List is extremely helpful in setting the ACL for a new device or system.
Following the PPS List, a Network Topology Diagram should be created based on the communication services identified in the PPS. The diagram contains several key pieces of information, namely the Accreditation Boundary of the ERA’s medical equipment system, all directional communication services as identified by the PPS, and any External Data Flow (communications to systems outside of the VA network). The Accreditation Boundary is a red box that depicts which components of the medical equipment system are allowed within the same VLAN, giving those components free and open access to each other’s ports. Outside of the Accreditation Boundary are arrows going to and coming from various objects, showing the flow of all network traffic. The traffic flow can be bidirectional, outbound or inbound. It is important to note that the ports specified in the diagram, along with the direction of the arrows, must match exactly what is listed in the PPS List. Finally, the External Data Flow shows which ports are open for access to outside vendors. These should also have been detailed in the PPS List. The information portrayed here should indicate which approved MOU each external communication is based on as well as the direction of communication.
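The two consistency rules above (every external flow needs an external address and an approved MOU#, and the diagram's ports and arrow directions must match the PPS List exactly) are easy to check mechanically before the ticket is submitted. The following is an added example, not part of the original article or any VA tooling; the PPS rows, the diagram arrows, the 10.0.0.0/8 "internal" range and the ACL syntax are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample PPS List for a hypothetical imaging system (not a real submission).
# The vendor remote-support row deliberately omits its MOU# to show the check firing.
PPS_CSV = """service,port,protocol,direction,destination,external,mou,reason
DICOM,104,TCP,bidirectional,10.0.20.15,no,,image transfer to PACS
DNS,53,UDP,outbound,10.0.0.2,no,,name resolution
SMTP,25,TCP,outbound,10.0.0.10,no,,result notifications
Custom Comms,8443,TCP,outbound,203.0.113.40,yes,,vendor remote support
"""

# Constructed transcription of the arrows drawn on the topology diagram: (service, port, direction).
# The SMTP arrow was drawn inbound, which disagrees with the PPS List.
DIAGRAM_ARROWS = {("DICOM", 104, "bidirectional"), ("DNS", 53, "outbound"),
                  ("SMTP", 25, "inbound"), ("Custom Comms", 8443, "outbound")}

# Assumed address range of the hospital network; anything outside it is "external".
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def load_pps(text):
    """Parse the PPS List CSV; port becomes int and the external flag becomes bool."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["port"] = int(r["port"])
        r["external"] = r["external"].strip().lower() == "yes"
        rows.append(r)
    return rows


def external_flow_issues(rows):
    """External Data Flow rule: external rows need an approved MOU# and a non-internal address."""
    issues = []
    for r in rows:
        ip = ipaddress.ip_address(r["destination"])
        if r["external"] and not r["mou"].strip():
            issues.append(f"{r['service']}/{r['port']}: external flow without MOU#")
        if r["external"] == (ip in INTERNAL_NET):
            issues.append(f"{r['service']}/{r['port']}: external flag disagrees with address {ip}")
    return issues


def diagram_mismatches(rows, arrows):
    """Ports and arrow directions on the diagram must match the PPS List exactly."""
    listed = {(r["service"], r["port"], r["direction"]) for r in rows}
    return sorted(listed ^ arrows)  # entries present on one side only


def acl_entries(rows):
    """Derive firewall-neutral ACL lines from the PPS List, one per service."""
    verb = {"outbound": "permit out", "inbound": "permit in", "bidirectional": "permit in/out"}
    return [f"{verb[r['direction']]} {r['protocol'].lower()} {r['destination']} port {r['port']}  # {r['reason']}"
            for r in rows]
```

Run the three functions over the parsed rows and resolve every reported issue before opening the OIS ticket; the ACL lines are a starting point for the network team, not a finished policy.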
Once all these documents have been completed by the OEM with support from the HTM/biomed team, HTM/biomed submits a formal ticket to OIT (specifically the OIS) to review for approval of a new ERA or a modification to an existing ERA. Typically, the review will take half a year to a full year for a new ERA, while a simple modification may be completed within a few months. Throughout the process, a contact from the OIS will reach out and schedule meetings with the OEM point of contact and the HTM/biomed team to clarify any documents and to ensure the completeness of the ERA. Once the ERA is complete, both the local HTM/biomed team and the OEM are cleared to proceed with networking the medical device. The ERA will show them exactly how to do it.