By Garrett Seeley, MS, CBET, and Ian Contreras

The health care landscape has seen an advance in technology in which medical devices now play a pivotal role in providing efficient and effective patient care. Patient monitors, imaging modalities, infusion pumps, and more have become interconnected systems that help streamline health care processes and enable better outcomes. At the same time, the increased reliance on these networked medical devices has increased the cybersecurity threats that could compromise patient data, privacy and safety. The use of access control lists (ACLs) and port security, however, gives hospitals and health care systems the ability to protect their medical devices and bolster their cybersecurity measures.
ACLs are a set of specific rules that allow or deny identified users access to certain areas of the network. ACLs act as filters within routers or switches to manage the traffic entering the network. By controlling access and permissions to the different segments of the network, hospitals can define who is able to communicate with which devices, preventing malicious personnel from performing unauthorized activities. This may sound like the function of a firewall; however, ACLs and firewalls differ in ways that make ACLs easier to implement.
The main difference between ACLs and firewalls lies in the hardware and how it handles traffic. Recall that there are two types of firewalls: one running as software on a host or end-user computer, and another operating as a security device on the network. Focusing on network security, a network firewall is a stateful device that sits in the path of a connection. It inspects packets, monitors packet flow, logs traffic and enforces controls on device-to-device communication. A network firewall is a device the network must communicate through, much like a router, in order to leave a segment. It offers strong security options but creates a network bottleneck. For this reason, an ACL is a better choice for hospital networks. An ACL is stateless software running on a router or switch. It does not attempt to inspect packet contents or log communications beyond looking at the ports in use and the IP addresses using them. This provides a similar level of security, applied at the switch and router level, without requiring much processing power or storage to implement. In short, the stateless configuration of an ACL saves resources and decentralizes network communications, allowing for a faster, yet still secure, network.
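The paragraph above describes what a stateless ACL actually does: it checks only source and destination IP addresses, protocol and port, walks the rules top-down, and takes the first match, with an implicit deny if nothing matches. The following simulation, an added example that is not part of the original article, shows that behaviour on a constructed topology (a patient-monitor VLAN 10.20.0.0/24, an HL7 gateway at 10.10.5.20 and a DNS server at 10.10.5.53 are assumptions, as is TCP port 2575 for the HL7 feed). It also shows the caveat the stateless design brings: because no connection state is kept, return traffic from the gateway must be permitted by its own entry.

```python
"""Stateless ACL evaluator: first match wins, top-down, implicit deny at the end.

Constructed example for illustration: the addresses, ports and descriptions
below are assumptions, not taken from any real hospital network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The only fields a stateless ACL looks at: addresses, protocol and port."""
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # destination port; None for protocols without ports


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp", or "ip" meaning any protocol
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int] = None   # None matches any destination port
    description: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class StatelessAcl:
    """Evaluates entries in order; the first match wins, otherwise implicit deny.

    No connection table is kept. That is what keeps CPU and memory cost low on
    the router, and also why return traffic needs an explicit entry of its own.
    """

    def __init__(self, entries: Iterable[AclEntry]):
        self.entries: List[AclEntry] = list(entries)

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        for line_no, entry in enumerate(self.entries, start=1):
            if entry.matches(pkt):
                return entry.action, f"line {line_no}: {entry.description}"
        return "deny", "implicit deny (no entry matched)"


# Constructed topology: the ACL is checked against every packet crossing the
# boundary of the patient-monitor VLAN (10.20.0.0/24) in either direction.
DEVICE_VLAN_ACL = StatelessAcl([
    AclEntry("permit", "tcp", "10.20.0.0/24", "10.10.5.20/32", 2575,
             "monitors to HL7 gateway"),
    AclEntry("permit", "tcp", "10.10.5.20/32", "10.20.0.0/24", None,
             "return traffic from HL7 gateway (stateless: must be explicit)"),
    AclEntry("permit", "udp", "10.20.0.0/24", "10.10.5.53/32", 53,
             "monitors to DNS"),
    AclEntry("deny", "ip", "10.20.0.0/24", "0.0.0.0/0", None,
             "all other traffic leaving the device VLAN"),
])


def audit(acl: StatelessAcl, packets: Iterable[Packet]) -> List[Tuple[Packet, str, str]]:
    """Run a batch of packets through the ACL and return each decision with its reason."""
    return [(pkt, *acl.evaluate(pkt)) for pkt in packets]


if __name__ == "__main__":
    samples = [
        Packet("10.20.0.15", "10.10.5.20", "tcp", 2575),   # HL7 feed: permitted
        Packet("10.10.5.20", "10.20.0.15", "tcp", 49152),  # gateway reply: permitted by line 2
        Packet("10.20.0.15", "10.10.5.20", "tcp", 22),     # SSH from a monitor: denied by line 4
        Packet("10.20.0.15", "8.8.8.8", "tcp", 443),       # monitor to the Internet: denied
        Packet("10.30.0.7", "10.20.0.15", "tcp", 22),      # staff VLAN into a monitor: implicit deny
    ]
    for pkt, action, reason in audit(DEVICE_VLAN_ACL, samples):
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {action} ({reason})")
```

Running the script prints one decision per sample packet with the line that produced it. Rule order matters: moving the deny-all entry above the permits would silently cut off the HL7 feed, which is why a change to a device-VLAN ACL should be tested against a packet list like this one before it is pushed to the router.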
Recall that ports act as entry points for data to be transferred and exchanged between the abundant number of medical devices across a hospital network. Port security, therefore, is a cybersecurity measure that also limits data activity and flow between networks using ACLs. Similarly, an IP address is a location on a network and can be used to identify a device and infer its purpose on the network. Additionally, ACLs employ techniques like media access control (MAC) filtering. In this way, they use static MAC addresses as well as IP addresses to set penalties on a port. To best utilize port security, trained users need to be savvy in network segregation, update management and password hardening. These types of security measures are all part of ACLs, acting as another method for safeguarding hospitals against unauthorized access through the medical equipment attached to the network.
Cybersecurity breaches have created severe consequences for health care organizations whose medical equipment vulnerabilities have been compromised, such as functionality issues and sensitive private data being exposed. For example, in October 2022, CommonSpirit hospitals lost access to medical records, had procedures delayed and had appointments canceled. This caused heavy delays to patient care and throughput for many of these systems. Not only do these issues affect patient care and data privacy, but the reputations of these hospitals also come under fire, and the hospitals are increasingly legally liable for these types of incidents. Therefore, robust ACL and port security measures are significant, proactive steps toward securing medical devices and protecting health care institutions.
Regulations and standards related to medical device cybersecurity have increased significantly over the last decade as the industry recognizes the importance of secure and safe networks for protecting patient data, privacy and health. In late March 2023, the FDA issued guidance that all new medical device applicants must now submit a plan on how to “monitor, identify and address” cybersecurity issues. In July 2022, NIST released its Special Publication 800-66, Revision 2, as a resource guide of actionable steps health care organizations can take to improve their cybersecurity measures. IEC 62304, ISO 27001, and NIST 800-53 all serve as industry best practices for a good cybersecurity foundation. With collaborative efforts between HTM and IT teams, industry standards now suggest that implementing ACLs and port security enables health care systems to be fully aligned with the industry’s regulatory and compliance standards for cybersecurity.
It has become increasingly clear each year how important it is to protect medical devices from cyber attacks, as health care delivery organizations become more reliant on networked medical equipment to best serve their patient populations. ACLs and port security are just some of the vital tools and methods the HTM community can implement to best support their hospitals in this ongoing effort. By managing access to devices, preventing unapproved port connections and implementing cybersecurity best practices, hospitals can ensure patient data privacy and patient safety. They can also allow both patients and providers to feel confident in their health care institutions. It is imperative that we utilize these and other security measures to prevent patient harm and ensure that advancements in medical technology continue to drive patient outcomes in a positive direction.
Garrett Seeley, MS, CBET, is a Biomedical Equipment Support Specialist with VISN 17: VA North Texas Health Care System.
Ian Contreras is a biomedical engineer with VA North Texas Healthcare System.
