By Inhel Rekik, clinical engineering manager, MedStar Georgetown University Hospital and John Rasmussen, MedStar Vice President & CISO
EDITOR’S NOTE: PART 1 OF THIS ARTICLE RAN IN THE JANUARY ISSUE OF TECHNATION and can be viewed here.

Application of security controls should be done as a partnership between clinical engineering, IT and the medical device vendor. This will ensure that there are layers of defense to prevent infection.
Operational security considerations
The security program mentioned in Part I of this article should include a myriad of tools to ensure multiple layers of defense to counter the different threats to the confidentiality, integrity and availability of biomedical devices. The tools can be broken down into three categories:
• Physical security
• Network security
• Application/Operating system security
Physical security protects the device from unauthorized access or alteration. A device containing PHI needs to be protected from unauthorized access, for example with a locking screensaver if it is a desktop-type medical device, or by placing the device in a secure area that the public cannot reach. Another way to secure these devices is a cable lock or physically bolting them in place. Exposed USB ports can be used to install malware or to attach a hardware key logger, so they should be secured: they can be disabled from the operating system or physically blocked with USB port locks. Either approach should be taken only with the medical device manufacturer's approval.
Physical security controls should extend to the end of life of a product and must include controls for surplusing devices. A device should never be sent to surplus while it still contains patient information; that data must be removed before it can be disclosed to someone who is not authorized to view or access it. Drives should be removed and physically destroyed or degaussed. Note that degaussing only works on magnetic media; solid-state and flash storage must be physically destroyed (or cryptographically erased where the vendor supports it). This should be clearly stated in the medical device disposal policy.
Administrative safeguards are your policies and procedures around medical device security. A partnership between HTM and IT security helps establish this governance. IT security professionals are there to ensure that patients' data is protected and that medical devices operate in a safe and secure manner. It is important to build a solid collaboration in order to have an effective medical device security program, which includes policies, standards and guidelines for securing medical devices.
Technical safeguards are the technologies that create multiple layers of protection. They include border defenses such as firewalls, email gateways and web filters, as well as internal network segmentation, intrusion detection systems, advanced endpoint protection, network access control, antivirus (AV) and patching.
Virtual private networks (VPNs) between vendors and hospitals can act as a conduit for infection: a routed VPN connects two networks, so if the vendor network contains malware it may try to propagate over the VPN to the hospital network. Unless a VPN is absolutely necessary, remote connection technologies that expose only the specific device being serviced, rather than a routed path into the network, should be used to keep exposure to a minimum.
Network segmentation is used to isolate or restrict access to certain kinds of devices on the network. A medical device should not sit on the same network segment as general-purpose workstations that routinely access the Internet; otherwise a worm that lands on a workstation can propagate directly to the device.
Network access control (NAC) can be used on some networks to prevent unauthorized devices from connecting to the network. This can stop an accidentally or maliciously connected device from gaining access to vital network resources.
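The three network controls above (limiting vendor remote access, segmenting medical devices from general-purpose workstations and the Internet, and keeping unknown devices off the network) come down to a policy that can be checked against what the network actually carries. The following is an added example, not code from the article or its authors: it encodes a simple segmentation policy for a medical-device VLAN and runs it over a handful of constructed flow records. The address ranges, zone names, the flow-log format and the permitted ports (DICOM 104/11112, HL7 MLLP 2575, vendor support only through a jump host) are all assumptions for illustration.

```python
"""Flag medical-device network flows that violate a segmentation policy.

Added example; zones, CIDRs, ports and flow records are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed network zones (assumed addressing).
ZONES = {
    "medical": ipaddress.ip_network("10.50.0.0/16"),
    "workstations": ipaddress.ip_network("10.20.0.0/16"),
    "clinical_servers": ipaddress.ip_network("10.60.0.0/24"),  # PACS, EMR integration
    "vendor_jumphost": ipaddress.ip_network("10.99.0.0/28"),   # brokered vendor access
}

# Policy: zones a medical device may talk to and on which destination ports.
# Any peer not listed (including the public Internet) is a violation.
ALLOWED_PEERS = {
    "clinical_servers": {104, 2575, 11112},  # DICOM and HL7 MLLP (assumed ports)
    "vendor_jumphost": {22, 3389},           # remote support only via the jump host
    "medical": None,                         # None = any port within the medical VLAN
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(addr):
    """Map an address to a policy zone; unknown public addresses are 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet" if ip.is_global else "unknown"


def parse_flow(line):
    # Constructed flow-log format: "src dst dport proto"
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)


def check_flow(flow):
    """Return None if the flow is allowed, otherwise a short violation reason."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "medical" not in (src_zone, dst_zone):
        return None  # flows that never touch the medical VLAN are out of scope here
    peer = dst_zone if src_zone == "medical" else src_zone
    if peer not in ALLOWED_PEERS:
        return f"medical device <-> {peer} not permitted"
    ports = ALLOWED_PEERS[peer]
    if ports is not None and flow.dport not in ports:
        return f"port {flow.dport} not permitted to {peer}"
    return None


def audit(lines):
    """Return a list of (flow line, reason) for every violating flow."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        reason = check_flow(parse_flow(line))
        if reason:
            violations.append((line, reason))
    return violations


# Constructed sample flows. Lines 2, 3 and 5 should be flagged.
SAMPLE_FLOWS = """
# src dst dport proto
10.50.3.17 10.60.0.10 104 tcp
10.50.3.17 93.184.216.34 443 tcp
10.20.4.8 10.50.3.17 445 tcp
10.99.0.5 10.50.3.17 3389 tcp
10.50.3.17 10.60.0.10 445 tcp
10.50.7.2 10.50.3.17 5000 tcp
""".splitlines()

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {line}: {reason}")
```

The same check works in either direction: a workstation initiating SMB (port 445) toward a medical device is flagged just as the device reaching the Internet is, which is the propagation path the segmentation paragraph is concerned with. In practice the flow records would come from the firewall or NetFlow exports at the VLAN boundary rather than from a string.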
For application/operating system security controls, the most important control is patching the operating system.
Relatively few medical devices run a full general-purpose operating system. Most use a stripped-down operating system chosen for real-time availability, connectivity, processing power, data integrity and security.
Microsoft operating systems have been the most targeted by cyberattacks and therefore need to be patched regularly. If the medical device uses a standard Microsoft operating system, the patches themselves can be downloaded from Microsoft and applied with or without the manufacturer's approval. Be sure you understand your support contract before patching the device: an unapproved patch may invalidate support, and it has not been validated against the device software.
Many medical devices, such as contrast injectors, hemodynamic systems and many imaging systems, use Windows Embedded Standard, a stripped-down version of the standard Windows operating system that can be patched. The patches for these systems are provided by the device vendor.
Medical devices built on a real-time operating system (RTOS) run compiled firmware; the software cannot be patched or modified in place, which limits their exposure to commodity malware. It does not make them immune: when a vulnerability is discovered in a firmware version, the vendor must supply a fixed firmware image and it must be re-installed on the device. Windows CE is Microsoft's real-time operating system.
The main challenge with medical device patching remains timing and validation. When a vulnerability becomes known, manufacturers often do not have their patch ready in time, and when the operating system vendor releases a patch, it is often not yet validated for the software version running on the medical device. The WannaCry outbreak in May 2017 showed this clearly: Microsoft's fix for the SMBv1 flaw it exploited (MS17-010) had been available since March, but many devices could not be patched because the device vendors had not validated it.
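Because the fix for a device depends on whether the device vendor has validated it, whether the OS is still supported at all, and how exposed the device is in the meantime, the patching discussion above is really a triage decision that has to be made for every device in the inventory. The following is an added example, not code from the article or its authors: it encodes that decision for the WannaCry case (the SMBv1 flaw fixed by MS17-010) and applies it to a constructed inventory. Device names, patch status and network placement are invented; the end-of-support dates are Microsoft's published dates for the named operating systems and should be checked against the current lifecycle page before use.

```python
"""Triage a medical-device inventory against a known OS vulnerability.

Added example; the inventory is constructed. Rules: a patch is only usable
once the device vendor validates it; without that, only compensating
controls are available, and an out-of-support OS means no fix is coming.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Device:
    name: str
    platform: str                      # "windows", "windows_embedded" or "rtos"
    os_name: str
    os_end_of_support: Optional[date]  # None when the vendor controls the whole firmware image
    affected: bool                     # runs a build affected by the vulnerability
    vendor_fix_validated: bool         # device vendor has validated a patch / firmware image
    segmented: bool                    # isolated medical VLAN with the vulnerable port blocked


def triage(dev, today):
    """Return (tier, action) for one device; tier is 'critical', 'high' or 'low'."""
    if not dev.affected:
        return "low", "no action; re-check at next inventory review"
    exposed = not dev.segmented
    if dev.vendor_fix_validated:
        fix = "vendor firmware image" if dev.platform == "rtos" else "vendor-validated patch"
        if exposed:
            return "critical", f"isolate now, then install {fix} at first opportunity"
        return "high", f"install {fix} in the next maintenance window"
    # No vendor-validated fix yet: only compensating controls are available.
    out_of_support = dev.os_end_of_support is not None and dev.os_end_of_support <= today
    if out_of_support:
        return "critical", ("OS out of support and no vendor fix: isolate to required "
                            "peers only and plan replacement")
    if exposed:
        return "critical", ("segment now, block the vulnerable service at the VLAN "
                            "boundary, request vendor validation date")
    return "high", "segmented; track vendor validation date and verify the blocking rule"


def triage_inventory(devices, today):
    """Triage every device and return rows (name, tier, action), most urgent first."""
    order = {"critical": 0, "high": 1, "low": 2}
    rows = [(d.name, *triage(d, today)) for d in devices]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


# Constructed inventory. End-of-support dates per Microsoft's lifecycle pages.
INVENTORY = [
    Device("CT-01", "windows", "Windows 7 SP1", date(2020, 1, 14), True, False, False),
    Device("INJ-04", "windows_embedded", "Windows Embedded Standard 7", date(2020, 10, 13), True, True, True),
    Device("MON-12", "windows_embedded", "Windows XP Embedded", date(2016, 1, 12), True, False, True),
    Device("PUMP-31", "rtos", "vendor RTOS firmware 2.3", None, True, True, False),
    Device("US-07", "windows", "Windows 10", date(2025, 10, 14), False, True, True),
]

if __name__ == "__main__":
    # Evaluate as of June 2017, a few weeks after the WannaCry outbreak.
    for name, tier, action in triage_inventory(INVENTORY, date(2017, 6, 1)):
        print(f"{tier:8} {name:8} {action}")
```

Run as of June 2017, the unsegmented Windows 7 CT scanner without a validated patch and the unsegmented infusion pump with a validated firmware image both come out critical, as does the Windows XP Embedded monitor whose OS was already out of support; the segmented injector with a validated patch waits for a maintenance window. The point of writing it down as code is that the same rules are applied to every device, and the list re-sorts itself as vendors validate patches.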
Antivirus can also be a good defense on these devices. If the vendor does not support or allow antivirus on the system, you will need to look at network-level options to keep the device secure. If antivirus is not supported, ask the vendor why it cannot be used; sometimes a vendor will allow it if it is configured to exclude certain folders or files on the device. This is better than running with no antivirus and should be considered as a hardening option.
A device should arrive in a hardened state, but sometimes it is configured to run many services it does not need. Work with your vendor to identify services that can be shut down and whether a host or application firewall can be used to limit inbound and outbound traffic.
Password management is an additional area of vulnerability for these devices. Devices may arrive with vendor default passwords, and the same default may be common to an entire class of device, so one guessed or published password can place an entire collection of devices at risk of compromise. Apply privileged account management best practices to these passwords (unique per device, stored in a vault rather than on a sticky note, and rotated when staff or vendor technicians change) and create a policy around password management.
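Two things are worth checking when a fleet of devices is brought under privileged account management: whether any account still carries the vendor default, and whether the same password is shared across devices, which reintroduces the class-wide risk even after defaults are changed. The following is an added example, not code from the article or its authors. It audits a constructed set of device credentials, as collected at the device console during a rotation visit, against a constructed list of vendor defaults, and detects reuse by comparing keyed hashes (HMAC under a per-audit secret) so that the audit record never contains the passwords themselves. The device classes, account names, default list and audit key are all invented for illustration.

```python
"""Audit device credentials for vendor defaults and fleet-wide reuse.

Added example; device records, the default list and the audit key are
constructed. Reuse is detected on HMAC tags, so the stored audit record
shows which devices share a password without revealing it.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed vendor defaults: (device class, account) -> default password.
KNOWN_DEFAULTS = {
    ("infusion_pump_x", "admin"): "admin",
    ("infusion_pump_x", "service"): "service123",
    ("monitor_y", "biomed"): "biomed",
}


def tag(audit_key, password):
    """Keyed hash of a password; equal tags mean equal passwords for this audit key."""
    return hmac.new(audit_key, password.encode(), hashlib.sha256).hexdigest()


def audit(devices, audit_key):
    """devices: iterable of (device_id, device_class, account, password).

    Returns {device_id: [finding, ...]} for devices with at least one finding.
    """
    findings = defaultdict(list)
    by_tag = defaultdict(list)
    for dev_id, dev_class, account, password in devices:
        if KNOWN_DEFAULTS.get((dev_class, account)) == password:
            findings[dev_id].append(f"{account}: vendor default password")
        by_tag[tag(audit_key, password)].append((dev_id, account))
    for users in by_tag.values():
        # Reuse across devices is the class-wide risk; same password on two
        # accounts of one device is a lesser issue and is not flagged here.
        if len({dev_id for dev_id, _ in users}) > 1:
            for dev_id, account in users:
                others = len(users) - 1
                findings[dev_id].append(f"{account}: password shared with {others} other account(s)")
    return dict(findings)


def rotate(devices, length=20):
    """Return the same records with a unique random password per account.

    secrets.token_urlsafe draws from the OS CSPRNG; the result goes into the
    privileged-account vault, not back into this script.
    """
    return [(dev_id, dev_class, account, secrets.token_urlsafe(length))
            for dev_id, dev_class, account, _ in devices]


# Constructed credential records as entered during a rotation visit.
SAMPLE_DEVICES = [
    ("pump-001", "infusion_pump_x", "admin", "admin"),        # still on vendor default
    ("pump-002", "infusion_pump_x", "admin", "Ward7-2019!"),  # shared with pump-003
    ("pump-003", "infusion_pump_x", "admin", "Ward7-2019!"),
    ("mon-010", "monitor_y", "biomed", "xK9#pLq2vR8t"),       # unique, non-default
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # fresh per audit, never reused across audits
    for dev_id, items in audit(SAMPLE_DEVICES, key).items():
        for item in items:
            print(f"{dev_id}: {item}")
    print("after rotation:", audit(rotate(SAMPLE_DEVICES), key))
```

Using a fresh key per audit matters: with a fixed key, an attacker who obtained the stored tags could precompute tags of known defaults and common passwords and identify them offline, which is exactly what the keyed hash is meant to prevent. After rotation with per-account random passwords the audit comes back empty.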
One of the most important aspects of the program is incident response planning. When something goes wrong, and it will eventually go wrong, you should have a written incident response plan in place that has been tested. A response plan should be written in conjunction with providers, clinical engineering and IT to ensure that all operational aspects are considered. The plan should identify incident leads, contact information, and downtime procedures. The plan should be tested annually in a tabletop exercise to identify weaknesses, update the plan and, most importantly, to ensure everyone is prepared.
Residual risk
Biomedical devices typically have a long life span, much longer than the average computer lifespan of about four years. While an operating system may be supported for a decade or more, a biomedical device manufacturer may not release a product on that OS until halfway through its lifecycle and may continue to sell devices on it until the day the OS vendor ends support. This creates residual problems for devices that outlive their OS support or that are resold after their useful life at a hospital has passed, and it should be taken into consideration if a hospital resells equipment.
Additionally, the contract between a vendor and a hospital may not permit the transfer of a software license between the hospital and a third party. If a hospital is reselling old equipment it should review its contracts to ensure it is not in violation of the contract agreement.
Fundamentally, a hospital should also consider who it resells used equipment to. If items are being sold to community physicians or providers in underserved communities, do those providers have the means to protect their patients, networks, and data that is stored on these devices that are past their support periods?
Proper disposal of the device should include removal of any non-volatile storage and destruction of the data on it. Degaussing is effective only for magnetic media such as hard disks and tape; solid-state drives and flash memory must be shredded or, where the vendor supports it, cryptographically erased.
Summary
Until the medical device industry catches up with cybersecurity, there are steps that hospitals can take to minimize medical device cybersecurity risks. An effective program that defines medical device governance is a good place to start.
Operationally, medical device security starts with the procurement process and proper asset management. HTM departments need to know the “big picture” and understand where they sit in a network full of integrated devices and think in terms of “medical systems” as opposed to individual devices. In a system full of connected devices, security is only as strong as its weakest link.
