Regulatory recommendations and considerations for medical device security

Jul 25, 2018

With the rise in adoption of new technology in the healthcare industry, robust, network-connected medical devices are rapidly becoming critical tools used during the course of patient care. According to a recent study by Research and Markets, the rapid growth of the medical device market will continue steadily (4.5% CAGR) over the next five years, and culminate in 2023 with over $409.5B in market value. However, as is common with new technology – even before you take into consideration the capabilities of machines used to capture, aggregate, and transmit patient health information – many medical devices are now seen as a critical point of exposure for PHI and as a potential security risk for the rest of the healthcare IT infrastructure.

In fact, there are major financial incentives for hackers to infiltrate EHRs by using connected medical devices as a backdoor to the rest of the network – and, if you add that to HIPAA fines that can be associated with failure to protect PHI stored on a medical device, the consequences can be dire for healthcare organizations.

In the first installment of this three-part series dedicated to educating healthcare organizations on the best ways to implement security measures for network-connected medical devices, we’ll discuss what the current regulatory ecosystem looks like and what that means for health systems today.

Healthcare organizations need to ensure the proper security measures are implemented in order to protect confidential PHI from exposure, whether accidental or as a result of malicious activity. Currently, there are regulations and guidance set forth by the FDA and other governing bodies to properly align medical device manufacturing processes with cybersecurity best practices in order to ensure that cyber threats and unauthorized users do not impede device functionality or patient privacy. As such, many manufacturers have responded by adding access controls to better ensure the physical security of their devices, a measure which tightly aligns with National Institute of Standards and Technology (NIST) best practices. However, direct regulation and guidance for healthcare organizations themselves is lacking, leaving IT and security leaders struggling to understand and prioritize security initiatives for network-connected devices in their environment. 

Today, the NIST framework is the closest guideline organizations can align to when it comes to medical device security; however, not all components of the framework are compatible with today’s device technology. Due to the long design and lifecycle of medical devices, organizations often face difficulty when it comes to patching or updating devices in order to deter security threats. Many devices are operating on outdated or legacy operating systems that are difficult, if not impossible, to patch via normal methods. Additionally, threat detection, analytics, and other security practices that are standard for desktops and other endpoints are only just starting to become commonplace for network-connected medical devices. Furthermore, manual patching and updating of device software often requires biomedical engineering teams to take the devices out of service for a period of time, leading to interruptions in care.

As a quick win, organizations should look to implement single- and two-factor authentication, which can help support physical device security by restricting unauthorized access to these devices. However, if not done properly, security measures like strong authentication can actually lead to increased risk by encouraging password and other security workarounds.

In the next installment of this series we’ll outline some of the most critical security and compliance workarounds that healthcare organizations can face when security measures become barriers between clinicians and the patients they are trying to treat.

Imprivata is working with leading medical device manufacturers to better enable organizations to implement foundational security best practices with modalities that are tailored specifically to clinical workflows. Join our upcoming webinar on August 1, 2018 for a deep dive into the best practices for implementing access controls on medical devices, or contact an Imprivata representative today to learn more.