Medical Device Vulnerabilities High on CIO's List of Worries
Health Leaders Media
A Big, Big, Big Problem
Windows XP is also a continuing headache in too many medical devices, Miri says. "I just saw one the other day in the UK, where a Windows XP device that was actually a lab instrument was infected with malware and had inadvertently infected an entire NHS hospital."
Another example Miri cites is medication-dispensing machines. "In my previous life, I had three brand-new medicine-dispensing machines shipped to me, brand new, still in the shrinkwrap," he says. "We put them into a brand new unit we had just built. We turned them on. We plugged them in the network. Immediately, my systems started going haywire. Sure enough, these things came infected from the factory with malware, because their underlying operating system was Windows XP. This was just a year and a half ago.
"Based on my conversations with other CIOs, [we] don't even know what's happening because of how unmanaged these devices are." He likens these devices to "little pockets of individual freedom floating out there that must attach to your network because the FDA mandates it must do so, without any ability to get your arms around the product, because they play by a different set of rules. So it's a big, big, big problem."
In Washington, groups such as CHIME and HIMSS are calling for tougher rules on medical device manufacturers, but Miri notes that responsibility for solving the problem is divided by between the FDA, the FTC, and the HHS Office of Civil Rights. "Who is the true sheriff of the road?" he asks. "Anybody who knows anything about government knows that once you have multiple agencies playing, they seem to get in each other's way."
The White House has a cybersecurity coordinator, but Miri says there is an effort to augment this with, effectively, a national chief information security officer, to stop the finger-pointing among agencies. A provision in the Cybersecurity Information Sharing Act of 2015, signed into law by President Obama in December, may help put such a czar in place.
"Some action is better than no action, but there is still no mandate, and I am still able to go buy medical devices on the market without any encryption, or without following the same rules that I am forced to go by as a covered entity," Miri says.
For now, CIOs such as Miri will have to rely upon a protective superstructure of security software, overlaid upon their computer networks, to try to detect intrusions, and limit the amount of damage that a rogue device can do upon a network. Miri relies on commercial solutions from vendors such as Imprivata to manage important aspects such as single sign-on, user access controls, and auditing.
"Especially when it comes to IT, I'm competing for every dollar I need to spend against a dollar that could be spent on a new bed or a new instrument, so if I cannot show ROI, you can bet your bottom dollar the CFO is going to give me any money to spend."
"So beyond the convenience and quality and safety factors of being able to audit, track, and disseminate what's going on with my community, I am able to show time saved. I am able to show a maximization of the time spent at the bedside with the patient."
Miri described other techniques that are making a difference, including virtual desktop interfaces (VDI) which provide further control of desktops. But I came away from our conversation believing it is high time that we crack down on those devices that represent one of the most vulnerable attack vendors of healthcare IT today.
It's not difficult to believe that if we do not act much more aggressively, a lot more ransoms shall be demanded by cyber criminals. At this crucial time in healthcare, it's the last thing any of us need.