Improving Medical Device Information Security

Start me up: improving information security through better management of biomedical devices

Biomedical devices in contemporary hospitals and other care delivery environments are necessarily
ubiquitous. They are instrumental for delivering excellent health care. While conducting a security risk
assessment at a 400-bed hospital, we found over 5000 such devices, many of which required network
connectivity to report results to a downstream piece of software or to allow remote IT management. We
also found a staggering variety of device types, ranging from cytometers and infusion pumps to heart rate
monitors and resuscitators.

For IT security practitioners, such devices are often a bane. For various reasons, including unclear
regulatory direction, many biomedical devices run outdated operating systems and applications built
with inadequate software security. As a result these devices are ripe for attack by viruses, worms and
other forms of malware. Perhaps most disturbingly, most of these connected devices hang directly off
the core IT network. In most of the hospitals we assess, these devices are rarely segregated into
their own virtual LANs (VLANs), which would provide an added measure of safety. Instead, a worm that
infiltrates, say, an old infusion pump running an unpatched version of Windows 2000 can propagate like
wildfire, bringing the main hospital network to a crawl or even fully disabling it. Another common
security hole is an unsecured or poorly secured wireless connection that an attacker can exploit with
rudimentary wireless hacking equipment.

Obviously the ramifications for a hospital are tremendous. Information is the lifeblood of modern
hospitals: from admitting, to billing, to labs and diagnostic machines, to electronic medical record
repositories, a modern hospital cannot function without reliable information technology.

So with such massive risks posed by medical devices, what should security practitioners do? We suggest
doing the following first:

  1. Create a cross-disciplinary team of biomedical engineers and IT experts to manage all biomedical
    devices. For historical reasons, "Clinical Engineering" departments have been responsible for
    biomedical device management, and this function is usually kept quite separate from the IT experts
    responsible for overall hospital IT. As a result very little knowledge is shared, and the two
    groups have built their own "islands of expertise". Coordination between these typically
    disparate groups allows proper design of IT networks, segregation requirements, wireless
    frequency management and the like. It is much harder to fix a technology problem in the
    production phase than in the design phase, so the two groups should meet often to work through
    their problems together. For example, IT experts might recommend that all biomedical devices
    be placed on their own private VLANs so that they do not share the core network with, say, the
    revenue cycle application.
  2. Conduct an extensive inventory of all biomedical devices. Record which operating systems are in
    use, how wireless frequencies are used, what applications run on top of any embedded OS, whether
    the device is networked and on which segment, and what protective measures are in place for the
    device and for the downstream systems it talks to.

These two items form the core first step in improving the data hygiene problems posed by biomedical
devices that need to be networked. Through these two formative tasks, any problem areas (i.e.
opportunities for remediation) will surface and can be resolved by simple triage: address the most
dangerous problems first, and among problems of similar risk, the least costly to fix first.
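The inventory and triage described above can be made concrete with a small script. The following Python is an added example, not code from the original article or from any hospital's tooling: it parses a constructed inventory of the kind step 2 produces, flags the conditions the article calls out (unsupported OS, missing patches, no VLAN segregation, weak wireless), and orders devices by risk and then by fix cost. The CSV column names, the scoring weights, the biomedical VLAN names and the assessment date are all assumptions made for illustration; the end-of-support dates for the listed Microsoft products are real but the table must be maintained.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import date

# Constructed inventory, standing in for the spreadsheet the joint
# clinical-engineering / IT team would assemble. Column names are assumptions.
INVENTORY_CSV = """\
asset_id,device_type,os,networked,vlan,wireless,patch_current,fix_cost
BM-0001,infusion pump,Windows 2000,yes,,none,no,3
BM-0002,flow cytometer,Windows XP,yes,core,none,no,4
BM-0003,heart rate monitor,Linux 4.19,yes,biomed-mon,wpa2,yes,1
BM-0004,resuscitator,embedded RTOS,no,,none,yes,1
BM-0005,infusion pump,Windows 7,yes,core,open,no,2
"""

# Vendor end-of-extended-support dates. Anything not listed is treated as
# supported, so this table has to be kept current.
OS_END_OF_SUPPORT = {
    "windows 2000": date(2010, 7, 13),
    "windows xp": date(2014, 4, 8),
    "windows 7": date(2020, 1, 14),
}

# VLANs reserved for biomedical devices (assumed names).
BIOMED_VLANS = {"biomed-mon", "biomed-pumps"}

# Fixed assessment date so the run is reproducible (assumption).
ASSESSMENT_DATE = date(2024, 1, 1)


@dataclass
class Device:
    asset_id: str
    device_type: str
    os: str
    networked: bool
    vlan: str
    wireless: str
    patch_current: bool
    fix_cost: int            # 1 (cheap) .. 5 (expensive), as estimated by the team
    findings: list = field(default_factory=list)
    risk: int = 0


def parse_inventory(text):
    """Read the CSV inventory into Device records."""
    yes = lambda s: s.strip().lower() == "yes"
    return [
        Device(
            asset_id=row["asset_id"],
            device_type=row["device_type"],
            os=row["os"],
            networked=yes(row["networked"]),
            vlan=row["vlan"].strip(),
            wireless=row["wireless"].strip().lower(),
            patch_current=yes(row["patch_current"]),
            fix_cost=int(row["fix_cost"]),
        )
        for row in csv.DictReader(io.StringIO(text))
    ]


def assess(dev, today=ASSESSMENT_DATE):
    """Attach findings and an additive risk score to one device (weights are assumptions)."""
    dev.findings, dev.risk = [], 0
    eol = OS_END_OF_SUPPORT.get(dev.os.strip().lower())
    if eol and eol <= today:
        dev.findings.append(f"unsupported OS ({dev.os}, support ended {eol})")
        dev.risk += 4
    if not dev.patch_current:
        dev.findings.append("patches not current")
        dev.risk += 2
    if dev.networked and dev.vlan not in BIOMED_VLANS:
        dev.findings.append(f"on core network ({dev.vlan or 'no VLAN'}), not segregated")
        dev.risk += 3
    if dev.wireless in ("open", "wep"):
        dev.findings.append(f"weak wireless ({dev.wireless})")
        dev.risk += 3
    # An unconnected device cannot spread malware over the network: halve its score.
    if not dev.networked:
        dev.risk //= 2
    return dev


def triage(devices, today=ASSESSMENT_DATE):
    """Highest risk first; among equal risk, cheapest fix first; then asset id."""
    return sorted((assess(d, today) for d in devices),
                  key=lambda d: (-d.risk, d.fix_cost, d.asset_id))


if __name__ == "__main__":
    for d in triage(parse_inventory(INVENTORY_CSV)):
        print(f"{d.asset_id} {d.device_type:20} risk={d.risk} fix_cost={d.fix_cost}")
        for f in d.findings:
            print(f"    - {f}")
```

Run as written, the unpatched Windows 7 pump on the core network with an open wireless link comes out on top, the two end-of-life Windows devices on the core network follow (cheaper fix first), and the segregated, patched monitor and the unconnected resuscitator fall to the bottom with no findings. The weights are deliberately simple; the point is that the ordering is derived from inventory fields the two teams can actually collect, not from opinion.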

Subsequently, the security officers of a hospital should supervise how biomedical devices are
designed, managed, serviced, and monitored to ensure the overall sanctity of the hospital's information
infrastructure. We recommend that hospitals adopt the approach described in ANSI/AAMI/IEC 80001-1
(Application of risk management for IT-networks incorporating medical devices – Part 1: Roles,
responsibilities and activities). This document provides a clear, concise and reasonable template that
most hospitals can follow.

Biomedical devices, and especially those connected to IT networks, are not going away. We live in a
networked world, where one application or device needs to communicate with many upstream or
downstream devices and applications to deliver safe care. We must consider biomedical devices to be
an integral part of our information infrastructures, and therefore we must provide for and nurture
their security. Doing this in a clear, uncluttered and stepwise fashion is the right start for most US
hospitals today. We cannot and should not ignore this threat to patient safety.