State of Data Security
We operate our businesses in a world where many of us are constantly looking over our shoulder. Threats to the security of our personal information are real and consistent. These threats need to be confronted and dealt with.
Physical security, unlike cyber security, can be actively managed to an extent. We can be aware of our surroundings, keep a lookout for threats, and confront or remove ourselves from hazardous situations.
Threats to our privacy and personal information, however, are more insidious. Many of us try to maintain a degree of information security in our lives. We protect our personal computers and other electronics from potential malware and intrusions. We make sure our personal information is protected from public scrutiny by electronic security, physical home security, or destruction as appropriate.
However, for an individual, data security is not as substantial or straightforward. There are many situations where private information is not in the hands of consumers to protect. For example, credit information at the local store or gas station. Names, addresses, and phone numbers can be sold very easily.
Similarly, personal credit and health information utilized by our local hospital.
Cybersecurity has been a hot topic for quite some time, and has recently been brought to the forefront again with widespread ransomware attacks. While several experts were wringing their hands, a couple of very intelligent individuals took it upon themselves to come up with a very elegant and sensible solution – registering the domain name of the malware, thus proving its illegitimacy. And, and it worked! If not for this correction, these attacks could have been more catastrophic.
For the most part, American companies do a very good job of front end insulation from cyber-attacks. This is both in part for their need to protect customers, as well as their reputation and bottom line.
Complex solutions based on prudence, good judgement, and technology, are part of the nominal infrastructure. The time and effort in protecting the front end of our networks and systems, although not perfect, has been satisfactory.
Healthcare vs. Non-Healthcare Businesses
Most Healthcare organizations can be described as above. They do a good job in protection with network controls and tools. They normally have a very proficient and dedicated staff on hand to research, defend, and counterattack malware and Personal Health Information (PHI) breaches. Unfortunately, healthcare institutions, by design, have differing issues that need to be dealt with verses the average business.
The vast majority of businesses isolate their physical buildings and equipment from visitors and other non-employees. Access is very regimented and controlled.
Hospitals not only have a population of patients, but a larger number of visitors, with facility access that would make most companies cringe. There is minimal access control.
And, unlike many businesses, there is normally a large amount of non-employee/staff, with access into the heart of the facility. This includes everyone from sales and service personnel, to visiting clinical and consultant staff.
Businesses are usually able to standardize point of use electronic equipment. The number of different vendors and models is reduced. The specific requirements can nominally be handled by this rather minimal range. Employees can provide a degree of protection with individual passwords, personal ownership, and local physical security. This allows point of use, as well as, network security to be maximized with a minimal number of tools and processes.
Hospitals, on the other hand, usually have a very large range of devices from different vendors. These are needed to provide critical patient care in many areas, for maximum effectiveness and patient safety. This wide range of devices does not normally allow for individual ownership and attention. The vast number of devices makes physical security very difficult. The need for real time patient information, for both critical decision making and record implementation, requires more devices to be networked and available with personal data. Needless to say, networking a large number of disparate devices requires overcoming unique technical hurdles. This in turn increases the difficulty of cybersecurity.
For the most part, a cyber-attack will not be injurious on a physical level. Informationally, an attack can be disastrous. At the hardware level, loss of a computer or printer to malware can lead to a production stoppage, costly repairs/replacements, and rework.
Loss of PHI at the hospital level is equally disastrous for a healthcare institution. Not only can personal and financial information be disclosed, but sensitive individual health data can be exposed. But more importantly, a malware attack can affect the operation of medical devices to the point of degraded treatment efficacy and patient safety!
The Chain Is Only As Strong As The Weakest Link
As stated, most hospitals do a very good job on front end protection of their backbone and various adjunct networks. They also do a good job in the connection and protection of devices in the Local Area Networks.
But by far, the largest group of medical device security risks are administrative and environmental.
Direct Network Connections
Some large scale medical devices are directly net connected with IP access. This can include radiologic devices and complex biomedical systems. This is requested by the vendor so they can monitor device operation and use. This is normally a low security connection, and the potential for breach is high.
Medical Device Inventory
Most healthcare facilities utilize a device inventory for cataloging individual device files. These files normally contain standard information on the device such as Type, Model, Serial Number, Vendor, etc. To correctly deal with potential cyber threats, information needs to be added: Hardware/Software/Firmware Revisions, associated Networks and IP’s, Active Ports, stored and pass through PHI, and on board Security Software.
Poor password protection can result in direct access by unauthorized individuals. Many facilities utilize vendor default passwords for operation, configuration and maintenance. Device passwords can be found in routine internet searches. A robust password policy and program can dramatically decrease any unauthorized access.
Accessible Data Ports
Disconnection, removal, and covering of accessible interface connectors also needs to be done. Visitors have been known to charge their cell phones on the front USB ports of patient monitors. If the USB still has power, then the port is most likely active, with the question of how accessible the data is.
Spare devices and secondary Central Monitoring Stations need to be disabled and protected if not currently in use. Some nursing units will have an alternate central monitor away from the primary Nurse station. If active, someone may be able to disable or reconfigure alarms, or download patient data.
Proper Use of Medical Devices
Using devices for other than their intended operation can be very problematic. Listening to a home brew music CD on a $500,000.00 minimally invasive video system may be enjoyable for the staff during an O.R. procedure – but what else is on the CD, where did it come from?
Personal Temporary Storage Devices
Temporary storage devices used with medical devices should be provided, controlled, and monitored by a structured hospital policy. Commercially available security storage devices should be obtained, inventoried and distributed to qualified employees who have need of use only.
Devices not currently in use should be secured in a locked, limited access area. In addition, any small form factor devices should be attached with security hardware to prevent theft.
Ongoing Security Inspections
Device security aspects should be included in the Preventive Maintenance/Inspection schedule. Logs should be reviewed and old data purged. Non-used active ports turned off if possible, and password use scrutinized. Any networked device should be compared with information in the device inventory file to ensure the data is going to where it should. Periodic overall security audits should also be completed.
Equipment disposal continues to be an issue. Data thieves routinely scour hospitals for unsecured medical records and PHI. Disposal of devices should include removal of any PHI, to the point of removing drives and disposing per hospital policy. This would include medical devices to be disposed as electronic waste, trade-in equipment, and any devices sold to third parties.
Where does HCTec fit into this?
It is accepted that we do a good job of protecting our Networks and Infrastructure from external threats. It is also obvious that we do not rise to the challenge of protection for our individual medical devices and internal threats. A comprehensive program needs to be put into place to deal with these challenges on an ongoing basis.
HCTec offers a Medical Device Data Security Program that can be customized to the customer’s needs. The program includes on site review and process implementation, to cover all facets of the described risks.
In addition, the program offers emergent assistance to security issues, occurrences, and regulatory concerns.
Scheduled audits can also be included as needed.
For more information on the Medical Device Data Security Program, please contact HCTec.