Connected devices have been an integral part of the healthcare industry for several years now. These networked devices form the basis of connected healthcare for monitoring, drug delivery, and record-keeping are frequently seen in hospitals, clinics, and research facilities. The Department of Veterans Affairs has put these connected devices to work to simplify the delivery of care and automate essential processes. However, while there are obvious benefits to using connected devices, they also present a growing risk.
“Many of these devices, frankly, present a huge security threat to government networks as well as to the personal data of patients,” cautioned Paul Parker, Chief Technologist, Federal and National Government at SolarWinds, which develops IT management and cybersecurity technology.
The issue, Parker explained, stems from the sheer variety of wired and wireless devices from multiple manufacturers that can connect to the network. “Wireless medical devices can be moved around the building, or even taken to other locations. Yet, this ‘Internet of Health’ isn’t always treated with the same security mindset as a laptop or cell phone,” he said.
With more than 55,000 networked medical devices in use, the Department of Veterans Affairs has made aggressive moves toward solving this issue. Under the Medical Device Protection Program, launched in 2009, a new set of protocols was introduced to isolate connected medical devices on the network.
However, several security challenges remain. As Parker explained, “Many medical devices can store personally identifiable information, and most have restrictions on software patches and updates, which makes them vulnerable to attack. Not only can someone steal or inadvertently release the data that’s stored on each device, they are potential entry points to the entire network.”
In addition, medical devices may not be supported by enterprise management and cybersecurity tools, and some older devices simply can’t be updated to meet new security protocols. “These devices aren’t always visible to the network management tools, and, ironically, they can’t be scanned for infections,” Parker pointed out.
The solution, he said, stems from viewing these devices as entry points to the network. “Just like any other mobile device or a connected appliance, like a thermostat or lighting system, medical devices provide benefits and risks.”
Parker emphasized that compliance with security standards and regulations, including the Federal Information Security Management Act (FISMA) and the Risk Management Framework, are absolutely essential, adding, “Another must-have is centralized access control and configuration capabilities for every asset on your network.”
In a healthcare environment, where no breaches are acceptable, Parker suggested that an effective approach requires a comprehensive access control list (ACL) strategy that incorporates standardizing ACL configurations across the network while isolating and protecting medical devices. He also stressed the need to review and implement authorized network configuration changes while detecting and fixing unauthorized or suspicious changes, all in real time.
“Just like everything else in security, it comes down to having a strategy, enforcing policies, training the users and network staff, and using the right technologies for the task,” Parker said. “With the Internet of Health, the risks are huge, but those risks can be contained. For any agency dealing with medical technologies, there is no choice; these devices and the data they collect must be protected.”