
Medical Device Security Begins with Health IT Infrastructure

Medical device security needs to be addressed on the health IT infrastructure level so device software is developed to meet unique security standards.


By Elizabeth O'Dowd

Medical device security complexities continue to plague healthcare as organizations look for health IT infrastructure solutions to exchange data over the network. As more medical devices connect to the network, securely exchanging data becomes more complex.

Rules and regulations can be written for connected devices, but proactively improving network security and functionality is the most fundamental step toward ensuring that patient data is always protected.

Healthcare organizations need to develop a strategy that addresses the issue at the infrastructure level by developing a risk-based framework that promotes technological innovation to better protect patient data, according to the FDA.

Many of the infrastructure tools that will be developed to improve workflow and patient care will be cloud-based applications. Those applications have access to data repositories, but the amount of data they can reach is not always constrained.

Every application does not need access to all of the data within an organization. If an application has access to all of the data, even data it will never need to perform its function, there is a higher chance more of the network will be at risk if that application is hacked.
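The following is an added example, not code from the article or from any vendor it mentions: it shows how a data repository can enforce a per-application scope so that an application only ever receives the collections and fields it was issued. The scope names, collections, field names and patient record are all constructed for the illustration. A denied request is recorded and raises an error rather than silently returning partial data, so a compromised application cannot enumerate what else is in the repository.

```python
"""Per-application data scoping for a shared patient-data repository.

Added example (not from the article). Each application holds an AppScope
naming the collections and fields it may read; the repository checks the
scope on every query and records the decision, so an application that is
compromised can only reach the data its scope already allowed.
"""
from dataclasses import dataclass


class AccessDenied(PermissionError):
    """Raised when a query falls outside the caller's scope."""


@dataclass(frozen=True)
class AppScope:
    app_id: str
    allowed: dict  # collection name -> frozenset of readable field names

    def permits(self, collection: str, fields) -> bool:
        # Deny unknown collections and any field outside the allow-list.
        return collection in self.allowed and set(fields) <= self.allowed[collection]


class PatientRepository:
    def __init__(self, records: dict):
        self._records = records  # collection -> patient_id -> row
        self.audit = []          # (decision, app_id, collection, fields)

    def query(self, scope: AppScope, collection: str, fields, patient_id: str) -> dict:
        fields = tuple(fields)
        if not scope.permits(collection, fields):
            self.audit.append(("DENY", scope.app_id, collection, fields))
            # Do not reveal whether the collection or fields exist.
            raise AccessDenied(f"{scope.app_id} is not scoped for this request")
        self.audit.append(("ALLOW", scope.app_id, collection, fields))
        row = self._records[collection][patient_id]
        # Return only the requested (and permitted) fields, never the whole row.
        return {f: row[f] for f in fields}


# Constructed sample data (hypothetical; not real patient information).
RECORDS = {
    "vitals": {
        "p001": {"patient_id": "p001", "heart_rate": 72, "spo2": 98},
    },
    "demographics": {
        "p001": {"patient_id": "p001", "name": "Sample Patient", "dob": "1970-01-01"},
    },
}

# Hypothetical scopes: a bedside dashboard needs vitals only.
VITALS_DASHBOARD = AppScope(
    "vitals-dashboard",
    {"vitals": frozenset({"patient_id", "heart_rate", "spo2"})},
)


def demo():
    """Run one in-scope query and one out-of-scope query against the repository."""
    repo = PatientRepository(RECORDS)
    in_scope = repo.query(VITALS_DASHBOARD, "vitals", ["heart_rate", "spo2"], "p001")
    try:
        repo.query(VITALS_DASHBOARD, "demographics", ["name", "dob"], "p001")
        denied = False
    except AccessDenied:
        denied = True
    return in_scope, denied, repo.audit


if __name__ == "__main__":
    result, was_denied, audit = demo()
    print(result, was_denied)
    for entry in audit:
        print(entry)
```

The scope is checked at the repository boundary rather than inside each application, which is the point of the paragraph above: if the dashboard is compromised, the attacker inherits only the dashboard's scope. The audit entries give the security team a record of out-of-scope attempts, which is usually the first sign that an application is being misused.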

Containers and edge computing are two ways organizations can control which data applications have access to. Edge computing is a decentralized approach that focuses on near real-time data processing at the point of collection. Because an edge node only handles the data it needs, it does not have to sort through an entire repository, which shortens the time it takes to collect, process, and present data at the source.

Containers also add functionality while better securing data by isolating applications from one another. If one containerized application is compromised, the attacker is confined to that container's resources and cannot readily use it as a path to other applications or the wider network. Container isolation is not a perfect boundary, so it should be paired with least-privilege access to data rather than relied on alone.

The Internet of Things (IoT) also presents a complicated challenge for securing healthcare data. The IoT appears in many different forms and can often make it difficult for IT administrators to differentiate among information sources, devices, networks, and IT applications, according to AHIMA. Without proper network control and visibility, it becomes harder for IT administrators to tell what is inside and what is outside of the network.

IoT devices that may not seem hackable can threaten the network if they are not managed and monitored properly. Seemingly harmless devices such as defibrillators can expose patient data or come under cyberattack just as easily as a computer or smartphone. A device does not need a screen or a user interface to be hacked.

“Network construction and maintenance needs the help of skilled IT and—more importantly—skilled security personnel,” explained AHIMA. “Incidents where security and privacy compromise occurs, such as service attacks that block information input to a device or where the device battery is unnecessarily depleted, are major areas of concern.”

AHIMA added that how healthcare organizations will address cybersecurity for IoT devices such as implanted medical devices will differ from traditional strategies. Traditional security strategies will not work for implanted devices because they do not function the same way and they do not carry the same hardware.

Standardization is essential to solving the problem of patient data security as healthcare organizations add more advanced and more varied devices to their networks.

“The standard published by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), IEC 82304-1:2016 Health Software–Part 1: General requirements for product safety, is focused on patient safety of health software,” said AHIMA. “This standard emphasizes that software development has been identified as a major area that can compromise patient safety.”

Organizations cannot develop software the same way across the board when they are dealing with stationary, mobile, and IoT devices that all communicate with the network different ways. The software that works for a mobile device most likely will not work for a stationary or IoT device. If all devices are treated the same, organizations will have large gaps and vulnerabilities in their security infrastructure.

Developing a standard provides consistency across the software development for different kinds of devices.

“Commonly, areas such as quality management, information management, and systems and software lifecycle processes, have not been addressed in a consistent way,” AHIMA explained. “They may have differing importance depending on the stakeholder involved, and differing requirements depending on the context of use and their place along the device and information lifecycles.”

Protection of patient data remains an issue that healthcare organizations deal with and cannot be addressed on a single level. Beginning to build secure software solutions that accommodate the unique uses of different medical devices will significantly decrease the chances of patient data being compromised in the future.