Over 90 Total Lots Up For Auction at One Location - WA 04/08

Out of Sight, Out of Control: Uncovering Hidden Data Security Risks of Connected Medical Devices

April 11, 2011
From the April 2011 issue of HealthCare Business News magazine

• Cover the basics.
At the very least, you must track each device and protect it, and make sure your organization’s policies and procedures cover it. Look at the availability of your equipment. If equipment is vulnerable – if data can’t be executed properly, or you can’t guarantee the device will perform on a consistent basis – you may need a different set of standards, compared to devices that don’t carry patient information, or don’t have the same availability requirement. A different standard for critical care devices may be necessary as well.

• Hold vendors accountable.
Vendors should not be able to sell you things on incompatible levels of software. Some make money by allowing outdated software to expire and requiring you to buy an upgrade – they may not even remember what’s running on it. Make it clear to vendors that you will not buy that equipment if you find out that’s the case, and inventory what you have and what those devices are running on.

• Fill the clinical engineering/IT gap.
As previously discussed, neither group is completely comfortable owning connected device security. One solution to this problem is to implement change management — meaning getting IT, clinical engineering and the device owner working together to achieve data and device security. Recently, one hospital was having medical devices knocked off their network every other week. They saw a pattern but couldn’t understand what triggered it. As it turned out, a mobile imaging lab was pulling up its truck and connecting to the hospital. The truck hadn’t changed the address scheme from the last hospital, so when they got to the new hospital, the addressing conflict kicked devices off the network.

By implementing a change management process between IT, clinical engineering and operations (risk management, quality control, etc.), you allow for a common point of contact. It may also be helpful to ask questions like: How do I get a new static IP address if I’m a clinical engineer or vendor installing a new device? How do I tell you if I need to change that address? How does IT document that request? If IT has to reboot a switch, how do they inform clinical engineering? Answering these questions ahead of time will ensure both groups are proactively monitoring and will be ready to act should there be a security breach.

• Educate individuals on data security.
Prevention begins with education of individuals within a health system. Physicians that run their own practices but are connected to larger health systems are especially important to educate, since they come and go, connect and disconnect from the network frequently. Start with the importance of password policies. You may be surprised at how many physician offices don’t have one, or have passwords taped to a drawer that everyone can access. Start building awareness of these types of risks. Meanwhile, it’s important to develop a culture of reporting problems. In 2009, nearly 80 million health records were breached from threats that were not properly assessed, according to the Privacy Rights Clearinghouse. It’s amazing how much people will tolerate with regard to technical problems – they think they can just hit the reset button to fix them. A problem may persist for weeks or years until something bad happens. Teach people that if it doesn’t look right, report it and call for help.

You Must Be Logged In To Post A Comment