Medical Devices: New Challenges in Medical Information Security

Wednesday, August 29, 2018

The advent of wireless networking technology has enabled the development of devices and services that are transforming patient monitoring and health care delivery. In addition to configuring implanted devices using wireless networking, medical devices that are ubiquitous on the floors of hospitals, such as infusion pumps and telemetry monitors, now use wireless technology to transmit data directly to an EHR or to allow clinicians to adjust the medical interventions being provided from their computer desktops.

While transformative, the application of wireless network technology to medical devices is not without risk. The release just days ago of Special Publication 1800-8 “Securing Wireless Infusion Pumps in Healthcare Delivery Organizations” by the U.S. National Institute of Standards and Technology (NIST) reminds us of these potential risks. 

Medical practices can frame medical device risk management using the same risk management framework(s) used for other forms of information security risk, such as NIST SP 800-53 or the NIST Cybersecurity Framework. However, based on this new guidance from NIST as well as our own experience performing medical device security and privacy risk assessments, Purdue Healthcare Advisors' IT team has found the following controls warrant greater attention when evaluating medical device security and privacy risks in medical devices.

Device Inventory:  We often rely on automatic updates to patch security vulnerabilities in our workstations and servers. Medical devices, however, are less likely to run operating software that supports automatic updates. Even if they do, they may not allow end users to update their software for fear of the device becoming non-functional, or may only allow manual software updates. Therefore, knowing what devices you have, what software they run, and how/when they can be updated is critical to device security.

Access Credentials:  It is hard to understate the importance of unique login credentials for each user in any environment. Medical devices often are less supportive of strong access controls than workstations, but don’t just assume this to be true. Read your devices’ documentation and implement the strongest credentials that are supported by the device in question that will allow the necessary functionality. If device access controls are weak, augment credentials with other access controls such as restricting physical access to devices.

Device Monitoring:  When your practice’s cool new telemetry device updates your EHR automatically, what information is it sending over the network? Is the stream of data encrypted? You should know. If your devices are sending PII over the cable or through the air in plain text, this is a vulnerability you need to secure. Further, can you gain access to the device by simply connecting to the wireless network? What about from your practice’s guest wireless network? Who is logging into the device and what are they doing? All of these questions are especially important to medical device security not only because of the sensitive information they may transmit, but because unauthorized access has a uniquely acute ability to negatively impact patient health.

Physical Security:  Many medical devices are both portable and valuable. In fact, if the march of technology has not yet made your expensive medical device small enough to carry around, the vendor has graciously put it on wheels for ease of transport. If your laptop cost you $50,000, you’d probably do a better job of keeping it locked up or looked after. Your medical devices are, in many cases, super-expensive portable devices that provide critical care to sick patients. If you don’t have a policy and procedure to regularly purge these devices of patient information, they may also be rolling HIPAA breaches in the making. For all of these reasons, you should put in place multiple controls to ensure that you don’t lose track of your medical devices.

Though medical device security can be framed by extending standard IT security and privacy risk models, implementing strong security for these devices is tricky.  If you have medical devices in your practice (especially infusion pumps), you should read NIST’s most recent guidance. If you have questions or concerns about the security of your devices, we can help.


Writer: Joe Beckman, 765-496-1911, beckmanj@purdue.edu

Writer: Jeanine Parsch, 765-496-7583, jeanine@purdue.edu

Tags: Health IT Security

Purdue University, West Lafayette, IN 47907 (765) 496-1911

© 2014 Purdue University | An equal access/equal opportunity university | Copyright Complaints

If you have trouble accessing this page because of a disability, please contact Purdue Technical Assistance Program taphelp@purdue.edu.