September 04, 2013
It has been almost twenty years since the Health Insurance Portability and Accountability Act (HIPAA) became law.1 This law had many purposes, among them addressing the security and privacy of health data, and defining policies, procedures and guidelines for maintaining the privacy and security of protected health information (PHI). As medical devices have progressed towards wireless, point of care and even electronic, implantable technologies, there have been several high profile instances of devices being hacked. The target of these acts is not the data, but the operating and communications systems over which this data is carried. However, these acts can alter how the device operates, resulting in potential patient illness, injury and even death. Recent legislation has been signed into law, along with calls by Federal agencies for more stringent oversight of medical device security, which are designed to combat this threat. Additionally, device manufacturers, manufacturers of OEM anti-malware software, medical practitioners and hospital IT services can – and should – take actions to ensure the safety of those patients who are using potentially vulnerable medical devices and their supporting communications networks.
In early 2011, a man attending The Black Hat Briefings2, a computer information security conference whose attendees include federal agencies, corporations and hackers, demonstrated how he had hacked a wireless communication system between a glucose meter and pump controller, and a wearable insulin pump.3 The man was a diabetic who personally used wireless insulin pump technology. The hack intercepted the wireless signals between the devices and broadcasted a stronger signal to change the readout, causing the person to adjust their dose. This would allow an attacker to manipulate the diabetic’s insulin injections and could possibly be used to injure or kill the pump user.
Later that year, the OEM of a similar insulin pump system requested that software security experts investigate potential vulnerabilities associated with their device, in response to claims that their devices could be hacked, with potentially similar patient outcomes.4
Early last year, security researchers confirmed that the OEM’s device was not only vulnerable to this type of malicious attack, but that several of its other features were also vulnerable, potentially causing the user to operate the device in an unintended manner or to miss warnings that insulin should be delivered.5
While wearable insulin pump devices have received much of the attention relative to malicious attacks, many other classes of devices, including those critical to patient health and safety, may also be vulnerable.6
Threats to patient safety are not just limited to the point-of-care devices themselves. Point of care devices used in clinical settings are more commonly being managed by centralized Medical Device Management software applications and associated hardware and wireless communications configurations, which are also proving to be vulnerable to attack.In March 2013, the OEM of a hospital management system was hacked and disabled by just six lines of malicious code.7
Lastly, there is growing evidence that many medical service providers, hospitals and clinics are neglecting to secure medical devices and associated networks, as they believe it is the OEMs responsibility to secure their devices.8 In a study conducted in late 2011, 69 percent of respondents said their data security policies do not cover medical devices, and ninety-four percent of respondents said they had at least one data breach in the past two years, up from 86 percent in 2010. The study also reported that costs associated with these breaches may total as much as $7 billion per year.9
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act became law.10 This Act, which is essentially a reinforcement of existing HIPAA law,11 contains a new Stage 2 “Meaningful Use” Rule12 which requires that participants conduct risk assessments, as was required in Stage 1 of HIPAA. However, the Stage 2 rule specifically requires that the analysis address the security of data stored in Certified Electronic Health Records Technology (CEHRT).13 While the original rule requires a risk assessment for the security of PHI, it was not equipped to address today’s encryption challenges; the Stage 2 rule requires that device software be designed to automatically encrypt electronic health information stored locally on end-user devices.14 In early 2013, the U.S. Department of Health and Human Services (HHS) issued its Final Rule on the Act, which went into effect on March 26.15 While the Act addressed the protection of “data at rest,” the security requirements contained in the Act were developed prior to the high-profile device hacking. This has resulted in additional calls to action for greater device security.
In August, 2012, the U.S Government Accounting Office (GAO) issued a report to Congress which urged the U.S Food and Drug Administration (FDA) to consider expanding information security requirements for certain types of medical devices.16 In their report, the GAO identifies threats, vulnerabilities and risks associated with implantable medical devices. They also evaluated how deeply the FDA considers information security during its premarket review of certain devices with known vulnerabilities, and determined the post-market efforts the FDA has in place to identify information security problems17. Several weeks later, the FDA announced that it was investigating how it monitors medical device security threats, including potentially strengthening requirements related to the reporting of safety and security issues.18 They also cited that medical device security events are ineffectively reported to the FDA and also called for working with other agencies, including the Department of Homeland Security (DHS) in the identification and tracking of potential threats.19 In June, 2013, the FDA issued a safety communications calling for medical device manufacturers to take measures to minimize the risk of malicious attack. It also summarized the scope of the exposure and recommended actions for both device manufacturers and healthcare facilities for evaluating device and network security.20 The communications started the process for implementing a more comprehensive event reporting process through their Adverse Event Reporting (AER) program.21
The following methods can be used to secure medical device technology including risk analysis, leveraging the current state of electronics security technologies, and providing training and education for information technology staff and learned intermediaries, who manage and use potentially vulnerable medical devices.
These methods can include:
Many OEM device manufacturers and third-party service providers are recognizing the need to not just manage, but also monitor the operation and performance of wireless devices attached to a wireless network as a best practice for assessing real-time threats.28 Software systems that use predictive modeling and can monitor medical devices and provide alerts when there is an outage, device malfunction or intrusion within a clinical network can add an extra layer of protection on top of other security methods.29 30
As medical devices continue to use more information technology in their operation and monitoring, device manufacturers, physicians, clinicians, learned intermediaries and IT professionals employed in the healthcare industry should have a working knowledge of device security and the threat that unsecure devices pose to their patients. This includes reinforcing data security policies including procedures for securing wireless medical devices, since many clinical IT security policies do not address this.31 Advanced education in security medical devices from vulnerabilities is essential. Colleges and institutions are responding to this need in the form of accredited courses in medical device security.32
The advance of wireless electronic medical devices has brought improved patient care and effective patient monitoring. The security of these devices has thus far lagged behind the importance of the protection of patient data. These devices can, and should be, given due consideration within the framework of hospital and clinical IT security; the means for doing so is becoming increasingly clear via regulatory rulings and IT security best practices. Application of regulatory guidance and security management best practices can help ensure both the security of electronic medical devices and the patients and medical professionals they serve.
To learn more about how OneBeacon Technology Insurance can help you manage online and other technology risks, please contact Lloyd Takata, SVP of OneBeacon Technology Insurance at firstname.lastname@example.org or 952.852.6028.