By German G. (John) Baron, CBET, BSBME, CSP

Asset management throughout the life cycles of medical devices is one of the major responsibilities for health care technology management (HTM) professionals. They must ensure that equipment complies with all requirements and that it functions safely throughout its life cycle. An increasingly critical element of this life cycle is security. This article offers one example of an approach for incorporating security and privacy into the life cycle management process. It is based on collaborative teamwork involving a range of organization members and medical device vendors.

The life cycle of a medical device encompasses a span of time from before the system is purchased to when the health care organization disposes of it. The life cycle phases of particular concern to the HTM team may include market analysis, selection, acquisition, inspection, acceptance, operation and maintenance, and finally, the proper disposal of the system. (Security and privacy should be addressed during the initial design phase by the medical system manufacturer. However, that is beyond the scope of this paper.)

Security is a key element of the life cycle because each member of a health care organization is directly or indirectly responsible for protecting both its medical devices and the sensitive information of its patients. To ensure an effective life cycle security process, it is important for the organization to decide on a standardized definition of what medical devices are and the important role that each department plays in their security life cycle. It may be helpful in this regard to refer to the FDA’s definition of a medical device along with its classification of devices by risk (see www.fda.gov/MedicalDevices).

Making Security a Priority

Why is it necessary to include security and privacy as part of the medical device life cycle? Besides having to comply with federal regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, there is a need to enhance the security of medical devices to ensure the confidentiality, integrity, and availability of the patients’ sensitive information.

In addition, the security of medical devices should be made a priority, since it is directly related to patient safety. IT security controls must be implemented to protect stand-alone and networked medical devices. For example, a stand-alone unit (not connected to the network) with wireless networking capabilities may be at risk of remote tampering if this function is not turned off or protected with tight access controls. Another example is the possibility of delivering fatal shocks to a patient by hacking the implanted wireless heart defibrillator from a distance of 50 feet. This risk was demonstrated by Barnaby Jack, director of embedded device security at services firm IOActive, who also showed that unauthorized access to insulin pumps can be achieved with a basic PC and an antenna.1 It is not difficult to see the many risks that unauthorized access to medical devices or to the information stored on them can pose for patients.

HIPAA and HITECH mandate that all protected health information (PHI) in both paper and electronic form be protected. Today, many medical devices are, in part, computer systems that store, transmit, or process patient-sensitive data. Therefore, the health care organization must implement all security measures possible to protect the data and ensure patient safety by minimizing unauthorized access to the devices. The National Institute of Standards and Technology (NIST) provides guidance on how to control access to information systems in its Special Publication 800-53.2 In addition, Subpart C of the HIPAA regulation (“Security Standards for the Protection of Electronic Protected Health Information”) itemizes the administrative, physical, and technical safeguards that should be employed.3

It is important to note that the security of medical devices must be managed with greater care and oversight than that of standard IT systems.4 Making any change to a system from its original equipment configuration without the vendor’s involvement or consent may have serious consequences for both the health care organization and its patients.

This means that the medical device vendor must first assess the patch or update to ensure that it does not compromise the functionality or the original configuration of the medical device. Once documented confirmation is received from the vendor, the medical device can be patched accordingly. For this reason, the security structure for the life cycle of medical devices needs to include the collaboration of the medical system vendors as well as that of the information technology department, privacy or information security officers, and other organization team members. It is a good practice to review the medical device manufacturers’ patch-management process prior to the acquisition of the systems so that this is included in the management plan. I also recommend reading the FDA’s documents related to security and patch-management responsibilities for medical device software and systems, especially John Murray’s presentation on “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.”5

Life Cycle Management

Figure 1: A flow chart depicting one way an organization could incorporate security and privacy protection into the life cycle management of its medical equipment.

Figure 1 depicts how an organization may want to incorporate security and privacy protection into the life cycle management of medical devices. The health care organization begins by performing a market analysis for the system requested by the service chief. The analysis will include the security and privacy protection features that are designed into the system to protect sensitive data. Along with other technical and security documentation, the medical device manufacturer or vendor may provide a disclosure statement for medical device security (MDS2), which documents model-specific security.6 Through a collaborative approach, the various teams of the organization assess and review all of the offers in order to select the best system to meet the business needs.

After the selection and acquisition process, the HTM team inspects the system and accepts it into the organization’s inventory or asset-management system. This is a prime opportunity to record in the system’s documentation the type of sensitive data that the system processes, stores, or transmits, along with the security controls that are used to protect the data. Risk assessments and privacy impact assessments are important documents that record this system information. Overall, this inventory and documentation will prove valuable for incident resolution in the event of unauthorized access to or loss of the device. I also recommend that every system be inspected at this stage to ensure that there is no stored PHI on the device.

In the next phase, the HTM team installs the medical device and works collaboratively with the IT personnel to ensure that all network and security policies are followed. It is a good practice to isolate the equipment from the other networked systems in order to protect against or contain any spread of malware. At this time, all administrative, physical, and technical protection should be verified with the organization’s information security and privacy officers.

During the operation and maintenance phase, a continuous monitoring process for security should be in place to ensure that the medical device is up-to-date with all patches and updates. A good rapport with the manufacturer will enable a mutually agreeable patch-management process to be implemented efficiently and effectively. Some medical device manufacturers may already have an automated patch-management process, but if not, a manual process must be implemented. The manufacturer should test the patches regularly and promptly. After the manufacturer gives the go-ahead, the HTM team applies the patch or update, then tests the system for functionality and safety. This process should be done routinely for all the organization’s medical devices. (It should be noted that under the HIPAA Omnibus Rule, device manufacturers or servicers may now be considered as business associates of the health care organizations, which makes them responsible for the patch management.7)
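The gated patch workflow described above, as an added example that is not part of the original article: a patch record can only be applied to a device once the manufacturer’s documented decision is on file, and is only closed once the HTM functionality and safety test passes. Device and patch identifiers used in the comments and test are constructed placeholders.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

class PatchState(Enum):
    RELEASED = "released"                # OTS software vendor has published the patch
    VENDOR_REVIEW = "vendor_review"      # medical device manufacturer is assessing it
    VENDOR_APPROVED = "vendor_approved"  # documented confirmation received
    VENDOR_REJECTED = "vendor_rejected"  # manufacturer says it would alter the device
    APPLIED = "applied"                  # HTM team applied it to the device
    VERIFIED = "verified"                # post-patch functionality/safety test passed

@dataclass
class PatchRecord:
    device_id: str                       # asset tag from the inventory system
    patch_id: str                        # identifier of the OTS patch or update
    state: PatchState = PatchState.RELEASED
    vendor_confirmation: Optional[str] = None   # reference to the manufacturer's written decision
    history: List[str] = field(default_factory=list)

    def submit_to_vendor(self) -> None:
        self._move(PatchState.RELEASED, PatchState.VENDOR_REVIEW, "sent to manufacturer")

    def record_vendor_decision(self, approved: bool, confirmation_ref: str) -> None:
        if not confirmation_ref:
            raise ValueError("manufacturer decision must be documented")
        self.vendor_confirmation = confirmation_ref
        target = PatchState.VENDOR_APPROVED if approved else PatchState.VENDOR_REJECTED
        self._move(PatchState.VENDOR_REVIEW, target, f"vendor decision {confirmation_ref}")

    def can_apply(self) -> bool:
        # The gate the article describes: no change without documented vendor consent.
        return self.state == PatchState.VENDOR_APPROVED and bool(self.vendor_confirmation)

    def apply(self, technician: str) -> None:
        if not self.can_apply():
            raise PermissionError(f"{self.patch_id}: no documented vendor approval for {self.device_id}")
        self._move(PatchState.VENDOR_APPROVED, PatchState.APPLIED, f"applied by {technician}")

    def verify(self, tests_passed: bool) -> None:
        if not tests_passed:
            raise RuntimeError(f"{self.device_id}: post-patch functionality/safety test failed")
        self._move(PatchState.APPLIED, PatchState.VERIFIED, "functionality and safety test passed")

    def _move(self, expected: PatchState, new: PatchState, note: str) -> None:
        if self.state != expected:
            raise RuntimeError(f"{self.patch_id}: cannot go from {self.state.value} to {new.value}")
        self.state = new
        self.history.append(f"{new.value}: {note}")

def open_items(records: List[PatchRecord]) -> List[str]:
    """Patches still awaiting action by the manufacturer or the HTM team."""
    closed = {PatchState.VERIFIED, PatchState.VENDOR_REJECTED}
    return [f"{r.device_id}/{r.patch_id} ({r.state.value})" for r in records if r.state not in closed]
```

The `open_items` report is what a continuous-monitoring review would walk through for the whole inventory; a record rejected by the manufacturer is closed but its history keeps the documented reason.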

Perhaps some time in the near future, a medical device database linked to the NIST National Vulnerability Database (nvd.nist.gov) can be established so that HTM professionals and medical device manufacturers can expedite the patch management of medical devices. This risk-management dream can only be realized through the collaboration of many stakeholders.

Finally, during the disposal phase of the medical device life cycle, the organization should have a process by which all sensitive data is properly and completely removed from the device before it leaves the premises. Where systems are traded in to manufacturers or sold to other entities, the removal of the data is even more imperative. A good practice is to make arrangements with the vendor for this during the acquisition phase. The contract can stipulate the provision of a new hard drive at the disposal phase so that the system can be turned in or sold fully operational with no sensitive data stored on it. The swapped-out hard drive can then be physically destroyed or wiped, according to the organization’s policy.

The planning and development of a comprehensive and effective medical device life cycle program, including security and privacy protection, requires a collaborative team approach. Each member of the health care organization is responsible for the data and for the safety of the patients; hence, a team approach is the best solution. The sharing of information and best practices is an excellent approach to enhancing the security and privacy of medical devices and patient safety at the same time.

The failure to prevent unauthorized access to the devices or to the sensitive data poses substantial risks for the patients and the health care organization. It is therefore not only a legal obligation, but also a moral responsibility to enhance the security of medical devices.

Life Cycle Team Members and Responsibilities

The following list identifies possible team members who may be involved in managing the medical device life cycle, along with their possible responsibilities. Organizations may adapt these examples as appropriate to best meet their business needs.

Contracting Officer (CO)

• Ensure that all solicitation documents contain the appropriate documentation describing the functional properties of the security controls employed within the medical system with sufficient detail to permit analysis and testing of the controls.
• Ensure that solicitation documents have been reviewed by the Health Care Organization’s chief information officer (CIO) and information security officer (ISO) or privacy officer.
• Include specific language in contracts to ensure protection and sanitization of sensitive information when the product is returned to the company for repair or disposal.
• Ensure compliance with information security policies by conducting self-assessments of this policy. In the acquisition cycle, contracting can follow a methodology consistent with NIST Special Publication 800-64, Security Considerations in the Information System Development Life Cycle.
• Ensure that the ISO reviews and is involved with the IT contract requirements in all stages of an acquisition.
• Include contract language ensuring that information accessed, stored, or processed on outside systems is safeguarded.

Service Chief or Designee

• Work with the HTM and IT staff to determine the business need for connecting the device to the organization’s backbone.
• Work with interested parties before purchase to ensure review by the CIO and ISO.

Information Technology Department

• Work with HTM staff to determine and plan for networking and security.
• Work with HTM staff to isolate the medical device in a VLAN.

Information Security Officer (ISO)

• Work with HTM and IT staff to determine the security categorization of the medical device.
• Review and approve each acquisition of a medical device from an information security perspective.
• Determine whether the equipment manufacturer has an existing business associate agreement (BAA) with the organization, and assist with establishing a BAA where needed.
• Determine the current status of virtual private network access for the manufacturer’s service organization, and assist with establishing remote access where necessary through accepted organization procedures.
• Ensure protection and sanitization of sensitive information when the product is returned to the company for repair or disposal.

HTM Staff

• Work with IT staff to determine the business need for connecting the device to the organization’s backbone.
• Work with ISO and Information Technology (IT) staff to determine the security categorization of the medical device.
• Engage with IT staff in development of a request for proposal and statement of work to identify IT needs.
• Obtain manufacturer disclosure statement for medical device security (MDS2).
• In conjunction with the manufacturer or vendor, complete the organization’s security documents, privacy impact assessments, and, if applicable, the pre-installation worksheet regarding the security requirements and appropriate level of security controls.
• Identify other devices and systems requiring communication for proper operation.
• Maintain an accurate inventory of medical devices.
• Ensure that a quality assurance program is designed for the useful life of the device, consistent with statutory and regulatory requirements, including those of the FDA, NFPA, and The Joint Commission.

References

1. McGee MK. How to minimize medical device risks. Healthcare Info Security. November 29, 2012. Accessed June 21, 2013.
2. Recommended security controls for federal information systems and organizations. Washington, DC: National Institute of Standards and Technology. August 2009. Accessed July 3, 2013.
3. Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d-9 (2010).
4. Guidance for Industry—Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software. Washington, DC: Food and Drug Administration. January 14, 2005. Accessed July 3, 2013.
5. Murray JF. Presentation: cybersecurity for networked medical devices containing off-the-shelf (OTS) software. March 23, 2010. Accessed June 21, 2013.
6. Manufacturers disclosure statement for medical device security. HIMSS. December 8, 2004. Accessed July 3, 2013.
7. Anderson H. Medical devices: new security help. Healthcare Info Security. March 6, 2013. Accessed June 21, 2013.

German G. (John) Baron, CBET, BSBME, CSP, has more than 30 years of experience in the biomedical arena, including military medical specialties and clinical experience, and 10 years in the IT security arena. For more information, contact [email protected].