As cyberthreats to healthcare continue to grow and evolve, healthcare technology management (HTM) professionals and medical device manufacturers are still wrapping their heads around the best ways to ensure the security of hospital-based medical devices and networks. At the same time, the migration of patient care into so-called “nontraditional environments,” such as the home, has introduced additional challenges.
“We are still a long way from doing an effective job in terms of addressing the security of medical devices in the environments that we’re all familiar with,” said Stephen Grimes, managing partner and principal consultant for Strategic Health Care Technology Associates, LLC, during Sunday morning’s Clinical Engineering Symposium hosted by the American College of Clinical Engineering (ACCE). “As we begin to work in these other environments, we’re seeing a greater challenge.”
One of the biggest challenges is the lack of control HTM and cybersecurity professionals have over the environment medical devices are brought into. Patients have different Internet service providers, varying degrees of cyber hygiene, and different levels of technological savvy.
“Often, as we reach out into these nontraditional environments, we’re very constrained in terms of the amount of control that we have,” Grimes said. “So, one of the things you certainly need to be doing is considering the environment that you are placing these devices in—not only what the risk is if these devices fail as a consequence of a security-related problem, but also what are the kinds of controls that you will be able to exercise over these devices.”
In general, such controls include:
- Setting up virtual private networks, or VPNs, as a “secured tunnel for exchanging information.”
- Using security routers to monitor traffic coming into the environment.
- Restricting access from unauthorized operators.
- Disabling hardware and software ports that are not necessary for the clinical function of the device.
- Encrypting data at rest and in motion.
- Employing role-based access to the system or device.
But ultimately, HTM professionals and device manufacturers are going to need to think outside the box if they are going to develop and deploy devices that keep patients and their data safe when used outside of brick-and-mortar hospitals.
“Many of the traditional security measures that we take in healthcare environments aren’t appropriate for use in nontraditional environments,” Grimes said. “We aren’t going to be able to use the same kinds of processes and infrastructure as we have in more controlled environments, so we need to come up with alternatives to ensure that we have as safe an environment as possible.”