A guest post from Christopher Burgess, the former senior security advisor to the chief security officer at Cisco.
In the first seven months of 2011, more than 5.5 million patient records containing personal health information (PHI) were exposed via 126 separate breach/loss events, according to the Privacy Rights Clearinghouse (date of info: Aug 27, 2011).
Many of these events involved removable electronic media (memory stick or memory card), while others pertained to medical devices which had the built-in capability to retain patient data.
We normally think of laptops, portable hard drives, and thumb drives as the items which – if lost – will compromise PHI. The reality is, those devices absolutely are of interest, but so are your medical devices.
According to HIMSS, hospitals typically have 300 to 400 percent more medical devices than IT (information technology) devices.
Does your facility have a device which retains PHI?
Who is responsible for ensuring PHI is not exposed?
The equipment manufacturer? The health care provider?
Some say one, most say both.
To that end, HIMSS and the National Electrical Manufacturers Association (NEMA) developed the Manufacturer Disclosure Statement for Medical Device Security (MDS2). With MDS2, HIMSS intends to provide the health care provider sufficient information so the provider can create processes to protect patient PHI which is transmitted or retained by medical devices.
HIMSS went further: they created a template and worksheet, with useful and appropriate security-centric questions, that allow the health care provider to assess the risk of PHI exposure. The Manufacturer Disclosure Statement for Medical Device Security document is available from NEMA.
Thank you, HIMSS, that is most useful from the health care provider’s optic, but what of the medical device manufacturers?
Many medical devices have telemetry requirements, which require patient data to be both present within the device’s resident memory and to be transmitted from the device to a monitoring or record-preservation device (hard drive or tape).
During transmission, are the content or command/control sequences protected? Do they need to be? Unfortunately, yes. The data must be protected not only from a PHI-data disclosure perspective, but also from a data corruption perspective.
Hackers are out there, waiting.
At the recent Black Hat security conference, the integrity of the operational aspects of a medical device was thrust into the spotlight when an attack against a Medtronic-manufactured insulin pump was demonstrated by researcher Jay Radcliffe.
Radcliffe demonstrated how he was able to remotely take control of the insulin pump as the “attacker” and successfully adjust the levels of insulin being pumped into the patient to a harmful level. (For additional reading, see Elinor Mills’ CNET coverage: “Researcher battles insulin pump maker over security flaw.”)
While the risk to an individual may be mathematically low, we can all agree that the risk is above zero, and both manufacturers and health care providers have a role to play.
So what are medical device manufacturers to do?
Medical device marketing companies need to make security a part of their design process, not a “bolt-on” solution after the device is manufactured, and they need to participate in the HIMSS/NEMA process. The health care provider will then have sufficient information to securely use the medical device with respect to both patient health information (protected by HIPAA) and the integrity of the operation of the device.
If the device manufacturers don’t, the US Government will be there to ensure they do, as Representatives Eshoo (D-CA) and Markey (D-MA), both senior members on the House Energy and Commerce Committees, have asked the Government Accounting Office to conduct a review of the Federal Communications Commission’s actions in regard to wireless medical devices.
The congressmen specifically asked the GAO to:
1. Identify the challenges and risks posed by the proliferation of medical implants and other devices that make use of broadband and wireless technology.
2. Take steps to improve the efficiency of the regulatory processes applicable to broadband and wireless enabled medical devices.
3. Ensure wireless enabled medical devices will not cause harmful interference to other equipment.
4. Oversee such devices to ensure they are safe, reliable, and secure.
5. Coordinate its activities with the Food and Drug Administration.
In conclusion, you are advised to take supra-Congressional interest to heart: Ensure your medical devices have security baked in and not bolted on, thus protecting the integrity of your device and the health and privacy of the patient.
Christopher Burgess (@burgessct) is the former senior security advisor to the chief security officer at Cisco. Prior to joining Cisco, he served as a senior national security executive for more than 30 years. He has lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America, where he acquired an understanding of people, cultures, and societal issues. Christopher addresses threats to intellectual property, security aspects of social media, security strategy, security education and awareness, and prevention of industrial espionage. Additionally, he is the co-author of Secrets Stolen, Fortune Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century, and a regular contributor to The Huffington Post, which began with his piece, “A common sense approach to social media.” He also focuses on a number of societal issues such as hunger, slavery, and health, as well as how to keep one’s family safe online, via his personal blogs: BurgessCT and Veritate et Virtute. Christopher is a member of the advisory board to the Mayo Clinic Center for Social Media.