
BLOG SERIES, PART 3 | Healthcare’s Space Junk: Medical Device & IoT Security

Blog Post by Brian Selfridge, Meditology Services IT Risk Management Partner

At the beginning of space exploration, lost satellites and flight equipment were probably not high on the space program's priority list. Once satellites were launched and replaced, the topic of lost "space junk" emerged. Medical device and IoT inventory management poses a similar issue in our industry. Not knowing where devices are located is a red flag for data security, because a treasure trove of data may be resident on the devices themselves.

A strategic direction for managing medical devices should be captured in a formal medical device and IoT security program and strategic plan.

Organizations must build a medical device and IoT security program that aligns with leading industry standards such as those offered by the FDA, NIST, MDISS, HIMSS, ISO and HITRUST. Organizations should not wait for regulators like the FDA to drive enforcement of security standards. Instead, health entities should be active in conversations with regulators about needed data security standards and work collaboratively with the medical device market to ensure appropriate data security measures are factored into product design and implementations.

Understanding stakeholder needs is vital to appropriately establish a medical device security program. Motivations for key stakeholders may vary depending on their perspective.

For instance, clinicians and physicians may be most focused on patient safety, while finance may be most focused on impacts to the availability of systems to provide care and receive funding (e.g. ransomware outages have real financial impact when patients must be diverted to other facilities).

IT leadership is often focused on interruption to uptime and availability of devices and systems. Compliance leaders have a high interest in regulatory compliance, avoiding fines and audits.

Not all devices are created equal. Medical devices should therefore be tiered based on clinical safety considerations, the volume of patient records managed by the device and platform, and similar factors. Medical device security programs must prioritize which devices to secure first and then move on to others over time.

One of the biggest gaps in technical solutions is using tools for medical device inventory discovery and then progressing to more advanced, proactive protection capabilities.
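To make the "space junk" and tiering points above concrete, here is an added example (not code from the original post or from Meditology) in Python. It reconciles a constructed hospital asset register against devices observed on the network, reports registered devices that are nowhere to be found (and how many patient records they hold), reports unregistered devices that showed up anyway, and ranks the reconciled devices into remediation tiers by clinical safety impact and PHI volume. The field names, safety scale, thresholds, serial numbers and VLAN names are all assumptions made for this example.

```python
"""Inventory reconciliation and tiering for medical devices.

Constructed example: a hospital's asset register (what it believes it owns)
is compared against devices seen on the network, producing:
  - "space junk": registered devices not seen anywhere (possibly lost, with PHI on them)
  - unmanaged: devices on the network that nobody registered
  - a prioritized work list of reconciled devices, tiered by clinical safety
    impact and the volume of patient records resident on the device.
All data, field names and thresholds are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisteredDevice:
    serial: str
    model: str
    safety_class: int     # assumed scale: 1 = low patient-safety impact ... 3 = life-sustaining
    patient_records: int  # approximate number of patient records resident on the device


# Constructed asset register (hypothetical serials and models).
REGISTER = [
    RegisteredDevice("INF-0001", "infusion pump", 3, 20),
    RegisteredDevice("MON-0042", "patient monitor", 3, 500),
    RegisteredDevice("IMG-0007", "ultrasound cart", 2, 12000),
    RegisteredDevice("LAB-0310", "lab analyzer", 1, 8000),
    RegisteredDevice("INF-0002", "infusion pump", 3, 15),
]

# Constructed network observations (e.g. from passive discovery): serial -> last-seen VLAN.
OBSERVED = {
    "INF-0001": "clinical-vlan-10",
    "MON-0042": "clinical-vlan-10",
    "LAB-0310": "lab-vlan-30",
    "UNK-9999": "guest-wifi",  # on the network, but absent from the register
}


def reconcile(register, observed):
    """Split the register into missing, unmanaged and present devices.

    Returns (missing devices, unmanaged serials, present devices); each list is
    sorted by serial so the output is deterministic.
    """
    registered = {d.serial: d for d in register}
    missing = [registered[s] for s in sorted(registered) if s not in observed]
    unmanaged = sorted(s for s in observed if s not in registered)
    present = [registered[s] for s in sorted(registered) if s in observed]
    return missing, unmanaged, present


def tier(device):
    """Assign a remediation tier from 1 (secure first) to 3 (later).

    Life-sustaining devices or large PHI stores go first; the cut-offs are an
    assumption for this example, not an industry standard.
    """
    if device.safety_class == 3 or device.patient_records >= 10000:
        return 1
    if device.safety_class == 2 or device.patient_records >= 1000:
        return 2
    return 3


def prioritize(devices):
    """Order a work list by tier, then by PHI volume (largest first), then serial."""
    return sorted(devices, key=lambda d: (tier(d), -d.patient_records, d.serial))


def phi_at_risk(missing):
    """Patient records believed to sit on devices whose whereabouts are unknown."""
    return sum(d.patient_records for d in missing)


if __name__ == "__main__":
    missing, unmanaged, present = reconcile(REGISTER, OBSERVED)
    print("Space junk (registered, not seen):", [d.serial for d in missing])
    print("Patient records on unlocated devices:", phi_at_risk(missing))
    print("Unmanaged (seen, not registered):", unmanaged)
    for d in prioritize(present):
        print(f"tier {tier(d)}  {d.serial:9} {d.model:16} records={d.patient_records}")
```

Running the script flags the ultrasound cart as the most worrying finding: it is not on the network, yet the register says it holds the largest patient-record store of any device listed. That is exactly the lost-satellite problem the post describes, and the reconciliation step is what an inventory discovery tool has to feed before any tiering or proactive protection can be meaningful.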

Technical solutions like cloud-based inventory and IoT security automation solutions are helping to fill some of the technical security challenge gaps, but the larger challenge is defining the people and processes required to implement a medical device security program.[1] 

On the macro level, health organizations should be actively involved in thought leadership with both regulators and medical device manufacturers. By engaging in the dialogue on data security needs and vulnerabilities, CISOs are in a unique position to help set the industry standards for security of PHI. In 2017, two bills were introduced to address data security on medical devices: the Internet of Medical Things Resilience Partnership Act (October 2017) [2] and the Medical Device Cybersecurity Act (August 2017). [3]

For a deep-space view of managing medical device security, download the comprehensive white paper, “Hijacking Your Life Support: Medical Device Security”, March 2017, which outlines the basics of setting up a medical device security program.

You can also download Meditology’s trend report entitled Navigating the Changing Cyberspace: 2018 Healthcare Data Security Outlook. It’s packed with trends and strategic advice on handling emerging and continuing threats to securing patient data. 

This is PART 3 of a five-part blog series highlighting Healthcare Information Security trends as we pay tribute to the anniversary of the Apollo 11 mission of 1969. 


About the Author
Brian Selfridge leads Meditology's IT Risk Management Services practice, which is dedicated to delivering expertise and leadership in information privacy and security, compliance, and audit, specifically for healthcare. He advises the federal government, including OCR and HHS, and is a frequent presenter and sought-after leader in the healthcare security and compliance industry. Contact Brian directly at brian.selfridge@meditologyservices.com or follow him on LinkedIn.


[1] CloudPost Networks website. Retrieved March 2018 from: https://www.cloudpostnetworks.com/

[2] HIPAA Journal, "Internet of Medical Things Resilience Partnership Act Bill Introduced", October 9, 2017. Retrieved from: https://www.hipaajournal.com/internet-of-medical-things-resilience-partnership-act/

[3] Snell, E., HealthITSecurity.com, "Medical Device Cybersecurity Act Draws Industry Support", August 7, 2017. Retrieved from: https://healthitsecurity.com/news/medical-device-cybersecurity-act-draws-industry-support