Medical Device Security in the SpotlightNew HITRUST Working Group to Address Concerns
In yet another sign that medical device cybersecurity is becoming a growing concern, a new group has been formed to tackle the issue - the latest in a series of initiatives in this arena.
The Health Information Trust Alliance, best known for its Common Security Framework, has launched a working group in an effort "to improve the overall security of and trust in health information technology, including systems and medical devices." The goal of the program "is to avoid, report and mitigate vulnerabilities related to health IT and medical devices," HITRUST says.
Networked medical devices, such as MRIs, ventilators and insulin pumps, face emerging cyberthreats, including malware, software flaws and hacker attacks, that can affect the integrity of data and raise potential safety concerns for patients (see Medical Device Security: The Hurdles). Security experts say that, until recently, there was a general lack of awareness among many device manufacturers as well as healthcare providers about the need to identify and mitigate cybersecurity vulnerabilities.
HITRUST's new project is just the latest in the arena of medical device security.
For example, two not-for-profit organizations, the Medical Device Innovation, Safety and Security Consortium, or MDISS, and the Center for Internet Security last October jointly released guidance to help manufacturers and users of medical devices running the Windows XP or Windows 7 operating systems to quickly assess the devices' security configurations.
And last fall, the Food and Drug Administration announced it was collaborating with the National Health Information Sharing and Analysis Center to develop a shared risk assessment framework that can enable healthcare stakeholders "to efficiently assess patient safety and public health risks associated with identified cybersecurity vulnerabilities and take timely, appropriate action to mitigate the risks" related to medical devices, as well as the integrity and security of the healthcare IT infrastructure.
The FDA's work with NH-ISAC follows other FDA activities over the last two years aimed at bolstering medical device cybersecurity. That includes FDA issuing guidance in 2013 urging manufacturers to develop cybersecurity controls in the design phase of their product development. The guidance also recommends the device makers document their risk analysis of cybersecurity threats and vulnerabilities and spell out ways to mitigate those risks, such as through encryption.
The FDA also issued a "safety communication" to manufacturers and healthcare organizations, listing steps they should consider taking to mitigate cybersecurity risks to medical devices.
In addition, a recently released 2015 work plan of the Department of Health and Human Services' Office of Inspector General that outlines new and ongoing activities indicates the watchdog agency will be more closely scrutinizing whether federal oversight of hospitals' medical device cybersecurity steps is sufficient (see Medical Device Security: More Scrutiny).
Dale Nordenberg, M.D., founder of the Medical Device Innovation, Safety and Security Consortium, which is now working with NH-ISAC on efforts related to improving health sector information sharing related to medical device security threats and risk mitigation, tells Information Security Media Group he's not surprised that HITRUST is becoming more active in the medical device security domain.
"This is a major public health problem, and the more people we have working on these issues, the better," Nordenberg says. "The medical device domain is a very complex from a technology, regulatory, policy and public health perspective. Organizations addressing medical device security and safety will benefit from these [various industrywide] efforts."
Nordenberg adds that over the last four years, he's seen "good progress and increased commitment" to medical device security risk assessment and mitigation efforts. That progress includes more awareness among manufacturers about the need to address cybersecurity risks in the designs of their products, he says.
HITRUST Working Group
As for HITRUST's new Health Information Technology and Medical Device Integrity and Security Program, the alliance says the working group "will canvas the industry to ensure that the efforts of the program will leverage and complement existing clinical safety reporting capabilities, standards and best practices."
The working group will focus on several areas, including creating "communication" to address concerns over the security and reliability of health information systems; raising awareness about the individual's role in system usage; and increasing the trust of the public in health information technology as it relates to privacy, security, confidentiality and reliability.
HITRUST says the group will also develop a "framework" to help organizations avoid, report, and mitigate vulnerabilities. The group will also identify and document security-related issues, challenges and concerns related to the lifecycle of medical devices.
The new working group will address some of the gaps in medical device cybersecurity efforts, says group member Sara Coulter, vice president of industry relations at medical device maker Philips Healthcare.
"One of the biggest challenges the industry has is that the implementation of technical security elements varies ... and may employ a number of technologies, including firewalls, virus-scanning software, authentication technologies, etc.," she says. "As with any computer-based system, protection must be provided such that firewalls and/or other security devices are in place between the medical system and any externally accessible systems."
Healthcare lacks a standard means for recognizing and sharing vulnerabilities and for sharing best practices, Coulter says. "The establishment of the HITRUST working group will be extremely important to ... sharing best practices and development of a common framework to leverage existing clinical safety reporting capabilities, standards and best practices."
HITRUST also recently announced that it is adding privacy controls to the latest version of its Common Security Framework, slated to be released Jan. 31 (see HITRUST Adds Privacy Controls To Framework).