S3 E15: Medical Device Cybersecurity
Transcript
Jordan Eisner (00:01)
So here we are back again with another episode of Compliance Pointers, again on camera and, again, audio obviously. So Carol, this is your seventh time. I know that because we were just looking at a stat count of frequent guests and you were at six. So this is seven. So thank you again for joining us.
Carol Amick (00:23)
Thank you for having me.
Jordan Eisner (00:25)
And we’re talking about a unique topic today, one that I don’t have too much familiarity or experience in. So I’m interested to learn as well with some of these questions that we’ve put forth today. But we’re going to be talking about cybersecurity risks posed by medical devices and how healthcare organizations can mitigate those risks. What makes Carol Amick adept or experienced enough to have these questions asked of her and advise on these? Well, she’s got, this is 20-plus years’ experience, Carol, but it’s close to 30, isn’t it?
Carol Amick (01:02)
Yes, but we’re gonna... I started when I was five.
Jordan Eisner (01:06)
Right, exactly. Yeah, when you started is, you know, it’s the experience that counts, and I think it’s close to 30 in the space as a consultant, as compliance personnel within organizations, extensive experience with HIPAA, of course, from a security and privacy standpoint, but also HITRUST, which is a certifiable framework for organizations to help them up the ante, I think even, in how they’re demonstrating cybersecurity and information assurance as it pertains to PHI and other sensitive data sets. So yeah, she’s well qualified to talk about these things, as many of our frequent listeners and viewers probably already know, since this is your seventh time on. So let’s start with the basics. Give us some examples of medical devices that could pose a risk from a security standpoint.
Carol Amick (01:58)
There are a lot of medical devices that could expose the risk because, you know, they now all have PHI on them and they’re all interconnected. It’s things like pacemakers that may be implantable into people, insulin pumps that, you know, people are using to deliver insulin if they’re diabetic. The IV pumps you see at the hospital, the tree, you know, that you see on the medical shows, or if you’ve been in the hospital it’s connected to you, that’s giving you fluids, maybe giving you blood depending on what you’re having.
All kinds of devices that are both implantable and a part of your body, put on your body temporarily, like a pump that you could take off and on, or that you are using while you’re in a medical facility receiving treatment, chemotherapy, dialysis, that kind of thing. So there are a lot of medical devices being used and they’re all interconnected. They’re all communicating with others and sharing your data so they protect your health, and they also help your healthcare provider see what’s going on with your health. For example, my mother wore a device that just warned her doctor if her heart had an issue. It wasn’t really a pacemaker. It was just a constant monitoring device. So you’ve got a lot of different devices in the environment right now.
Jordan Eisner (03:16)
That’s a good overview. Beyond the obvious on why there’s security risk associated with these, right there they’re tied to personnel, there’s some life-dependent information that they’re communicating. Beside the obvious, why do these devices pose a security risk? Why do you call these out in particular?
Carol Amick (03:38)
There are two, there’s a couple of reasons. I mean, you talked about one real quickly, that they do pose a risk to the patient. If somebody gets a hold of them and does something to them inappropriately, a pacemaker, for example, you’re wearing that device in your body. If something was done to it, theoretically, it could impact the quality of your life. It could impact your life. So that’s one risk. The other is that these could be a way for a bad actor to introduce malware into a connected health environment.
And then start ransomware, and it’s not just the information. I mean, your medical device might just have information about you, but if they got into the environment, then they would have medical... They might be able to get medical information.
Jordan Eisner (04:18)
Yeah, feeds into what everybody else is feeding into. Yeah, good point.
Carol Amick (04:22)
Yeah, and that’s, you know, it has actually, it’s been several years, but the NIH and the United Kingdom, I think, and some other people were impacted by a ransomware virus that was kind of introduced into their network via a medical device. So you have seen this happen, where you’re now bringing down the entire network and it was because of a weakness in a medical device. So a lot of people don’t think about these as a real security thing, but they are something that needs to be considered, because they are exposing you to risk in this environment we’re currently in where everything is interconnected. And they do a great job of keeping your health and making sure you’re in good shape. But if you are the healthcare provider organization, you have to make sure that you’re protected.
Jordan Eisner (05:10)
So let’s get into that, you know, how they do that. So what are the steps a healthcare provider or organization needs to take, or can take, to mitigate risk from medical devices? Or associated with, maybe not from, but associated with medical devices.
Carol Amick (05:26)
First you need to consider the risk. And I say that because several years ago, HIMSS did a survey of healthcare organizations and talked to them about, you know, what do you do in your risk assessment? And about 30% of them said, we don’t even include medical devices. And I think maybe that’s partially because they didn’t wanna know what they would find, but you’ve got to figure out what your risk is. The other thing: you need to know what your medical device inventory and risk exposure is.
Medical devices are unique in that they’re sometimes introduced into the environment not through the normal IT procurement cycle. So for example, if you’re going to buy a new piece of IT equipment, it goes through this entire risk assessment, security screening, and IT people are all involved every step of the way. A medical device might have gone through an entirely different procurement cycle and in some cases be introduced into your environment, hooked into your network, and you really don’t know what’s going on.
You’re the IT cybersecurity people; it’s just out there running, and you go into that department and there it is. I tell people, you’ve got to do a couple of things. One is you’ve got to get an inventory and you’ve got to figure out where they are. And you’ve got to start, if they’re portable devices that are part of your facility, you’ve got to start tracking them. I mean, there are actually vendors out there that, you know, track them. It’s kind of like putting an AirTag on the insulin pump so you know where it went.
Jordan Eisner (06:50)
You know, what are the names of some of these?
Carol Amick (06:53)
Yeah, I don’t have the vendor names off the top of my head, I’m sorry. But there are vendors out there that do help you track them, and that’s something to consider as you go into this, because you do, I mean, when I was at a previous healthcare provider, we actually had an IV pump walk out the door. The patient ran away from the hospital and took her pump with her as she left. So you need to know, okay, that one needs to be disconnected from the network and turned off, because, no, until we find out what happened to it, we don’t want it out there in the environment with people doing things to it.
So you need to know where they are and you need to know what they are. The other thing you’re going to have to look at is how old are they and can they be patched? And that has been a significant problem with these devices. These things are not cheap. A lot of them were not built really to facilitate easy patching. And so you may have devices in your environment that you control that have not been patched.
If it’s a pacemaker, you may be at the mercy of, you’ve got to make sure it’s getting pushed out to the device that’s implanted in the patient that you all are dealing with. So there are a lot of pieces that go into this. Can it be patched, and has it been patched? And I know they’re expensive. And so a lot of times what we find when we go out and look at hospitals is there are pieces of equipment around that are old, that are not secure, that are not patched, but the finances aren’t there right now in this environment to replace them. And so you’ve got to figure out how you are going to mitigate that risk.
Jordan Eisner (08:24)
That gives me a real uneasy feeling thinking about that. No, I mean, seriously, they can’t be patched?
Carol Amick (08:29)
Yeah, now there are things you can do. I mean, I would guarantee that a lot of times when you go out and you find those old devices and you look at them and you try to log into them or something, they’re still using the password that they came with, or they don’t have any password because it was never turned on. They’re using your Wi-Fi network and they may actually not be on an encrypted network. So there are things you can do, even if they’re not protected, so that you can start protecting yourself.
Do what you can and know those devices that are at risk so that you can monitor those and look for unusual activity coming out of them, so that you are prepared to, like I said, that device that walked out the door, we were able to say, it’s just now disconnected from the network. If it showed back up, it wasn’t going to be able to reconnect. We weren’t gonna, it couldn’t just show back up at the hospital when the patient returned it saying, I’m sorry, and connect back in. Somebody had to go look at it and make sure that, while they had it, it hadn’t been...
Jordan Eisner (09:34)
And is this a theoretical or did this actually happen?
Carol Amick (09:39)
The device did not come back. It did really walk out the door.
Jordan Eisner (09:43)
Yeah, I know that, but you never... Yeah, yeah, that would be too good to be...
Carol Amick (09:45)
It did not come back. We never saw it again.
That’s probably more likely, that you’re not going to see it again. But there is an option that, you know, they walk out the door and their family member, somebody, a couple says, you know, wait a minute, you can’t keep this. We’ve got to take it back. I’m going to take it back. You know, it could happen. It has; I’ve seen things like that happen in healthcare.
Jordan Eisner (10:09)
So, and maybe you alluded to that a little bit just in that past statement, but what are some plans organizations need to have in place so they’re ready to act if they suspect a device has gone missing or is compromised, or, you know, there’s been an incident?
Carol Amick (10:27)
I think that’s where you need... First of all, it goes back to: you need to know what your devices are. If you have gotten into that situation, have a way to deactivate that device. Have a way to take it off your network. Make sure the device authentication information is removed so it’s no longer accessible. It can’t reconnect if you think something has been compromised. If you feel like something is... You know, it should be part of your logging and monitoring system.
So that if something weird starts happening to a device, you kind of have a way to see it. If you see access to the amp-3C authorized, that’s something to watch out for, just like it would be if they were trying to break into your electronic medical record system. You want to pay attention to what might be going on there. Looking at your wireless network, that’s another one where you want to make sure that you have that really secure, because most of these devices are connected through a wireless system to your network.
So they’re transmitting wirelessly. You want to make sure that is a secured, separate network from your guest network. Yeah. Basic compromise that your patients are going to be on your guest network in this day and age. You’ve got to have a guest network for most of your patients. You know, if you’re in the hospital, you want your Wi-Fi so you can communicate with your friends. That’s a separate network. Make sure it’s secure. Make sure you’re monitoring for unauthorized access attempts in there, that somebody hasn’t gotten a hold of the information off of the medical device to try to use that to enter into your wireless network and from there into the rest of your environment. So it’s back to the monitoring and paying attention to what’s going on, and then knowing what all is connected and what’s coming on. So if somebody does go out in one of the clinical departments and buy some fancy new device and connect it, is there an alert or something that a device just showed up that you weren’t expecting and you need to go figure out what it is? Is it secure?
Can it be patched? What’s the risk? Because we all know, those of us who’ve worked in healthcare a long time know, that this is not the first thing that comes into the clinician’s mind when they’re fighting, when they’re looking at the new toy. If a manufacturer shows up with a device for a provider to try, and they are testing it at your hospital or your location and it connects,
you need to be aware of that and go see what’s going on, because, you know, a lot of times these sales reps will show up with stuff and they don’t want to show it off. And, you know, the doctor says, well, here’s the password to the Wi-Fi, and they’re in. So yeah, make sure you kind of know what’s going on. So yeah, you should get an alert that you have a device you didn’t expect suddenly on your network.
Jordan Eisner (13:08)
Yeah, well, Carol, I’m impressed you packed a lot into this short podcast. We did that quick, and I think you covered most of my questions, and I think you leave our viewers and listeners with a wealth of information that I can take away in a short period of time. So thank you once again. We’ll have to get you rescheduled for episode eight pretty soon.
Carol Amick (13:31)
Yeah, I did want to point out, I think the biggest thing is to make sure you’ve covered this in your risk assessment. If you’ve covered these in your risk assessment with the same robustness you’re covering all your other IT environment, you’re probably going to be in decent shape. If you haven’t, and you haven’t mitigated this risk, then you’re probably wide open.
Jordan Eisner (13:48)
And if you’re wondering what risk assessment she’s talking about, that’s something to look into too.
Carol Amick (13:56)
You should be doing that risk assessment annually. I think we did a podcast on that though.
Jordan Eisner (14:00)
Yes, and you can do it internally. Get a third party in as well. So, well, on that note, if you have questions around HIPAA security risk assessments, privacy risk assessments, please don’t hesitate to reach out. CompliancePoint can be reached in many different ways. The easiest is probably to go to our website. You can email us at connect@compliancepoint.com. Carol and myself are both available via LinkedIn. Our emails are easy, first initial last name at compliancepoint.com. And just a reminder for everybody, we produce content like this regularly. So if this is your first time, be sure to click the subscribe button. If this is more than one time for you and you’re a regular listener, leave us a review. Give us some feedback. Maybe make some suggestions or recommendations of what you’d like to hear from us. Until next time, thanks everybody.