Cybersecurity for Medical Devices
presented at the MedSun Audioconference by Catherine Sprague, Senior Business Analyst, UHC
April 12, 2005
Who is the University HealthSystem Consortium?
The University HealthSystem Consortium (UHC), formed in 1984, is an alliance of academic health centers situated mainly in the United States. As a membership organization, UHC provides its 90 full members and 123 associate members with a variety of helpful resources aimed at improving performance levels in clinical, operational, and financial areas. The mission of the University HealthSystem Consortium is to advance knowledge, foster collaboration, and promote change to help members succeed in their respective markets.
Background
• Early in 2004, the UHC CIO Steering Committee asked UHC to investigate the issue of medical device security and suggest ideas to mitigate the problem.
• The UHC Medical Device Security Team: Pete Giordano, MCSA/MCSE - Security, CISSP, Senior Security Analyst; Catherine Sprague, Senior Business Analyst; and Doug Surch, PMP, CISSP, Director, Project Management Office
Background
• Interviews with:
  • Medical device vendors/manufacturers
  • Government agencies
  • Industry groups
  • Members, members, and more members!
• Lots of research, culminating in a…
• White Paper published in January 2005, available at: http://public.uhc.edu/uhcmail/Push_Emails/MedicalDeviceWhitePaper.pdf
The Problem
• Medical device security is a significant issue for healthcare organizations.
• The problems are related to the complex and sensitive nature of the devices.
• Security solutions are often invasive, requiring patches or updates to the device software and/or OS.
Not the FDA! Patches must usually be applied by the manufacturer!
There is often a disconnect between the manufacturers and providers as to what “secure” actually means, as well as the length of time that is acceptable for a medical device to be exposed to risk before a patch can be applied!
The Solution must:
• Accommodate the providers’ needs, timing, and sense of urgency;
• Accommodate the vendors’ time and resource constraints;
• Fix an identified vulnerability or provide an extra measure of protection for the device and/or network, without compromising the performance and/or integrity of the device.
Short Term Solutions: FDA/MedSun Reporting
• The FDA encourages health care organizations to report any and all problems.
• There is a notable lack of formal reporting on the part of the providers.
• Without formal evidence, the FDA is limited in its ability to act.
• This is something that providers can and should start doing immediately!
Short Term Solutions: Incident Response
An effective incident management plan can:
• Minimize the damage from a security event.
• Provide important lessons for improving security.
Incident response plans must:
• Include networked medical devices.
• Provide feedback to regulatory agencies and device manufacturers.
Short Term Solutions: Risk Management
• Requires a vigilant methodology
• A multi-disciplinary team to:
  • Monitor the organization’s network/exposure.
  • Monitor security bulletins (e.g. CERT).
• Also applies to the device:
  • Easier to prioritize where extra controls are needed.
  • Helps make the case for extra funds to protect the network.
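The risk management slide sketches a methodology (monitor the network and security bulletins, then prioritize where extra controls are needed) without showing how a team might operationalise it. The following is an added example, not code from the presentation or from UHC: a small Python script that matches constructed advisory entries against a constructed inventory of networked medical devices and ranks the findings, flagging devices that are reachable from the hospital network and whose vendor patch lag exceeds an assumed policy threshold (`ACCEPTABLE_EXPOSURE_DAYS`), which is the provider/manufacturer disconnect the Problem slide calls out. Every device, advisory identifier, attribute name and scoring weight in it is an assumption made for illustration.

```python
"""
Risk-prioritisation helper for networked medical devices.

This is an added example, not code from the UHC presentation or its
white paper. The device inventory, the advisories, the scoring weights
and the attribute names are all constructed for illustration; a real
assessment would use the provider's own inventory and a standard
question set such as the MDS2 form.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: the provider's policy threshold for how long a device may
# stay exposed before a vendor-validated patch is expected (the slides note
# that providers and manufacturers often disagree on this number).
ACCEPTABLE_EXPOSURE_DAYS = 30


@dataclass(frozen=True)
class Device:
    name: str
    software: str               # product the device runs (constructed value)
    version: str
    network_exposed: bool       # reachable from the general hospital network
    patient_critical: bool      # compromise could affect patient care
    vendor_patch_lag_days: int  # typical wait until the manufacturer ships a validated patch


@dataclass(frozen=True)
class Advisory:
    advisory_id: str                  # constructed identifier, not a real bulletin
    source: str                       # e.g. a CERT bulletin feed
    software: str
    affected_versions: Tuple[str, ...]
    severity: int                     # 1 (low) to 10 (critical), constructed scale


def is_affected(device: Device, advisory: Advisory) -> bool:
    """An advisory applies when product and exact version both match."""
    return (device.software == advisory.software
            and device.version in advisory.affected_versions)


def risk_score(device: Device, advisory: Advisory) -> int:
    """Bulletin severity plus constructed weights for exposure, criticality and patch lag."""
    score = advisory.severity
    if device.network_exposed:
        score += 3
    if device.patient_critical:
        score += 3
    if device.vendor_patch_lag_days > ACCEPTABLE_EXPOSURE_DAYS:
        score += 2
    return score


def needs_compensating_control(device: Device) -> bool:
    """A reachable device whose patch will arrive later than policy allows
    needs an extra control (e.g. network isolation) in the meantime."""
    return device.network_exposed and device.vendor_patch_lag_days > ACCEPTABLE_EXPOSURE_DAYS


def prioritise(devices: List[Device],
               advisories: List[Advisory]) -> List[Tuple[str, str, int, bool]]:
    """Match bulletins against the inventory and rank findings, highest risk first.

    Each finding is (device name, advisory id, risk score, needs compensating control).
    """
    findings = [
        (d.name, a.advisory_id, risk_score(d, a), needs_compensating_control(d))
        for d in devices
        for a in advisories
        if is_affected(d, a)
    ]
    findings.sort(key=lambda f: (-f[2], f[0]))
    return findings


# Constructed sample inventory and bulletins (not real products or advisories).
SAMPLE_DEVICES = [
    Device("infusion-pump-03", "PumpOS", "2.1", True, True, 180),
    Device("lab-analyzer-01", "AnalyzerSuite", "4.0", False, False, 45),
    Device("imaging-ws-07", "ImageView", "1.3", True, False, 14),
]

SAMPLE_ADVISORIES = [
    Advisory("ADV-CONSTRUCTED-001", "CERT", "PumpOS", ("2.0", "2.1"), 8),
    Advisory("ADV-CONSTRUCTED-002", "CERT", "AnalyzerSuite", ("4.0",), 5),
    Advisory("ADV-CONSTRUCTED-003", "CERT", "ImageView", ("1.2",), 9),
]


def run_sample() -> List[Tuple[str, str, int, bool]]:
    """Rank the constructed inventory against the constructed bulletins."""
    return prioritise(SAMPLE_DEVICES, SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for name, adv, score, control in run_sample():
        action = "add compensating control" if control else "track vendor patch"
        print(f"{score:3d}  {name:18s} {adv:22s} {action}")
```

With the constructed data, the infusion pump ranks first (score 16) and is flagged for a compensating control because it is reachable from the network and its vendor patch is months away, while the analyzer's finding (score 7) is only tracked and the imaging workstation, running an unaffected version, produces no finding. The weights are the part a team would tune to its own environment; the structure (inventory, bulletin feed, match, rank, flag) is what makes the case for targeted spending that the slide mentions.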
Medium Term Solutions: Standard Assessment
• A common set of questions used to assess security components:
  • Can be used by the provider to understand risk.
  • Can be a qualifier when choosing between otherwise comparable devices.
• Examples:
  • MDS2: http://www.himss.org/content/files/MDS2FormInstructions.pdf (2000 downloads since it was posted!)
  • NCHICA: http://www.nchica.org/HIPAAResources/Samples/VendorSecurityMatrix.doc
Long Term Solutions: Device Design
• Security components should be an integral part of the device.
• Installed and supported by the manufacturer; the responsibility is clearer.
• Strongly supported by UHC members.
• Drawbacks:
  • Defining the “best” security strategy and software.
  • Security components must not impact the function of the many different devices.
  • These even more complex devices must be compatible with multiple organizations’ enterprise layered-defense strategies.
  • The length of time to develop a medical device is 5 to 7 years.
Long Term Solutions: Industry Groups
HIMSS has formed a Medical Device Security Workgroup to:
• Identify both the security issues associated with medical devices and systems and the best practices available to address those issues.
• Evaluate the issues of security threats and vulnerabilities that affect medical devices, the provider’s and the equipment manufacturer's responses and responsibilities, and the legal and regulatory framework in which these issues must be addressed.
• Coordinate with similar groups and committees to capitalize on existing efforts and realize the economies of collaboration.
• Prepare and endorse white papers, guidance documents, comments, and recommendations on medical device security issues and practices for addressing those issues.
• Educate HIMSS membership and the industry on the implications of medical device security through publications, tools, resources, and educational programs.
Long Term Solutions: Industry Groups
• North Carolina Healthcare Information and Communications Alliance, Inc. (NCHICA):
  • A nonprofit consortium of more than 250 organizations dedicated to improving health care by accelerating the adoption of information technology.
  • Developed the NCHICA Vendor RFP Template.
There is strength in numbers! Industry groups, such as HIMSS and NCHICA, can wield great influence.
Conclusion
• There are a variety of approaches to medical device security.
• No single solution stands out over the others, and all have merit.
• As long as there are computers, there is a potential for compromise, and a combination of approaches is necessary.
• Providers NEED to protect their environments; however …
Vendors and providers need to work together to define a common approach and resolution to the issue of medical device security!
For more information, contact:
Peter Giordano, giordano@uhc.edu, (630) 954-2448
Cathy Sprague, sprague@uhc.edu, (630) 954-1703
Doug Surch, surch@uhc.edu, (630) 954-6725