Earl Reber

Out of Sight, Out of Control: Uncovering Hidden Data Security Risks of Connected Medical Devices

April 11, 2011
This report originally appeared in the April 2011 issue of DOTmed Business News

By Earl Reber

The smartphone that keeps you connected to the office while you’re away? It’s helpful for productivity, but could be carrying a virus that may infect every single device connected to your health system’s network. This situation’s frequent occurrence reveals a collective failure in electronic data protection as it relates to connected medical devices. And it doesn’t just affect your organization’s IT department – an infected network could mean data loss, patient misdiagnosis, hefty financial penalties or even jail time. It’s absolutely crucial that you understand the hidden risks to help safeguard your network.

The common culprit
While every hospital or health system has some level of security protection for its networks, the most common security-related blind spot is software-driven or wireless devices connected to the network. From iPhones to surgical lights, CT scanners, IV pumps and smart beds, any device transmitting data to a network is a potential target or launch pad for security breaches if left unprotected. These breaches are often difficult to identify because many times, no one is keeping track of these devices.

And worse than a compromised network is the potential risk to patients a security breach may cause. It’s one thing for a CT scanner to be down; it’s another if that CT scanner has been impacted in a way that delivers an abnormally high dose of radiation (which really happened). Every device reacts differently when compromised.

Data security “Neverland”
Who at the hospital is responsible for addressing these network security risks? On one side we have biomedical engineers taking care of medical devices. On the other side we have the IT department that takes care of computers, smartphones and the network infrastructure. Neither side is completely equipped to deal with device security risks, and between them, there’s a “neverland” of finger-pointing over software-enabled or wireless devices that could take down both sides.

Taking steps toward security
If your organization has some improvement to do in the area of data security, knowing where to start can seem overwhelming. The following four items will help you begin to explore these issues deeply and work toward a long-term solution, as opposed to applying a Band-Aid. If you feel you can’t afford the time or resources to address these issues, listen:, you can’t afford not to. Here are a few easy steps to consider when addressing the possibility of network security breaches.

• Cover the basics.
At the very least, you must track each device and protect it, and make sure your organization’s policies and procedures cover it. Look at the availability of your equipment. If equipment is vulnerable – if data can’t be executed properly, or you can’t guarantee the device will perform on a consistent basis – you may need a different set of standards, compared to devices that don’t carry patient information, or don’t have the same availability requirement. A different standard for critical care devices may be necessary as well.

• Hold vendors accountable.
Vendors should not be able to sell you things on incompatible levels of software. Some make money by allowing outdated software to expire and requiring you to buy an upgrade – they may not even remember what’s running on it. Make it clear to vendors that you will not buy that equipment if you find out that’s the case, and inventory what you have and what those devices are running on.

• Fill the clinical engineering/IT gap.
As previously discussed, neither group is completely comfortable owning connected device security. One solution to this problem is to implement change management — meaning getting IT, clinical engineering and the device owner working together to achieve data and device security. Recently, one hospital was having medical devices knocked off their network every other week. They saw a pattern but couldn’t understand what triggered it. As it turned out, a mobile imaging lab was pulling up its truck and connecting to the hospital. The truck hadn’t changed the address scheme from the last hospital, so when they got to the new hospital, the addressing conflict kicked devices off the network.

By implementing a change management process between IT, clinical engineering and operations (risk management, quality control, etc.), you allow for a common point of contact. It may also be helpful to ask questions like: How do I get a new static IP address if I’m a clinical engineer or vendor installing a new device? How do I tell you if I need to change that address? How does IT document that request? If IT has to reboot a switch, how do they inform clinical engineering? Answering these questions ahead of time will ensure both groups are proactively monitoring and will be ready to act should there be a security breach.

• Educate individuals on data security.
Prevention begins with education of individuals within a health system. Physicians that run their own practices but are connected to larger health systems are especially important to educate, since they come and go, connect and disconnect from the network frequently. Start with the importance of password policies. You may be surprised at how many physician offices don’t have one, or have passwords taped to a drawer that everyone can access. Start building awareness of these types of risks. Meanwhile, it’s important to develop a culture of reporting problems. In 2009, nearly 80 million health records were breached from threats that were not properly assessed, according to the Privacy Rights Clearinghouse. It’s amazing how much people will tolerate with regard to technical problems – they think they can just hit the reset button to fix them. A problem may persist for weeks or years until something bad happens. Teach people that if it doesn’t look right, report it and call for help.

Earl Reber is the executive director of eProtex, the nation’s first data security company specializing in the hidden risks of connected medical devices. eProtex recently launched ePShield, the first network counterintelligence solution for network data security.