John Wilson, CSX, CRISC, CISSP, CISM, CCSK, Director, IT Risk Management and Assurance, Texas Health Resources
Since the introduction of the HITECH Act, the healthcare industry has made significate changes in many areas, such as digital transformations. For example,Promoting Interoperability (formerly known as Meaningful Use) assisted with the push to move away from paper records tothe digitization of health information. As this began to converge, the official start date of health care information security governance and digital healthcare began. The purpose of this article is to bring a security perspectivein two critical areas in the healthcare domain, starting with medical devices and mobile applications.
Medical devices have increased in many capabilities, including networking, storage, processing and computing. Many medical devices, including hospital beds, now have Bluetooth capability. Medical devices that come with these new networking capabilities introduce the concept of an “unbound medium,” meaning bad actors do not have to be present or close in proximity to do harm.Security that can affect patient safety has become a concern with medical devices’ enhanced capabilities. While many security capabilities should be taken into consideration, a few key areas to consider are asset management and device classification, and assessments.
Medical device asset management should have a lifecycle management approach.This includes processes from new device onboarding and offboarding (e.g., destruction and disposal) as well as processes for whenthe devices are in production (post-onboarding and pre-offboarding). Many technologies in both active asset monitoring (RFID) and passive monitoring (networking SPAN ports) can assist with asset management.Since many medical devices can process and store sensitive data, such as Protected Health Information (PHI), the question becomes when the right time is to identify a device as being lost or, even worse, stolen.
"Security that can affect patient safety has become a concern with medical devices’ enhanced capabilities."
As part of the medical device onboarding process, the devices should be classified. Classification helps assist with determining risk identification, risk response and tolerance. For example, devices can be classifiedwith labels such as “critical network-enabled”or“critical non-network enabled” (to name just a few classification examples).Amedical asset classificationhelps enable a deep understanding of what is inventoried and knowing what the security program is trying to protect.
As mobility continues to advance in many areas from cloud accessibility to smart devices, many clinical applications are starting to use more mobile applications (applications used on smart devices).With mobile applications, most organizations can place these applications in a minimum of two categories. While clinicians and physicians might not really care how these two categories are managed, they are important from a security perspective.For example, the minimum two categories could bea mobile application that is on a corporate-owned device or a mobile application that is placed on a BYOD device.
Mobile applications that are placed on corporate-owned devices have some security advantages. In most organizations, corporate-owned devices are managed through a Mobile Device Management (MDM) software component. The MDM software has many capabilities from building profiles that only allow certain applications to run,such as disabling certain applications such as non-corporate email that could leverage weak security protocols, which could eventually lead to bad outcomes. The ability to profile and publish business-approved applications helps with a reduction in the attack surface. In addition, the MDM software can help assist with asset management and provide capabilities with remote wipe and erase when a smart device has become lost or stolen.
Some healthcare delivery organizations have physicians and clinicians who are not employees and have some expectations with continuation of care and patient safety with mobile applications. Some ED departments and modality clinicians use mobile applications that assist with critical timing of patient care that can become a difference between a good or a bad outcome. When business-facing applicationsmust be placed on a BYOD (non-corporate) device, theusing MDM software becomes a challenge.
When a business-facing application must be placed on a BYOD device, there are a couple of security considerations that should be reviewed.The consideration is, there is a fine line between the privacy of the business application versus the privacy of the BYOD owner.There are solutions that can assist with how mobile applications are used on BYOD devices, such as ensuring that the corporate-owned application/data are isolated from other BYOD applications, such as personal email or browsers.For example, these technologies can assist with the inability to copy and paste data from business-facing applications to personal applications. Also, these technologies can assist with the ability to perform a remote wipe of business-facing applications when the applications are no longer needed or,worse, when a BYOD device is lost or stolen.
As technology continues to advance in the healthcare risk domain, these advancements support better-managed care and patient safety.Enhanced capabilities and technologies are inevitable as technology improves in its abilityto help prolong and save lives. As these advancements continue, security should remain as an integrated process and not a bolted-on approach.