Aaron Miri, chief information officer of the Walnut Hill Medical Center in Dallas, Texas, spoke recently to Medpage Today about an issue of increasing concern for hospitals: the security of medical devices.
The issue, according to Miri, is that many medical device manufacturers can avoid placing basic security provisions like secure logins in their equipment. This can leave devices, including implanted and external devices, pumps, and monitors, vulnerable to hacking.
“Those medical devices . . . are absolutely a risk point because they have to touch a corporate network in some form or fashion” to send data back to the electronic medical records or whatever application the device is using. The device can be hacked, creating a risk for the patient’s health if a hacker changes, say, the dose of a medication or the settings on a cardiac device. The patient could also be at risk if a monitor does not sound the proper alarm at a critical moment.
Under HIPAA (the Health Insurance Portability and Accountability Act, which protects the privacy and security of health information), a “covered entity” as defined by HIPAA must abide by HIPAA provisions to encrypt data. Hospitals are covered entities. A noncovered-entity like a device manufacturer is not bound by HIPAA security regulations.
Miri told Medpage Today that the problem is larger than the functioning of the devices themselves. Hackers could steal patient information or lock health care providers out of the system and demand ransom to return control, as has happened to hospital networks. Because many physicians and facilities use laptop computers, a stolen or lost laptop can put patients in jeopardy and their sensitive health information at risk.
The Windows XP operating system is also a problem in many medical devices, according to Miri. He said he recently encountered a lab instrument in the U.K. with Windows XP ithat was infected with malware and had inadvertently infected an entire National Health Service hospital. Miri also cites the example of devices that dispense medication. In one facility, he said, new machines came from the factory infected with malware and this affected other systems in the hospital when the machines were connected to the network.
Miri likens these medical devices to “little pockets of individual freedom floating out there that must attach to your network because the FDA mandates it must do so, without any ability to get your arms around the product,” according to Medpage Today.
The Healthcare Information and Management Systems Society (HIMSS) and other groups are calling for tougher rules on medical device manufacturers, but Miri notes the difficulty of tightening the rules because the responsibility is divided among the Food and Drug Administration, the Federal Trade Commission and the Health & Human Services Office of Civil Rights. “[O]nce you have multiple agencies playing, they seem to get in each other’s way,” Miri says.
Miri hopes to see a the appointment of a national cybersecurity czar who can coordinate the efforts of competing agencies. For now, however, information officers like Miri have to rely on security software overlaid on their computer networks to detect intrusions and limit the damage to device or to a network, Medpage Today reports.