Networked medical devices have been an integral part of the healthcare world for years. Long before the Internet of Things, connected devices provided monitoring, record-keeping and drug delivery to patients in hospitals, clinics, and research facilities operated by federal agencies. The Department of Veterans Affairs (VA), for instance, operates the country’s largest integrated healthcare system, with more than 1,700 facilities nationwide. The use of networked medical devices is commonplace, with more than 55,000 such devices now in place.
But these devices also pose a growing risk to the security of the networks to which they connect, and put at risk the personal information of the patients they are helping.
The wide variety of wired and wireless devices from multiple manufacturers is part of the risk. “Wireless medical devices can be moved around the building, or even taken to other locations,” said Paul Parker, Chief Technologist, Federal and National Government, at SolarWinds, which develops IT management and cybersecurity technology. “This ‘Internet of Health’ isn’t always treated with the same security mindset as a laptop or cell phone.”
The VA has taken steps to address the problem, including the 2009 launch of the Medical Device Protection Program, a set of protocols to address the security of medical devices on the network, including its Medical Device Isolation Architecture, which is intended to enhance device security by isolating the devices.
This alone is not enough – many of these connected devices can store personally identifiable information (PII), yet most have restrictions on software updates and patches, making them vulnerable to attack. A third party could inadvertently release or maliciously steal the data on a device, and the device itself provides a potential entry point to the health networks to which it’s connected.
Enterprise management and cybersecurity tools may not support medical devices, and some older devices can’t be updated to meet new security protocols.
“These devices aren’t always visible to network management tools and, ironically, they can’t be scanned for infection,” Parker said.
SolarWinds is hosting a webinar at 11am Thursday, May 10, that addresses ways to mitigate the security risk posed by medical devices connected to health networks.
SolarWinds’ Chief Technologist, Paul Parker, and Senior Sales Engineering Manager, Omar Rafik, will discuss compliance with federal and industry security regulations, network access control, and maintenance of Access Control Lists (ACLs) through the use of a Network Configuration Manager. By the end of the webinar you’ll understand how to improve compliance with FISMA, RMF, etc. for your medical devices, how to standardize ACL configurations to help protect medical devices from hijacking, and how to ensure real-time change detection and alerting for your medical device networks.
Don’t forget to register for the webinar! You can do that here.