In response to the recent alert regarding the security vulnerabilities of an infusion pump, Beth Israel Deaconess Medical Center (BIDMC) CIO John Halamka, MD, posted an entry on his blog about his own experience with such issues.
“My view is that this will be the first of many advisories,” he wrote. All of these devices are computers, “often running unpatched old operating systems, ancient Java virtual machines and old web servers that no one should currently have deployed in production.”
BIDMC has three wireless networks: a guest network for patients and families; a secure network for clinicians and staff; and a device network for medical devices that is connected neither to the internet nor to the other two networks. The facility also places firewalls around medical devices to prevent them from communicating with outside parties.
Halamka said he has asked medical device manufacturers in recent years to provide a precise map of the network ports and protocols used by their devices so that he can build a “pinpoint” firewall that allows only the minimum necessary transactions to and from the device. Many manufacturers, he said, “do not seem to know the minimum necessary communication requirements for their products.”
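To make the “pinpoint” firewall idea concrete, here is an added example (not from Halamka's post or BIDMC) of what a hospital can do once a manufacturer actually supplies a port/protocol map: turn that map into a default-deny allowlist, render it as an nftables forward chain for an inline firewall in front of the device, and audit observed flows against it. The device name, addresses, ports and flow records are all constructed for illustration and do not describe any real product.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical example: device, addresses and ports are constructed, not vendor data.


@dataclass(frozen=True)
class Rule:
    direction: str  # "in": traffic to the device, "out": traffic from it
    proto: str      # "tcp" or "udp"
    port: int       # destination port on the receiving side
    peer: str       # CIDR of the only hosts allowed on the other end


# Constructed vendor map: the minimum communication set a manufacturer would ideally provide.
VENDOR_MAP = {
    "device": "infusion pump (hypothetical)",
    "required": [
        # pump pushes status to the hospital's device gateway
        {"direction": "out", "proto": "tcp", "port": 8443, "peer": "10.20.30.5/32"},
        # gateway pulls drug-library updates from the pump
        {"direction": "in", "proto": "tcp", "port": 9443, "peer": "10.20.30.5/32"},
        # time sync against the hospital NTP server
        {"direction": "out", "proto": "udp", "port": 123, "peer": "10.20.30.1/32"},
    ],
}


def build_allowlist(vendor_map):
    """Validate each vendor entry and turn it into an explicit allow rule."""
    rules = []
    for r in vendor_map["required"]:
        if r["direction"] not in ("in", "out") or r["proto"] not in ("tcp", "udp"):
            raise ValueError(f"malformed entry: {r}")
        ip_network(r["peer"])  # raises on a bad CIDR
        rules.append(Rule(r["direction"], r["proto"], int(r["port"]), r["peer"]))
    return rules


def flow_allowed(rules, direction, proto, port, peer_ip):
    """Default deny: a flow passes only if some rule matches every field."""
    addr = ip_address(peer_ip)
    return any(
        r.direction == direction and r.proto == proto and r.port == port
        and addr in ip_network(r.peer)
        for r in rules
    )


def render_nft(rules, device_ip):
    """nftables text for an inline firewall forwarding traffic for one device."""
    lines = [
        "table inet pinpoint {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in rules:
        if r.direction == "out":
            lines.append(f"    ip saddr {device_ip} ip daddr {r.peer} {r.proto} dport {r.port} accept")
        else:
            lines.append(f"    ip saddr {r.peer} ip daddr {device_ip} {r.proto} dport {r.port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def audit(rules, flows):
    """Return the observed flows the pinpoint policy would have blocked."""
    return [f for f in flows if not flow_allowed(rules, *f)]


# Constructed flow observations: (direction, proto, dport, peer IP).
OBSERVED_FLOWS = [
    ("out", "tcp", 8443, "10.20.30.5"),    # expected gateway upload
    ("out", "udp", 123, "10.20.30.1"),     # NTP
    ("out", "tcp", 443, "203.0.113.10"),   # a rep "updating from the internet"
    ("in", "tcp", 22, "10.20.30.77"),      # SSH attempt from the staff network
    ("in", "tcp", 9443, "10.20.31.5"),     # right port, wrong host
]

if __name__ == "__main__":
    rules = build_allowlist(VENDOR_MAP)
    print(render_nft(rules, "10.20.40.17"))
    for f in audit(rules, OBSERVED_FLOWS):
        print("BLOCKED:", f)
```

The useful property is that the policy is derived from the vendor's stated requirements rather than from whatever the device happens to be seen doing, so an unexpected flow such as the internet update in the constructed list is blocked by the `policy drop` default instead of being silently learned. The rendered nftables text is illustrative and would need review against the real network layout before loading.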
BIDMC experienced a reportable breach when a medical device manufacturer removed hospital-provided security protections in order to update a device from the internet. “It took about 30 seconds for the unprotected device to become infected and transmit data over the internet,” Halamka wrote. The HHS Office for Civil Rights adjudicated that the manufacturer, not BIDMC, was responsible for the breach. The hospital was advised to follow any visiting manufacturer reps around the hospital to ensure that they do not remove hospital-provided security protections in the future.
“Some manufacturers have claimed that adding operating system patches, intrusion detection/prevention and other cybersecurity defenses will require them to re-certify their devices with the FDA. That is simply not true. The FDA has issued guidance declaring it the responsibility of the manufacturers to secure their devices. No re-certification will ever be needed for adding new protections.”
Halamka recommends that CIOs build “zero day” defenses, creating an electronic fence around vulnerable devices. Manufacturers must update their products and medical devices must be designed from the ground up with security as a foundational component, he added.
“The threat is real, I have experienced it myself, and CIOs must act.”