In this, ‘Ask the Expert Series’, we are joined by medical device security expert, Chuck Brooks, who will address how to secure connected medical devices in today’s hyper-connected hospitals.
“The infusion pump talks to what?” Perhaps the better question might be, “What doesn’t the infusion pump talk to?”
And while we’re at it, you can feel free to replace “infusion pump” in that sentence with your medical device of choice – pacemakers, continuous glucose monitors, wearable insulin pumps, diffusion pumps, bed head units, oxygen appliances, X-rays, MRIs, scanners… All are examples of medical devices that will be connected to back-end servers hosting patient databases and to healthcare applications and front-end interface devices for medical professionals.
But let’s take the infusion pump for our example. In the past, drug catalogs were uploaded to the infusion pump via a local server. If a nurse accidentally punched in the wrong dosage, the pump would search the catalog and upon seeing that the dosage entered was not in the spectrum, it would send an alert. Fast forward to today and the next generation of infusion pumps have interfaces into the EMR. Being connected to the patient’s electronic medical record has its advantages. When a doctor puts a prescription into a medical record, the EMR talks directly to the infusion pump to dispense the correct dosage of medicine to a patient. There is no room for human error due to programming the pump or reading the prescription. And the connections don’t stop there. Bar code scanners also come into play, which allows the clinical staff to scan the wristband of a patient and the infusion pump to associate with the patient and then the prescription is downloaded from the EMR to the infusion pump.
A Brave New World
The infusion pump is just one example of a connected medical device. ABI Research calculates that there will be 154 million connections for healthcare equipment and home and patient monitoring by 2021, up from 70 million by the end of 2016. Everything is becoming connected, and as you saw in our example, in many ways networked devices are improving the manner in which medicine is tracked, developed, sourced and distributed. In addition, medical technology can offset increasing costs, decrease medical errors, improve patient outcomes, improve access to care and deliver specialized knowledge to the bedside.
But, there are always two sides to every story… The downside of the incorporation of connected medical devices into the IT network poses new issues around patient safety and security, and ultimately presents new and unknown threat vectors around the operational side. The concept of a medical Internet of Things (IoT) is quickly emerging. Healthcare professionals must consider confidentiality, integrity and availability mechanisms not just for patient data, but also with respect to medical devices, ensuring that they are protected.
The new challenge for the healthcare industry is to be able to take advantage of the technological benefits of connected technology while minimizing the potential risks. The increased connectivity of medical devices will force both healthcare providers and medical device manufacturers to focus on how best to secure devices remotely. Further, the eventual adoption of a secure development lifecycle will push for continuous monitoring and security maintenance services. OEMs and healthcare providers globally have to start investing in cybersecurity now; with human safety at risk, they cannot afford to wait.
This is where Extreme comes into play. ExtremeControl can allow hospitals to dictate what infusion pumps can and cannot talk to. They want the infusion pump to be able to talk to EMR and bar code scanners, but not anything coming from the guest network or from anywhere else. Using ExtremeControl, hospitals can set policies to segregate devices within the networks to allow only critical care items while blocking everything else. This is just one of many steps that can be taken to ensure that healthcare organizations are reaping the rewards of connected medical devices and the medical IoT while minimizing the risk.
“ABI Research calculates that there will be 154 million connections for healthcare equipment and home and patient monitoring by 2021, up from 70 million by the end of 2016. How are you going to secure your connected medical devices and keep patients safe?”
Want to learn more about medical device security? Read the ABI Healthcare Report: Medical Device Cybersecurity
Got a question? ‘Ask the Experts Series’ continues! Submit your question to Chuck.