Balancing Simplicity With the Exploding Challenges of Medical Device Security

The following is a guest post by Gus Malezis, President and CEO of Imprivata.

The digitization of healthcare has allowed healthcare organizations to utilize robust technology such as network-connected medical devices to help improve both patient care and provider experience across the entire care continuum. Within this Internet of Medical Things (IoMT), medical devices can track and monitor patient stats, provide diagnostic information, help ensure lifesaving care delivery, and even make recommendations on treatment and clinical decision support – all while communicating directly with healthcare IT systems to ensure more complete and accurate patient medical records.

With these benefits of digitally connected medical devices, however, we now must consider and address a series of issues that are introduced with network connectivity and automated data integration; issues that relate to patient health and safety, cybersecurity, and compliance.

Simply put, advanced network-connected technology opens these devices to the risk of exploitation and compromised patient safety from both internal and external threats. Whether it’s an uninformed patient making changes to an unlocked infusion pump, someone stealing valuable protected health information (PHI) stored on an unattended device, or a cybercriminal using a network-connected medical device to gain backdoor access to a hospital’s entire network or disable the function of the devices (for the purpose of extracting ransomware), medical devices are now a source of risk for both healthcare organizations and patients. Compounding this issue is the fact that medical devices frequently run outdated operating systems and applications, all of which are difficult, or even impossible, to patch or otherwise protect with other standard security measures.

By 2020, the number of IoT devices is expected to reach 20.4 billion, and the number of IoMT devices is expected to reach 161 million. These numbers of incremental networked devices are truly staggering, which proportionally increases the risks of hacking, compliance, and health and safety. Clearly, healthcare IT can no longer afford to manage medical devices under current security protocols.

How locking down affects provider workflow

To address this threat and mitigate the risk posed by IoMT devices, organizations naturally look to implement security systems and tools that will safeguard the devices, enable only authorized personnel to interact and adjust/calibrate the devices, and safeguard access to patient records, clinical applications, and other sensitive data. Before implementing such solutions, however, healthcare organizations should consider several factors – particularly those relating to workflow.

Unlike other industries, healthcare can’t simply lock down information by building multi-layer security. Additionally, the focus is always on patient care, so minutes…and even seconds…truly matter, and clinicians need fast, unimpeded access to patient information. Layering in cumbersome security protocols has the potential to introduce new workflows, or create barriers to care. It is therefore critical that healthcare systems designers and architects consider several key factors when evaluating security options.

For starters, think about workflow integration: Any security tool should allow for optimal workflow efficiency among users, and that means the clinical staff and providers should not need to be “trained” on something new, or adopt a new workflow. Ideally, this means finding flexible and easy-to-use security tools that meet current existing workflows and preferences. Choosing easy-to-use options allows for security to be transparent so providers can focus on patient care, not on technology. For example, clinicians are accustomed to Tap-in and Tap-out (TITO) technology as a means of accessing HIT windows-based systems. This same workflow should be integrated and facilitated in anything new, thereby enabling secure and compliant access by utilizing a current and well known and adopted workflow. This is a win-win-win…the clinical staff win by using the same workflow, while IT, Cybersecurity, and Compliance teams also achieve their goals.

Another key factor is extensibility to other workflows: The need for security stretches across a number of different business and clinical workflows and applications. Healthcare organizations should look into a solution that provides the extensibility to meet all workflow needs, with the same consistent and transparent workflow model.

Addressing this challenge requires fast, efficient, and secure authentication for all devices that require security, including medical devices. For medical devices already requiring user authentication, appropriate security tools can improve efficiency by replacing the cumbersome manual entry of usernames and passwords with fast, automated authentication through the simple tap of a badge. Here we want to leverage the same consistent and transparent workflow model.

This way, organizations can optimize their use of interconnected medical devices to improve the delivery of care. They also maintain security and meet regulatory compliance requirements while ensuring efficiency for providers and giving them more time to focus on patient care.

Focusing on physical security and ID/Access control can enable the right balance — something that’s uniquely necessary in healthcare. A healthcare organization’s medical device access security plan should be part of a comprehensive identity and multifactor authentication platform for fast, secure authentication workflows across the healthcare enterprise. The medical device piece should combine security and convenience by enabling fast, secure authentication across enterprise workflows while creating a secure, auditable chain of trust wherever, whenever, and however users interact with patient records and other sensitive data.

As organizations are tuning in to the unique challenges of the IoMT era, it’s time to implement foundational security best practices with modalities that are tailored specifically to clinical workflows. Doing so achieves the balance necessary to ensure both security and flexibility.

About Gus Malezis
Gus Malezis is the President and Chief Executive Officer of Imprivata. Gus is widely recognized as a visionary leader in the information technology security industry where he brings more than 30 years of experience driving innovation and growth while building market leading organizations. Prior to joining Imprivata, Gus was most recently the President of Tripwire, a leading global provider of endpoint detection and response, security and compliance solutions. In his career, Gus has built a strong track record of delivering growth and innovation for leading technology and security companies such as Tripwire, McAfee, and 3Com.