Health Care Organizations Need to Set Device Management Policies
"Imagine a blood pressure monitor, or heart monitor, that transmits the wrong message or simply ceases to function, or a medical decision support system that receives the wrong information; the result could be very bad," said McMillan.

Implantable devices control tasks such as the release of drugs or monitor the vital signs of patients, said Joe Gottlieb, president and CEO of Sensage, a company whose software tracks the presence of mobile devices on networks and uses data mining to monitor data on devices.

When networks are misconfigured and companies have lax security practices, the risk of compromised medical devices increases, according to DHS. "Misconfigured systems or network controls can provide inappropriate access to medical devices and make it possible for someone to interfere with their operation, tamper with their settings, etc.," McMillan said. "An insecure network segment such as a wireless LAN not encrypted, or encrypted with a less-than-optimal solution (less than WPA2) can create an avenue for someone to access a device and tamper with its operation."

Organizations need to establish acceptable ranges for different device use cases, according to Gottlieb. In a patient's room, doctors may be using a personal tablet or laptop, but at a main workstation, laptops are shared, he noted. "Log-in details can track that someone is using the device outside their approved range," said Gottlieb.

Legacy medical devices from before 1976 are a particular concern, DHS noted, while referring to comments from HHS.

As employees increasingly bring their own mobile devices onto networks, companies need to be more proactive with their security policies, according to an April 11 report from HIMSS Analytics and Kroll Advisory Solutions, a provider of IT security. Of 250 health care industry professionals interviewed, 31 percent believed mobile devices were a top threat for health care data breaches.
To respond to the warning, health care organizations must educate employees about the risks of mobile devices and what constitutes unauthorized usage, said Gottlieb. "Suspicious behaviors should be easy to spot if you have a good understanding of what you consider 'acceptable' mobile activity," Gottlieb explained.

Health care organizations must set up mobile-management systems to handle remote provisioning and tracking as well as remote wiping, said Gottlieb. IT departments in hospitals also must have baseline settings for the mobile devices, such as user locations, log-in times and level of activities, he said. "Log events from these devices and ensure that as thresholds are exceeded, you are alerted," Gottlieb advised. Health care organizations must also monitor mobile device activities and adjust security practices based on these activity logs, he said.

To address the threat from medical devices, health care organizations should conduct risk analyses, perform policy testing of networks and systems to ensure their integrity, and make sure that security criteria are part of system selection, said McMillan. Companies should also "maintain strict accountability of medical devices," said McMillan.
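Gottlieb's advice above amounts to three controls: a per-device baseline (approved locations, log-in hours, activity level), an event log from every enrolled device, and an alert when an event falls outside the baseline or a threshold is crossed. The script below is an added illustration of that logic, not code from the article, from Sensage, or from any MDM product. The baseline values, device names, users and log lines are all constructed for the example; a real deployment would take them from the organization's own device inventory and mobile-management system.

```python
"""Baseline-and-threshold checks over mobile device log events (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed baseline, one entry per enrolled device (hypothetical names and limits):
#   locations            - access points / rooms where the device is approved for use
#   login_hours          - (start, end) hour of day during which log-ins are expected
#   max_records_per_hour - patient-record accesses per hour before an alert fires
BASELINE = {
    "tablet-ward3-01": {
        "locations": {"ward-3"},
        "login_hours": (6, 22),
        "max_records_per_hour": 40,
    },
    "laptop-nurse-station": {
        "locations": {"nurse-station", "ward-3"},
        "login_hours": (0, 24),
        "max_records_per_hour": 120,
    },
}

# Constructed sample log, pipe-separated: timestamp|device|user|event|location|record_count
SAMPLE_LOG = """\
2013-04-12T07:15:00|tablet-ward3-01|dr.ng|login|ward-3|0
2013-04-12T07:20:00|tablet-ward3-01|dr.ng|record_access|ward-3|12
2013-04-12T23:40:00|tablet-ward3-01|dr.ng|login|parking-garage|0
2013-04-12T23:45:00|tablet-ward3-01|dr.ng|record_access|parking-garage|55
2013-04-12T03:10:00|laptop-nurse-station|rn.ortiz|login|nurse-station|0
2013-04-12T03:12:00|laptop-nurse-station|rn.ortiz|record_access|nurse-station|30
2013-04-12T09:00:00|unknown-phone-7|guest|login|ward-3|0
"""

NOT_ENROLLED = "device not enrolled in MDM baseline"
BAD_LOCATION = "location outside approved range"
BAD_HOURS = "login outside approved hours"
THRESHOLD = "record-access threshold exceeded"


@dataclass
class Alert:
    device: str
    user: str
    timestamp: str
    reason: str


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, device, user, event, location, count = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "device": device, "user": user,
            "event": event, "location": location, "count": int(count)}


def evaluate(log_text: str, baseline: dict = BASELINE) -> list:
    """Return one Alert per baseline violation found in the log text."""
    alerts = []
    hourly = Counter()  # (device, date, hour) -> record accesses seen so far
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        stamp = ev["ts"].isoformat()
        profile = baseline.get(ev["device"])
        if profile is None:
            # An unknown device on the network is itself the finding.
            alerts.append(Alert(ev["device"], ev["user"], stamp, NOT_ENROLLED))
            continue
        if ev["location"] not in profile["locations"]:
            alerts.append(Alert(ev["device"], ev["user"], stamp, BAD_LOCATION))
        if ev["event"] == "login":
            start, end = profile["login_hours"]
            if not (start <= ev["ts"].hour < end):
                alerts.append(Alert(ev["device"], ev["user"], stamp, BAD_HOURS))
        elif ev["event"] == "record_access":
            key = (ev["device"], ev["ts"].date(), ev["ts"].hour)
            before = hourly[key]
            hourly[key] += ev["count"]
            # Alert once, when the hourly total first crosses the limit.
            if before <= profile["max_records_per_hour"] < hourly[key]:
                alerts.append(Alert(ev["device"], ev["user"], stamp, THRESHOLD))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        print(f"{a.timestamp} {a.device} ({a.user}): {a.reason}")
```

Running it against the constructed log flags the late-night log-in from an unapproved location, the burst of record accesses that follows it, and the device that is not in the baseline at all; the daytime activity and the night-shift workstation produce nothing. The threshold check alerts only when the hourly count first crosses the limit, so a busy device does not flood the queue with a repeat alert for every subsequent access.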
"As more of these devices come on line and are digitally controlled, the likelihood of them becoming a key attack vector is great," Gottlieb wrote in an email to eWEEK.