Indiana University building a medical device security lab with TRIMEDX

The goal is to help healthcare organizations "remediate vulnerabilities before equipment reaches the patient floor."
By Mike Miliard
10:25 AM

Photo: Thomas Barwick/Getty Images

Indiana University Health is working with TRIMEDX to create a new cybersecurity lab that will assess and test medical device security, in hopes of reducing cybersecurity threats as part of the devices' development process.

WHY IT MATTERS
TRIMEDX, which specializes in clinical engineering and clinical asset management, will bring its technology expertise to the Medical Device Security Lab at IU Health – collaborating on the testing of the health system's medical devices for security vulnerabilities and interoperability. The provider-built company has data on 92% of all active medical device models.

The aim for the security lab is to perform testing on medical equipment in an environment with no risk to patients. Cyber researchers will assess net-new devices in advance of their implementation in the hospital.

Additionally, they'll test configurations and security setups to discover what services need to be turned on and what ports need to be available on the network to ensure operational safety. And they'll scan equipment specific to security testing with no live network or risk of patient impact.

The goal is to eventually share these capabilities with other health systems, according to both organizations.

"Mitigating cybersecurity threats is vital to protecting patient safety and data," said Nick Sturgeon, executive director of information security at Indiana University Health, in a statement. "The cutting-edge device testing lab enhances the ability to remediate vulnerabilities before equipment reaches the patient floor."

THE LARGER TREND
IU Health and TRIMEDX note that nearly 70% of medical devices are projected to be connected devices by 2025.

Meanwhile, reports consistently show that hospitals still don't have a handle on their IoT security strategies. More than half of respondents to one recent survey said their healthcare organizations experienced one or more cyberattacks in the past 24 months involving connected medical devices – many of which, the FBI has warned, are outdated.

Policymakers are trying to get a handle on the challenge with legislation such as the PATCH Act, which would put in place baseline cybersecurity requirements for device manufacturers applying for FDA approval and require plans to monitor and address post-market vulnerabilities.

Ultimately the onus is on provider organizations to build and maintain effective medical device security programs.

ON THE RECORD
"The increase in threats and vulnerabilities is exactly why this collaboration is so important," said Sturgeon in a statement. "The collaboration will allow us to be at the forefront of innovation and to continue to protect the health and security of patients."

"We expect that this Medical Device Security Lab will pave the way in creating a space for devices to be tested before usage and begin to flag common security issues prior to the implementation of the devices in a healthcare setting," added Doug Folsom, chief technology officer and president of cybersecurity at TRIMEDX. 

"The intent is to see an overall decrease in device security threats and eventually make this research open and available to many more organizations," he said.

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a HIMSS publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.