IT leaders talk medical device security, minimizing risk

Their greatest concerns: outdated, unpatched systems with default passwords.
By Jessica Davis
09:50 AM

When it comes to medical device security, the greatest challenge is equipment running on outdated systems. The issue then becomes how to protect the data and determine whether the equipment is safe to operate, explained John Houston, vice president of privacy & information security and associate counsel at UPMC.

"Hackers aren't going to differentiate that it's connected to a piece of medical equipment, but that's not the predominant concern," Houston explained. "If it's hacked for any person, and it makes the equipment unsafe, that's a concern."

At the HIMSS Privacy and Security Forum in Boston on Tuesday, Rick Hampton, wireless communications manager for Partners HealthCare, echoed the sentiment: "The average typical person isn't going to be targeted. ... We do look at what can be hacked, but what we're really terrible at is putting it in context of what is a real risk."

Hampton treats medical devices like desktop computers and big systems that stay idle for long periods of time: the risk on these is the same. But it's difficult to apply everything you know about security against the broad spectrum of medical devices on the network.

To begin tackling this obvious concern, Mayo Clinic's Director of Clinical Information Security Kevin McDonald handcrafts solutions for the unpatched machines.

But it's costly and time-consuming. And McDonald explained organizations are able to go back to the manufacturers to work on vulnerabilities, but "it's not pretty – and not fun."

Default passwords are standard on medical devices, but are also often left unchecked. McDonald said these passwords can be changed, but most don't want to do it because it's difficult.

To address safety on a more tangible level, organizations can work on segmentation, monitoring and creating jump boxes between the devices and the network.

"You have to segment that equipment," Houston said. "You typically block, firewall or whitelist traffic in front of the device, which can limit the spread of the issue if there's a problem. ... That's probably the sanest way to do it.

"You can firewall every medical device," he added. "But that would be impractical."

Partners takes it a step further, by educating users on signs the device has an issue and how to report it to the organization. And for Hampton, it's also about asking the tough question:

"We're never going to be able to fully secure it; do we really need this thing connected to our network?

"What scares me the most is not medical devices. It's that doctors want to use consumer-grade devices to track health," he continued. "But no one is going to find a Bluetooth that doesn't connect to every other device that uses Bluetooth."

For Houston, this becomes a challenge to current security models because it's no longer possible to microsegment the equipment, as the attacks are coming from a different avenue. Now UPMC has to look at how the device is going to connect to the network.

And at times that means giving in when a provider insists on a certain piece of equipment.

"We do an evaluation up front when we want to purchase a piece of medical equipment - that helps us improve our security posture," Houston said. "But the need for the equipment often trumps security. Even if we know there's something wrong with it."

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

