Security experts to share tips for assessing the risk of medical devices at HIMSS16

Hospital IT shops and security staff need to think of medical devices as computers, but ones with even more vulnerabilities, said Steve Spearman, VP of HIPAA Compliance at Healthicity.
By Deirdre Fulton
01:21 PM

It seems simple enough: If a piece of medical equipment is storing, receiving, transmitting, or processing electronic protected health information, it falls within the category of devices that are covered under HIPAA.

Yet, “for many practitioners, it just hasn’t occurred to them that medical devices are computers or are interfaced with computers,” said Steve Spearman, vice president of HIPAA Compliance Services of Healthicity, an information security consulting and services firm focused exclusively on healthcare.

In turn, they fail to include the security of medical devices in their risk analysis processes. And that, Spearman warned, can be a dangerous and costly mistake. “In addition to the standard problems with computer vulnerabilities, compromised security in medical devices is particularly prone to issues that can affect patient care, even patient safety,” he said.

As recently as November 2015, Lahey Hospital and Medical Center in Massachusetts agreed to pay $850,000 and implement a corrective action plan after settling with the Department of Health and Human Services Office for Civil Rights over a stolen laptop that was used to operate a portable CT scanner.

The nonprofit teaching hospital was cited for failing to conduct an accurate and thorough risk analysis, failing to implement appropriate physical security measures, failing to assign a unique user name to identify and track users and, lastly, for disclosing the ePHI of 599 individuals whose data was stored on the laptop, Spearman said.

“Medical devices pose risks similar to all other computers,” he said. “Vulnerabilities in medical devices can be exploited to gain inappropriate access to network resources.”

Spearman, along with Mary McGuirl, Director of IT at Oneida Healthcare in New York, will present the session, “Assessing the Risk of Your Medical Devices,” at HIMSS16.

With Spearman as a “nuts-and-bolts kind of guy” and McGuirl providing perspective on practical issues such as resource constraints and organizational challenges related to meeting federal requirements at a small regional hospital, the pair hopes participants come away better equipped to include medical devices in their annual risk assessment.

Left out of risk analyses, medical devices “can be a vector for malware,” Spearman said, noting that many run on software or firmware that is not easily updated to more secure versions.

He pointed to “inappropriate access controls,” such as weak or non-existent credentials, as a common issue that can be exploited “to undermine the integrity of the medical record.”

“Even worse,” he continued, “sometimes these credentials are hard-coded and they can’t be changed! If there are no ‘unique users’ how can you conduct audits, research complaints, respond appropriately to incidents? You can’t.”

The session, “Assessing the Risk of Your Medical Device,” will take place from 11:30 a.m. to 12:30 p.m. on Thursday, March 3, in Palazzo L.

This story is part of our ongoing coverage of the HIMSS16 conference.