Here is the latest installment of the HIMSS Privacy and Security Committee column called PSST! Keep reading to learn more about the column and this month's topic: Medical Device Security and Risk Management.
by Dennis M. Seymour, Chief Security Architect, Ellumen, Inc.
The HIMSS Privacy and Security Committee chose medical device security and risk management as the topic of this month's PSST! It is certainly a hot topic, and our committee is fortunate to have a dedicated task force, including members of NEMA-MITA, ACCE, vendors and healthcare organizations, that has addressed the complexities of the issue over the past eight years.
Let’s begin by describing the issue.
Before HIMSS took up the issue, a number of organizations, including the Department of Veterans Affairs (VA), identified medical devices as a risk that many organizations might not specifically address, even after implementing HIPAA requirements. Many organizations did not classify these devices as information technology devices at all.
In 2003, Congressional oversight committees charged the VA with addressing security issues specific to medical devices and medical research activities. At that time the Veterans Health Administration (VHA) opened its Center for Healthcare Information Security (CHIS) with these specific goals in mind. CHIS was a division of the VHA Health Information Security Service that oversaw information assurance requirements for the VHA's 163 medical centers and enterprise systems, including the Veterans Health Information System and Terminal Architecture (VistA), later renamed the Veterans Health Information Systems and Technology Architecture (VistA) as networks and infrastructure changed.
Recent articles lead the community to believe that medical device vulnerabilities are a new topic; however, HIMSS has been working for more than eight years on issues related to medical device security and risk management with the American College of Clinical Engineering (ACCE), the National Electrical Manufacturers Association (NEMA) and its Medical Imaging and Technology Alliance (MITA), medical device vendors, healthcare organizations, Federal agencies including the VA, DoD and the National Institute of Standards and Technology (NIST), and HIMSS members.
In 2003, the HIMSS Privacy and Security Steering Committee created the Medical Device Security Task Force to develop a risk assessment process for medical device security so that medical device vendors could work collaboratively with healthcare organizations to develop a common document or process for risk management. The result, in early 2004, was the release of the Manufacturers Disclosure Statement for Medical Device Security, known as the MDS2.
The first version of the MDS2 was specifically designed to give medical device vendors a single form they could provide to healthcare organizations, both those already using devices as well as those considering purchase of devices. This document detailed how their devices support the requirements of the Health Insurance Portability & Accountability Act (HIPAA).
The original form was specifically mapped to HIPAA Security and Privacy requirements and included instructions on the completion and use of the form. The HIMSS task force developed the form, and upon its release a number of organizations, including NEMA-MITA, ACCE, ECRI and others, endorsed it and provided access to it through their websites to members. Over the past eight years, medical device vendors have completed thousands of forms for the devices they sell, and the document is now required during the purchase process by many organizations, including the Department of Veterans Affairs and the Department of Defense. A quick Internet search with any search engine will turn up thousands of MDS2 forms posted on vendor portals.
In March 2007, HIMSS invited its members to join an industry task force to rework the MDS2 and document the changes necessary to meet the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The goal of the work group was to conduct a review and writing session for the HIMSS Manufacturer Disclosure Statement for Medical Device Security (MDS2) to convert the document into a standard that can be "referenced" in regulations promulgated by agencies of the U.S. government or other national bodies.
HIMSS was seeking representatives from the following example stakeholder groups:
- Covered entity organizations responsible for ePHI risk management under HIPAA (e.g., Providers, Plans, etc.);
- Medical Device Vendors (e.g., Imaging, Monitoring, Pumps, Ventilators, Analyzers/automation, etc.);
- Federal Government (e.g., DoD, VA, VistA, Biomedical Engineering, Indian Health, FDA, CDC, NIST, HHS, OCR, Homeland Security, etc.);
- IT Security Community (e.g., Center for Internet Security, etc.);
- Industrial Consortia / Interest Groups (e.g., NEMA, ECRI, COCIR, JIRA, ACCE, CLSI, etc.);
- Purchasing and buying organizations (e.g., Group Purchasing Organizations); and
- Third-party suppliers of commercial off-the-shelf (COTS) components for medical devices.
Last year, HIMSS began working with NEMA-MITA, ACCE, device vendors, and healthcare organization representatives to rework the MDS2 to map to the draft requirements of the IEC 80001-1: Application of risk management for IT-networks incorporating medical devices — Part 1: Roles, responsibilities and activities, including the following attribute areas:
- Automatic Logoff (ALOF)
- Audit Controls (AUDT)
- Authorization (AUTH)
- Configuration of Security Features (CNFS)
- Cyber Security Product Updates (CSUP)
- Data Backup and Disaster Recovery (DTBK)
- Emergency Access (EMRG)
- Health Data De-Identification (DIDT)
- Health Data Integrity and Authenticity (IGAU)
- Health Data Storage Confidentiality (STCF)
- Malware Detection/Protection (MLDP)
- Node Identification (NAUT)
- Person Authentication (PAUT)
- Physical Locks (PLOK)
- Security Guides (SGUD)
- System and Application Hardening (SAHD)
- Roadmap for 3rd Party Components in Device Lifecycle (RDMP)
- Transmission Confidentiality (TXCF)
- Transmission Integrity (TXIG)
- Unique UserID (UUID)
- Other Security Considerations
HIMSS, NEMA-MITA, ACCE, and other organizations anticipate the release of the new MDS2 in late June with the publication of the document and instructions to follow shortly thereafter.
HIMSS, partner organizations and their members are glad to see Congressional attention being given to the issue of medical device security, along with attention from the Office of Management and Budget (OMB), the Food and Drug Administration (FDA), and the National Institute of Standards and Technology (NIST).
Recent hearings, and the request by House of Representatives members Anna Eshoo (D-CA) and Edward Markey (D-MA) that the Government Accountability Office (GAO) prepare a report on this situation, can only help healthcare organizations better estimate their risks; however, organizations and medical device vendors should be aware that efforts such as the MDS2 development are already in place to help mitigate and reduce risks to healthcare networks that have medical devices connecting to them.
So, when you read articles that the “sky” of medical devices is falling, consider that fellow HIMSS members and other related organizations are doing what they can to be our world’s “Atlas.” The HIMSS Privacy and Security Steering Committee, and our Risk Assessment Work Group, the Mobile Device Security Work Group, and Medical Device Security Task Force continue to develop processes, procedures and best practices in support of reducing your organization’s risks in every way possible.
We continue to evolve the complete suite of HIMSS P&S Toolkits to provide your organization with information and tools.
We hope you found this month's PSST! topic worthwhile and will review and use the MDS2 when it is published in the coming months. Whether you are in biomedical engineering, clinical engineering, information technology or another profession supporting healthcare operations, you must agree that having a method for assessing and mitigating risks in our healthcare environments at every point of care should be a central focus.
Have an idea for a future "PSST!"? Contact Sean Murphy, Chair, HIMSS Privacy and Security Committee, at email@example.com