alphaspirit - Fotolia

IoT medical device security calls for broader measures

It's a daunting task trying to ensure complete IoT medical device security, and it may even seem impossible. Two industry experts discuss this issue and offer their advice.

One day at Intermountain Healthcare, based in Salt Lake City, an audiology device went missing.

This particular device had come into the hospital via a different channel -- most likely through a different manufacturer -- than many of Intermountain's other devices. And because of this variance, Karl West, CISO at the organization, couldn't verify what operating system the device had, how it came into the hospital and what its lifecycle management was.

"It caused quite a scramble for us," West said. "Those devices have to be monitored and maintained just like our standard PC desktops. We need to know where they're at, what data is on them and what controls are on them."

Furthermore, some devices have the ability to have static information, which means they can store patient information over a prolonged period of time. This was the case with the missing audiology device.

"Having persistent data becomes an issue, because now every patient I have seen has been stored on the audiology device," West said.

Luckily, the audiology device was eventually found. On it, West discovered two-and-a-half years' worth of stored patient data.

Intermountain ensures IoT medical device security

Karl West, CISO, Intermountain HealthcareKarl West, Intermountain Healthcare

With the Internet of Things (IoT) in healthcare becoming a reality, West explained that he and his team realized that simply taking inventory of all devices and applications wasn't enough to ensure IoT medical device security. So, they began to create a data dictionary. This helps West and his team know "where all data resides, where it originates, where it moves [and] what its transmission capabilities are," he said.

"At Intermountain, we're collecting categories of risk," West said. "We now have an inventory of all medical devices that focuses on the data that's inside."

Intermountain has mobile device inventories, server inventories and more.

"We're looking at those to say, 'What data is on the device, and what's the classification of data we would allow on that device?'" West said.

We now have an inventory of all medical devices that focuses on the data that's inside.
Karl WestCISO, Intermountain Healthcare

In addition to creating a data dictionary, Intermountain is also working on putting classifications around devices. For example, if a physician is carrying a device around, what classification is that device and what data is associated with that classification?

"So then, we know what should be on a device and what shouldn't be, and we'd monitor that," West said. He added that tools would be put in place to monitor whether the data is changing and whether it is flowing where it should be.

"It's a sophisticated process [and] a lot of work," West said, adding that it's not so much about understanding the device itself as it is about understanding the data the device has.

Philips Healthcare's responsible disclosure policy

"A component of that is how we handle incidents and potential vulnerabilities that could impact our solutions," said Michael McNeil, global product security and services officer at Philips Healthcare. "We have an entry point or a doorway that says, 'If you do find some information, here is how you need to document it securely and be able to communicate it to our organization.'"

This approach is the core of Philips' responsible disclosure policy, and its purpose is to provide external parties -- whether researchers or healthcare organizations -- access to Philips if they encounter a problem or have discovered vulnerabilities with medical devices.

Michael McNeil, global product security and services officer at Philips HealthcareMichael McNeil, Philips Healthcare

Philips takes that feedback and incorporates it into the company's incident response processes and customer education efforts, McNeil said.

While other industries have already adopted responsible disclosure policies, the healthcare and the medical device industries lag behind, McNeil said.

To catch up, organizations need to ensure that "they are following appropriate sets of standards and policies, that they incorporate internal and external testing of their products and solutions, [and] that they are conducting appropriate risk assessments in their development process," he said.

Advice for healthcare CIOs

To better ensure IoT medical device security, CIOs should make sure they have a good understanding of their inventory of devices and confirm they follow best practices on how those devices should be deployed, McNeil said.

He added that healthcare CIOs should also work closely with manufacturers and the community "to make sure they are aligned on how these devices are being executed in their environments," McNeil said. "I would like to see the manufacturers, and the CIOs and those individuals that manage those environments, be able to work more closely together and adhere to those activities associated with keeping the device up."

Let us know what you think about the story and IoT medical device security; email Kristen Lee, news writer, or find her on Twitter @Kristen_Lee_34.

Next Steps

No compelling healthcare IoT business case yet, one CTO says.

IoT in healthcare is a market disruptor, according to expert.

Emerging healthcare IoT technologies

Dig Deeper on Internet of Things (IoT) in Healthcare