Published: 2021-11-11
A full understanding of medical device security is vital for healthcare organizations, especially now that the internet of medical things (IoMT) is increasing in popularity. In 2016, the IoMT market stood at $22.5 billion, and it is expected to grow at a compound rate of 26.2% to reach $72 billion by 2021 (Medcity News). Medical device software has many features that simplify workflows for clinicians; for example, it allows doctors to view patient information at any time and from anywhere. However, it is important to understand the security concerns surrounding medical device software such as IoMT.
The top IoMT security concerns are data privacy, unsecure device software/firmware, user and device identity and authentication, and unsecure network services. This whitepaper will address the security concerns and ways in which healthcare organizations can combat these concerns.
Data Privacy
Keeping patient data safe should be a top priority. However, data breaches are common in the healthcare industry because of the value of a medical record to hackers. Monetary incentives are the primary driver for healthcare breaches. On the black market, hackers can obtain up to $1,000 for a stolen medical record (HITECH Answers). With this amount of money involved in the black market, healthcare providers should be concerned.
Unsecure device software/firmware
Health organizations' primary focus is on efficiency: getting a patient in and out of the hospital as safely and quickly as possible. This makes it hard for the healthcare organization to find the time to make sure devices are up to date and include the necessary security features. Some devices may never get any downtime to install a patch or fix a bug, since they are plugged in and connected to a patient. The importance of device uptime leads health organizations to the problem of relying on legacy systems. These systems tend to be out of date and slower than the modern devices available.
User and device identity and authentication
Some health organizations see passwords as a burden for clinicians to use because the time spent remembering and typing usernames and passwords every day for multiple applications quickly adds up and can be frustrating for clinicians if they can’t remember their credentials. This manual process of touching devices can also contribute to hospital acquired infections (HAIs) and requires the clinician to re-focus their time on technology challenges instead of patient interaction.
Unsecure network services
Another technical issue arises at the back end, when organizations don’t have secure network and mobile connections in place. These unsecured connections make it extremely easy for hackers to gain access to the network, eventually leading them to computer/mobile files and patient data.
Access Controls
One easy way to ensure devices stay safe is implementing the correct access controls on medical devices. Access controls consist of the following three things for a clinician: something they know, something they have, and something they are.
Fortunately, there are many different healthcare software solutions to choose from when implementing access controls. In terms of satisfying the “something they know”, health organizations can implement manual usernames and passwords for clinicians to type into the different medical devices. But as we discussed earlier, this can be cumbersome, consume extra time and be frustrating for clinicians.
For satisfying “something they have”, health organizations can purchase a badge to sign into devices. They can also use a token that generates a random assortment of numbers and letters for the clinician to type into the medical device to gain access; this is called a “hard” token. This can be simplified with a “soft” token: clinicians download an app, the code is generated in the app, and instead of typing in the code, clinicians just press “approve” to gain access to the device.
For satisfying “something they are”, healthcare organizations can invest in different biometric technology. Fingerprint scanners are very common in the healthcare environment. Iris scanners and palm vein readers are other forms of biometrics used in healthcare organizations. A newer solution, an accessory hand scanner, provides clinicians with the ability to log into medical devices, authenticate their identity, and collect patient information using their existing hospital ID badges. The scanner is enabled with RFID and barcode technology as well as Imprivata software, which helps fully integrate medical devices into a single sign-on workflow, which is prevalent in healthcare systems worldwide. The scanner can read both High Frequency (HF) and Low Frequency (LF) badges, so regardless of the mix of badges the hospital uses, the scanner can be utilized.
As you can see, there are many different types of access controls to choose from. Making sure the most appropriate access controls are put in place is vital for a healthcare organization. For example, imagine if a fingerprint scanner was implemented in a setting where gloves were required to be worn. In many cases this will lead to workflow workarounds, which we’ll talk about in more detail later. It’s important to carefully assess the ideal clinical workflow and then implement a security solution that integrates into that workflow as opposed to hindering it, so staff adhere to protocols.
Educate on operating standards
Everyone working in the healthcare industry needs to understand the importance of security, data protection, and HIPAA compliance. Many times, clinicians don’t fully understand the importance of access controls, so they will find workarounds to avoid them. These workarounds typically save clinicians time but can cost the healthcare organization millions of dollars. A single HIPAA fine can cost the health organization thousands of dollars. In 2017 there were 10 HIPAA violations amounting to $19,393,000 (HIPAA Journal). The most common workarounds are listed below:
Not Requiring Credentials
One of the most popular workarounds is simply not requiring credentials to gain access to a medical device. Although this may seem appealing and reduce workflow cycle times, improper authentication can allow harmful people to gain access to medical devices and patient information and opens the hospital to data security breaches.
Shared Passwords
Even when credentials and passwords are implemented correctly, a simple workaround to entering them is sharing that information. Instead of logging out after use, a clinician can be tempted to leave the device logged in for the next person, which circles back to the first workaround of not requiring credentials. This can also affect data accuracy because audit logs can no longer be trusted.
Not Fully Utilizing IT Investments
Many modern vital sign devices are connected to the hospital network so data can be fed directly into Electronic Medical Records (EMR), improving accuracy and ensuring the correct patient data is available to make appropriate care decisions. These modern devices typically require a larger investment than non-connected devices, and for the device to be fully optimized, the user must be authenticated, ensuring that only qualified staff are accessing the device. Unfortunately, current methods for authenticating clinicians require staff to manually type in usernames and passwords repeatedly, which becomes tedious. Clinicians will eventually find workarounds such as not using connectivity to the network and instead writing down the patient vitals, then entering them manually into the EMR. This non-compliance comes with many risks to the hospital, including financial loss, since they are not utilizing IT investments to their full potential, and patient data being inaccurate, assigned to the wrong patient file, or not captured at all, resulting in delayed care decisions, inappropriate decisions, or a decline in patient status.
Conclusion
It is imperative that healthcare organizations understand the risks associated with medical devices used at the point of care and consider them as part of the overall clinical workflow which must be secure end-to-end. As hospitals are under extreme pressure to reduce data breaches and keep patient data secure, they must determine how to integrate medical devices into their existing secure workflows without adding burden or time to clinicians.
Article Co-Sponsors
About Imprivata Medical Device Access: Imprivata Medical Device Access is part of a comprehensive identity and multifactor authentication platform for fast, secure authentication workflows across the healthcare enterprise. Imprivata Medical Device Access combines security and convenience by enabling fast, secure authentication across enterprise workflows while creating a secure, auditable chain of trust wherever, whenever, and however users interact with patient records and other sensitive data.
For more information please visit https://www.imprivata.com/medical-devices
About Imprivata: Imprivata®, the digital identity company for healthcare, provides identity, authentication, and access management solutions that are purpose-built to solve healthcare’s unique workflow, security, and compliance challenges. Imprivata enables healthcare securely by establishing trust between people, technology, and information across the increasingly complex healthcare ecosystem. For more information, please visit www.imprivata.com.
About JADAK ThingMagic HS-1RS Secure Hand Scanner: The HS-1RS integrates 1D and 2D barcode scanning with RFID proximity card reading functionality in a single, ergonomic, and compact design. This allows clinicians to use their proximity ID badges for seamless and secure user authentication and access to medical devices while also capturing barcode data, such as patient wristbands or medication information, with a single device. For healthcare facilities, the HS-1RS provides simplified workflows, time efficiencies, and infection control, since clinicians can quickly scan their ID badge to log into devices, medicine cabinets and ID patients instead of using a password or other methods that can spread infection and add a significant amount of time to the clinician workflow. And since the scanner was designed specifically for healthcare applications, the plastics are durable against sterilization and disinfectants typically used in hospital settings.
For more information please visit https://www.jadaktech.com/products/thingmagicrfid/flexpoint-hs-1-and-hs-2-handheld-barcode-and-rfid-scanner-series/
About JADAK: JADAK, a business unit of Novanta, is a market leader in machine vision, RFID, barcode, printing, and color and light measurement products and services for original equipment manufacturers. The business designs and manufactures custom embedded detection and analysis solutions that help customers solve unique inspection, tracking, scanning and documenting challenges. JADAK is based in Syracuse, New York, with sales and technical locations across the globe.
ThingMagic is JADAK’s RFID line of products.
Novanta is a trusted technology partner to OEMs in the medical and advanced industrial technology markets, with deep proprietary expertise in photonics, vision and precision motion technologies. For more information, visit www.novanta.com