
With the recent news from the FDA on cybersecurity vulnerabilities in a volumetric infusion pump from one manufacturer, I feel that some information needs to be shared about both how the vulnerabilities were perhaps discovered and what solutions are being developed and currently offered in the enterprise to eliminate or greatly reduce these types of vulnerabilities.

Download PremarketSubmissions

Download Guidance for Industry Cybersecurity

First, this access was proven by an independent researcher and did not actually occur at a clinical site. There were no adverse events noted. This type of intrusion “testing” seems to be a norm for “independent” folks who want to show the potential vulnerability of IoT (Internet of Things) devices, in this case medical devices.

The critical point I have learned after spending years and years in this space: if you try hard enough, networks and devices can and will be breached. It is not only the combination of technology “gotchas” but also the “human factor” security practices that come into play. In spite of this, there are solutions now that, in my professional opinion, can substantially improve this situation if not eliminate the issue altogether. The addition of back-end, real-time network IDS (intrusion detection systems) and the use of multi-factor biometric authentication to positively identify and link the right user with the right device enables an easy-to-use and more secure solution for edge IoT devices such as this. This essentially locks down the edge device as a portal to the network and provides “protection as systems of systems” through multiple layers of security.

Second, another key challenge for healthcare systems today is to ensure that they have an end-to-end security strategy with enforced policies, and that it is kept current; this is a moving target. It is highly recommended that the healthcare enterprise test and validate networked (wired and wireless) medical and non-medical devices before they go live on a network, in line with best security policies.

Additionally, comprehensive intrusion prevention (wired and wireless) should be enforced 24/7/365, with the ability to analyze existing and day-zero threats in real time against historical data to accurately detect all wireless attacks and anomalous behavior. Automatic rogue mitigation should be provided that detects rogues and removes them from the network. Forensic analysis should provide the ability to retrace the steps of any or all devices, regardless of the application, down to minutes. Finally, reporting tools should be provided for various regulatory mandates such as PCI DSS, DoD 8100.2, HIPAA, GLBA, and Sarbanes-Oxley.

In summary, at the point of care we have the electronic healthcare record using what seems an outdated username-and-password system. The highest incidence of network or device security breaches is simply because of passwords and inadequate identification methodologies. In the healthcare and medical device industry, medical devices currently have virtually no authentication of the user of the particular device. Consequently, not only could the device itself potentially be breached, but that device becomes a back door to the entire network. The solution: use “multi-factor” biometric authentication. However, it is critical that the multi-factor biometric templates be kept separate from the IoT device and out of the cloud so as to ensure the biometric template cannot be breached. The biometric template would be held not on the medical device or in the cloud, but in a highly secure CAC (common access card) that stays with the user. In this way, positive identification and authentication of the approved user to the device is made directly at the point of care. A new company, BluStor (www.blustor.co), has developed such a platform, enabling positive identification and user authentication, preventing both network breaches and fraud. This provides the final link in the end-to-end security solution needed.

Multi-factor biometrics can now essentially act as internal “firewalls” against outside access, both protecting the device and the network and providing an audit trail of activity.

Check out BluStor at www.blustor.co

Download CyberGate

Download Microsoft Word – WhitePaper_333.doc

Check out www.biometricupdate.com