Connected medical device security: Why it matters - July 2021 By Pamela S. Hrubey, CCEP, CIPP/US, Dr.PH, and Lucas J. Morris, CISSP - Crowe LLP
The rapidly increasing use of connected medical devices is revolutionizing patient and consumer interactions with health professionals and health systems. However, the transmission of sensitive data via such devices carries risks. Organizations that use connected medical devices should perform the necessary risk assessments to make sure that they comply with the applicable regulations, that sensitive data remains secure, and that attackers are kept at bay. By understanding the myriad regulations at large and by addressing the risks involved in using connected medical devices, organizations can mitigate their own risks and support their patients, clients, and consumers with confidence.

The internet of medical things

Manufacturers are producing more and more connected devices, commonly referred to as smart devices, that constitute the internet of things (IoT). From lightbulbs and kitchen appliances to door locks and thermostats, consumers have eagerly adopted the smart versions of common technologies.

One rapidly growing subset of the IoT is medical devices, also referred to as the internet of medical things (IoMT). On average, U.S. hospitals report 10 to 15 connected medical devices per patient bed.[1] More than 350,000 connected medical devices can be running concurrently in larger hospital systems, individual patients maintain millions of their own devices, and within the next 10 years more than 50 billion connected medical devices could be in use globally.[2]

Clearly, internet connectivity is here to stay with medical devices. Whether used in hospitals, in clinics, or at home, this revolution in medicine is allowing patients to gather data on their own health, and many devices offer doctors and care providers greater visibility into the health and lifestyles of their patients. Some devices even make more precise treatments possible.
While all this connectivity allows patients, providers, and medical professionals to enhance their health and services, it comes with additional risks. If attackers gain access to medical devices or their communication channels, they might be able to obtain patient data or negatively affect patient health. In fact, compromised devices potentially could cause severe injury or death. The U.S. Food and Drug Administration (FDA) has released several safety communications since 2013 highlighting instances in which medical devices were found to be vulnerable to attack. The vulnerabilities included potential breach of patient data and risks to patients' health. For example, in 2019 the FDA warned of a set of vulnerabilities (URGENT/11) in a widely used third-party software component embedded in devices from a number of manufacturers, which could lead to the loss of patient data or prevent devices from functioning.[3]

When breaches occur, responsibility is determined in several ways. According to the FDA, medical device manufacturers (MDMs) are responsible for the security of the devices they produce, healthcare delivery organizations (HDOs) are responsible for the security of their hospital systems, and both MDMs and HDOs share responsibility for addressing patient safety risks and ensuring proper device performance. Those responsible for the security of the devices could face federal fines and class-action lawsuits, and they ultimately could suffer reputational damage if security- and privacy-related issues become publicly exposed.
Regulatory risks and expectations

In many jurisdictions, health information is a class of data that carries regulatory guidance and control expectations, so MDMs and HDOs are required to maintain an accepted level of control and risk mitigation specific to medical devices. In the United States, one of the main entities that provides guidance for medical information is the Office for Civil Rights (OCR), the main enforcement arm of the Health Insurance Portability and Accountability Act (HIPAA). The General Data Protection Regulation (GDPR) sets data privacy and protection requirements, as well as control expectations, for all companies that handle, process, or transmit the personal data of individuals in the European Union. Additionally, the FDA oversees and enforces the manufacturing requirements for medical devices used in the United States.

All these regulations have different impacts on and expectations for the controls and designs of medical devices. Therefore, it is crucial for organizations to understand how the regulations affect the configurations and vulnerabilities associated with medical devices.

HIPAA and protected health information

The Health Insurance Portability and Accountability Act is a federal law that requires U.S. medical organizations to protect patient health information from disclosure. HIPAA does not explicitly state controls for medical devices; however, controls are necessary to safeguard protected health information (PHI).
Because medical devices capture and transmit PHI, the manufacturer is treated as a business associate under HIPAA when it creates, receives, maintains, or transmits that PHI on a covered entity's behalf (for example, through a cloud back end or a remote support connection), but it is not a covered entity. A business associate is defined as "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."[4] Covered entities include healthcare providers that "transmit any information in an electronic form in connection with a transaction for which [the Department of Health & Human Services] has adopted a standard," health plans, and healthcare clearinghouses.[5]

HIPAA's Security Rule applies to business associates as well as covered entities, but it prescribes no medical-device-specific controls or guidelines that business associates must follow when designing controls for devices within their organizations. When complying with HIPAA, organizations must therefore understand the risk that medical devices pose to the loss of PHI or to the other devices on their networks. Performing a risk assessment is the main avenue for exploring the risks associated with connected medical devices.

According to the National Institute of Standards and Technology (NIST), a risk assessment is "the process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the nation, resulting from the operation of an information system."[6] Risk assessments also include threat and vulnerability analyses that can help guide the organizational decision-making process when implementing controls to address identified risks and potential vulnerabilities. For covered entities, both performing a risk assessment and understanding the scope and types of medical devices the organization uses are paramount concerns as they relate to HIPAA.
GDPR's wide-ranging protections

The GDPR is considered the most stringent set of regulations governing data use and protection ever implemented. It is intended to shore up the protections afforded to consumer data and reinforce consumers' fundamental right to privacy. The European Commission defines personal data as "any information that relates to an identified or identifiable living individual."[7] The GDPR protects the personal data of European Union (EU) citizens and of anyone who is in the EU, regardless of citizenship status.

In addition to the protections established for personal data, the GDPR places special emphasis on information categorized as sensitive personal data (the regulation's "special categories of personal data"). Generally, sensitive personal data includes data concerning health, genetic data, biometric data, and personal data that reveals racial or ethnic origin. The GDPR applies to organizations in the United States that control or process the personal data of individuals in the EU. Because medical devices collect information that falls into the GDPR's sensitive category, organizations around the world need to consider whether their medical devices will be used by people in the EU.
The GDPR requires a lawful basis for processing personal data, and for health data it additionally requires one of the specific conditions the regulation lists for special categories. Patient consent is one such basis, and it is frequently the one healthcare providers rely on; where another lawful basis applies (for example, processing necessary for the provision of care), the provider does not need to obtain consent. To obtain valid consent, organizations must meet several criteria: consent must be freely given, specific, informed, unambiguous, and, for health data, explicit. Additionally, the burden of proof for consent tracking is placed on the controller. The controller needs an audit trail around the consent, as consent can be revoked by the user at any time.

In terms of technical control expectations, GDPR requirements are similar to the HIPAA Security Rule. The GDPR is not specific about technical controls, and it does not require controllers or processors to follow any particular control framework or standard. However, it does state that organizations should use appropriate technical and organizational measures. As with HIPAA, the GDPR requires that organizations have a good understanding of the level of risk they assume when handling patient information. U.S. organizations concerned about GDPR risk should evaluate whether the risk assessment they perform for electronic protected health information (a process that should already be in place under HIPAA) also covers personal data as defined in the GDPR.

In one example of GDPR enforcement, the Data Protection Authority (DPA) in the Netherlands took action against a public insurance agency for not requiring multifactor authentication on an online portal containing personal health data. The portal was used to report employees' missed work dates due to general illness or pregnancy; it did not contain any information about the illnesses or conditions themselves. The DPA nevertheless ruled that this information constituted health data because it still revealed information about employees' health. The DPA ordered the organization to conduct a privacy assessment and implement its results by a set date, with the threat of fines should the implementation not be completed on time. That the DPA treated seemingly innocuous data as health information demonstrates that any connected medical device falls under the GDPR when the device is used on a person in the EU.[8]
FDA medical device regulations

The main focus of both HIPAA and the GDPR is to safeguard patients' privacy and to protect patients from losing data that belongs to them. But another level of regulation involves the devices themselves. The FDA's Center for Devices and Radiological Health regulates organizations that manufacture, repackage, relabel, and import medical devices sold in the United States. FDA regulations, as opposed to HIPAA and GDPR regulations, focus on defining manufacturing processes that assure the safety of the patients who use medical devices.

Establishments that manufacture or distribute medical devices sold in the United States must register with the FDA through the establishment registration process, and the devices themselves must be listed. Medical devices generally are categorized into three classes (I, II, and III), and regulatory scrutiny increases with the class. In general, the basic components of compliance for medical devices include the following areas:[9]

• Establishment registration
• Medical device listing
• Premarket notification 510(k) (unless exempt)
• Investigational device exemption
• Quality system (QS) regulation
• Labeling requirements
• Medical device reporting
QS medical device manufacturing requirements rely on an umbrella approach, similar to the current good manufacturing practices applied to most manufacturing companies. Because the regulation applies generically to all medical devices, it is not prescriptive in nature but rather provides a known good manufacturing practices model that organizations must follow. Broadly, manufacturers should take care when developing their QS and consider which sections of the QS regulation (21 CFR Part 820) apply to their specific products and operations. Manufacturers are responsible for establishing requirements and procedures for all devices to ensure that they are safe and effective and meet QS requirements.[10]

Medical devices that might have caused or contributed to the death or serious injury of a patient must be reported to the FDA under its medical device reporting program. The regulation supporting reporting is 21 CFR Part 803. Additionally, certain device malfunctions must be reported to the FDA.[11] The primary function of this regulation is to identify and remediate issues that arise with medical devices in a timely manner, with the goal of protecting patients from related risks.

Sensitive data storage and transmission risks

Medical devices house and process sensitive information, so technical data protection mechanisms are essential components of medical device security. Because connected medical devices both transmit and store medical information, protecting health information becomes more difficult when devices use many different mechanisms to send and store the data they generate. Therefore, particular attention should be paid to sensitive data storage and transmission risks.
Data storage risks

Though some medical devices store patient data, users might not be able or allowed to gain direct access to the data files stored on the devices. However, the data might still be accessed through other means (such as a website, mobile app, or built-in interface). HIPAA does not require patient data to be encrypted, but it does consider encryption to be an addressable safeguard. Addressable does not mean optional: the covered entity or business associate must implement the safeguard if its risk assessment finds it reasonable and appropriate, or document why it is not and adopt an equivalent alternative measure. In practice, manufacturers might not encrypt patient data while it is stored on medical devices, which could give an attacker access to patient data if the attacker gains access to the device itself (physically or remotely).

Transmission risks

One of the most common functions a connected medical device performs is transmitting sensitive information to another device or dashboard where the data can be processed appropriately. Attackers study the most common transmission protocols for this sensitive information to determine whether they can gain unauthorized access to PHI through weaknesses in the transmission protocol. The transmission standard healthcare providers most commonly use for sensitive data is Health Level Seven (HL7).

HL7 was developed by Health Level Seven International, a not-for-profit organization that provides frameworks and standards for exchanging electronic health information. Two major versions of HL7 currently are in use: HL7v2 and HL7v3. HL7 has been implemented in 35 countries across the world, and in the United States, 95% of healthcare organizations use HL7v2.[12] HL7v3 is far less widely adopted. HL7v2 provides numerous customizable options when transmitting data; however, customization raises interoperability concerns when sharing data with other organizations. HL7v3's main function is to provide more structure for the process, limiting the amount of customization needed in order to transmit the necessary information.[13]
Because HL7 is the de facto standard for transporting sensitive patient data between different healthcare systems, connected medical devices need the capability to use HL7, even if that capability is not enabled by default. Organizations should be aware of HL7's limits, however. Developed in 1989, HL7v2 does not include encryption as part of the protocol; its design assumes that encryption is performed below the application layer. HL7v2 is commonly carried over the Minimal Lower Layer Protocol (MLLP) on a plain TCP connection, so organizations that adopt HL7 must secure the transport themselves, for example by running MLLP over mutually authenticated TLS or inside an IPsec tunnel, to prevent attackers from sniffing network traffic and extracting sensitive patient information from the HL7 communication stream.

The HL7 protocol also does not perform integrity checking on data transported between devices. Integrity checking is important because it allows administrators to verify that the data being transmitted does not change in transit. Without integrity checking, HL7 network traffic potentially could be captured and re-sent with incorrect or modified values. Falsified medical information sent from a medical device could lead to myriad issues for the patient down the line, including incorrect medical diagnoses or a false sense of security if data has been modified to make it seem that nothing is wrong.

In addition to HL7, connected medical devices can communicate using technologies such as Wi-Fi, Bluetooth, Zigbee, Z-Wave, radio-frequency identification, near-field communication, and others. These technologies allow devices to share information using application programming interfaces. They also can be used to manage devices from mobile apps or the cloud. Many connected devices, however, do not use these technologies to share sensitive information in a secure manner, including medical devices that transmit patient data or have remote control functions for administering a treatment.

The importance of risk assessments

Ultimately, an ounce of proactive prevention can help organizations successfully interact with the evolving IoMT world. By focusing on three main areas (penetration testing and red team services, security advisory, and security operations solution implementation), organizations can mitigate the risks involved with connected medical devices.

Crowe has worked with hundreds of companies across the United States and internationally to improve their cybersecurity posture through risk assessments, penetration testing, cybersecurity assessments, and the implementation of security and technology solutions. To learn more about how Crowe can help your organization, contact us today.
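The HL7v2 transport weaknesses described in the transmission risks section (no encryption, no integrity check, replayable traffic) are easier to reason about with a concrete message in hand. The following Python is an added example, not code from the article or from HL7 International: it parses a constructed ORU^R01 result message using the separators the message itself declares, shows how a captured plaintext frame can be rewritten without violating the protocol, and then layers one mitigation on top: an HMAC-SHA256 tag over the MLLP frame plus MSH-10 control-ID tracking to reject replays. The segment contents, the shared key, and the tag wrapper are all constructed for the example; in production the same properties are normally obtained by running MLLP over mutually authenticated TLS rather than by a custom wrapper.

```python
"""HL7v2 over MLLP has no confidentiality or integrity protection of its own.
Added example (not from the article): parse a constructed ORU^R01 result, show
that a captured message can be rewritten without breaking the protocol, then
layer an HMAC-SHA256 tag over the MLLP frame plus MSH-10 replay tracking on top.
The key, message, and wrapper format are the example's own constructions."""
import hashlib
import hmac

VT, FS, CR = b"\x0b", b"\x1c", b"\r"   # MLLP start-block, end-block, carriage return
TAG_LEN = 32                           # HMAC-SHA256 digest length in bytes

# Constructed sample: one blood-glucose result from a hypothetical ward monitor.
SAMPLE_HL7 = (
    "MSH|^~\\&|GLUCOMON|WARD3|EHR|HOSP|20210701120000||ORU^R01|MSG00001|P|2.5\r"
    "PID|1||123456^^^HOSP^MR||DOE^JANE||19700101|F\r"
    "OBR|1|||1558-6^Glucose^LN\r"
    "OBX|1|NM|1558-6^Glucose^LN||210|mg/dL|70-99|H|||F\r"
)

def parse_hl7(msg: str) -> dict:
    """Split an HL7v2 message into {segment_id: [[components, ...], ...]}, using
    the field separator (MSH-1) and component separator (first MSH-2 character)
    declared by the message itself, as the customizable encoding allows."""
    field_sep, component_sep = msg[3], msg[4]
    segments = {}
    for line in filter(None, msg.split("\r")):
        fields = line.split(field_sep)
        if fields[0] == "MSH":
            fields.insert(1, field_sep)      # MSH-1 is the separator character itself
        segments.setdefault(fields[0], []).append([f.split(component_sep) for f in fields])
    return segments

def observation_values(msg: str) -> list:
    """Return (identifier, value, units) for every OBX segment."""
    return [(seg[3][0], seg[5][0], seg[6][0]) for seg in parse_hl7(msg).get("OBX", [])]

def control_id(msg: str) -> str:
    """MSH-10, the message control ID a receiver can use to detect replays."""
    return parse_hl7(msg)["MSH"][0][10][0]

def tamper(msg: str, new_value: str) -> str:
    """What an on-path attacker can do to captured plaintext HL7v2: rewrite OBX-5
    and resend. Nothing in the protocol itself detects the change."""
    out = []
    for line in msg.split("\r"):
        if line.startswith("OBX|"):
            fields = line.split("|")
            fields[5] = new_value
            line = "|".join(fields)
        out.append(line)
    return "\r".join(out)

def mllp_frame(msg: str) -> bytes:
    return VT + msg.encode("ascii") + FS + CR

def mllp_unframe(frame: bytes) -> str:
    if not (frame.startswith(VT) and frame.endswith(FS + CR)):
        raise ValueError("bad MLLP framing")
    return frame[1:-2].decode("ascii")

def protect(msg: str, key: bytes) -> bytes:
    """Sender side: MLLP frame followed by an HMAC tag over the whole frame. This
    wrapper is the example's own, not part of HL7 or MLLP; in production the same
    goal is normally met by running MLLP over mutually authenticated TLS, which
    also supplies the confidentiality HL7v2 lacks."""
    frame = mllp_frame(msg)
    return frame + hmac.new(key, frame, hashlib.sha256).digest()

class Receiver:
    """Verifies the tag in constant time, then rejects any MSH-10 seen before."""
    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()

    def accept(self, wire: bytes) -> tuple:
        frame, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, frame, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return (False, "integrity check failed")
        msg = mllp_unframe(frame)
        cid = control_id(msg)
        if cid in self.seen:
            return (False, f"replay of control ID {cid}")
        self.seen.add(cid)
        return (True, msg)

if __name__ == "__main__":
    key = b"example-shared-key-not-for-production"       # constructed
    forged = tamper(SAMPLE_HL7, "95")                    # 210 mg/dL now reads as normal
    print(observation_values(SAMPLE_HL7), "->", observation_values(forged))
    rx = Receiver(key)
    wire = protect(SAMPLE_HL7, key)
    print("first delivery:", rx.accept(wire)[0])
    print("replayed frame:", rx.accept(wire))
    print("forged, tagged with a guessed key:", rx.accept(protect(forged, b"guess")))
    print("bytes altered in transit:", rx.accept(wire.replace(b"|210|", b"|95|")))
```

Running the file prints the original and forged observation values side by side, then shows the receiver accepting the first delivery and rejecting the replay, the forgery tagged with a guessed key, and the frame altered in transit. The replay check assumes the sending device really does issue unique MSH-10 values; a receiver cannot take that on faith from every device on the network, so a real deployment bounds the set of seen IDs to a time window (for example keyed on the MSH-7 timestamp) instead of letting it grow without limit.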
Learn more

Pam Hrubey, Principal, +1 317 208 1904, pam.hrubey@crowe.com

1. Julian Alvarado, "The IoT Within Us: Network-Connected Medical Devices," Software Integrity Blog, Synopsys, Sept. 14, 2018, https://www.synopsys.com/blogs/software-security/network-connected-medical-devices/
2. Kelly Rozumalski, "Working Together to Secure Our Expanding Connected Health Future," HelpNetSecurity, Oct. 6, 2020, https://www.helpnetsecurity.com/2020/10/06/working-together-to-secure-our-expanding-connected-health-future/
3. "URGENT/11 Cybersecurity Vulnerabilities in a Widely-Used Third-Party Software Component May Introduce Risks During Use of Certain Medical Devices: FDA Safety Communication," U.S. Food and Drug Administration, Oct. 1, 2019.
4. "Business Associates," U.S. Department of Health & Human Services, May 24, 2019.
5. "Covered Entities and Business Associates," U.S. Department of Health & Human Services, June 16, 2017.
6. "Risk Assessment," Information Technology Laboratory, Computer Security Resource Center, National Institute of Standards and Technology.
7. "What Is Personal Data?," European Commission.
8. Kristof Van Quathem, "Dutch Supervisory Authority Imposes GDPR Security Standard for Processing Broadly Defined Health Data," Inside Privacy, Covington, Nov. 21, 2018, https://www.insideprivacy.com/health-privacy-dutch-supervisory-authority-imposes-gdpr-security-standard-for-processing-broadly-defined-health-data/
9. "Overview of Device Regulation," U.S. Food and Drug Administration, Sept. 4, 2020.
10. "Quality System (QS) Regulation/Medical Device Good Manufacturing Practices," U.S. Food and Drug Administration, Sept. 27, 2018.
11. "Medical Device Reporting (MDR): How to Report Medical Device Problems," U.S. Food and Drug Administration, Oct. 2, 2020.
12. "HL7 Version 2 Product Suite," HL7 International, https://www.hl7.org/implement/standards/product_brief.cfm?product_id=185
13. "HL7 Version 3 Product Suite," HL7 International, https://www.hl7.org/implement/standards/product_brief.cfm?product_id=186

© 2021 Crowe LLP.