How Hospitals Can Help Improve Medical Device Data Security

To thwart cybercriminals, medical device manufacturers and hospitals must understand each other's roles and shared responsibilities in protecting health information.

Christophe Dore, Product Security Officer, Philips

February 8, 2024

4 Min Read
Healthcare professional using a tablet
Source: Yuri Arcurs via Alamy Stock Photo

COMMENTARY

Hospitals and medical device manufacturers must team up to help create a secure environment to protect the personal health information derived from patient monitors and other medical devices.

For some time, this notion of shared responsibility for data security has been recognized as a best practice within the larger technology industry. For example, many cloud service providers follow this model to define the mutual security obligations of the cloud providers and their customers.

Within healthcare, a similar model has emerged, with medical researchers, developers, and regulatory bodies agreeing that cybersecurity is, in fact, a shared responsibility. This means medical device manufacturers, hospital software providers, and health organizations must collaborate to shield patient information and medical device systems against cybercriminal activity.

Understanding Roles in Medical Device Data Security

The US FDA requires medical device manufacturers and software providers to follow a process called security by design, which maintains that certain controls must be embedded in a product to make it easier for hospitals to deploy and use them securely.

Features such as configurable encryption, secure login pages, and user authentication requirements are examples of how manufacturers integrate security capabilities into their products. These security features in the product's design often require hospitals to take action to activate them and maintain their viability.

Consider the example of product access control. Typically, a device manufacturer or software provider can implement access controls in product functionalities by verifying or authenticating the identity of a clinical user. Looking at a hospital's Active Directory service and utilizing necessary passwords and protocols can determine if the user belongs to a group the product recognizes through its configuration.

Only the healthcare organization can identify which users are authorized to access the system and configure the product appropriately. Using an inappropriate group, allowing too many users, or being lax about maintaining an up-to-date directory can open a network to unnecessary risk.

Even mobile and cloud-based applications require shared responsibility. Hospitals must ensure that browsers and mobile devices are up to date with security features enabled to optimize the manufacturer's cloud-based security controls, such as multifactor authentication.

Therefore, to facilitate secure product implementation, medical equipment manufacturers must embed security controls using proven algorithms and designs guided by the security-by-design process. At the same time, hospitals have their own share of responsibilities and activities to ensure the product is used securely.

With different products available throughout their facilities, it can be difficult for IT leaders to know how to proceed. For security measures to be successful, hospitals and manufacturers must collaborate to determine what will best meet the hospital's needs. Every hospital has processes and procedures to secure its IT infrastructure, which extend to all products within a system.

Before a hospital deploys a device, its manufacturer must be transparent about the security features that the hospital can use, as well as their expectations of the hospital environment. Hospitals, in turn, should educate themselves about those security features and determine if they meet their expectations.

How Do Hospitals Know Their Role?

Manufacturers usually make it easy for hospitals to understand how to optimize medical data security. They often provide clinical users and system administrators with information and guidelines such as the Manufacturer Disclosure Statement for Medical Device Security (MDS2), software bills of materials (SBOMs), hardening guides, and other security guidance materials.

These documents provide step-by-step blueprints for healthcare providers to follow to do their part to protect medical device data from intrusion. Recommended steps may include restricting login access to specific personnel, securing connections between systems using network segmentation and restricted ports, using trusted certificates to verify the identity of medical devices and clinical data receiving systems, and other actions specific to the hospital's network.

Manufacturers' product documentation and guides tell hospitals how to leverage a medical device or software's embedded security features for optimal use. It's important to review these guides every time a new version of a product or software is deployed because enhanced security controls may require additional measures, such as updated encryption configurations or new private keys.

It's also not uncommon for some security controls, such as systems access needs or password requirements, to degrade over time as clinical users make configuration or access changes. Use these guides regularly to control the effectiveness of the current security configuration.

Cybercriminals only need one weak spot to infiltrate a network for nefarious purposes. To thwart their activity, manufacturers and hospitals need to team up and be clear about each other's roles and shared responsibilities in an end-to-end secure data environment.

About the Author

Christophe Dore

Product Security Officer, Philips

Christophe Dore is a Product Security Officer at Philips, focusing on the products of the Capsule brand. Through a variety of roles including consultancy, sales, software development leadership and product management, he has been constantly answering to the needs of organizations in several industries in understanding and positioning themselves versus cybersecurity challenges since 1996, when he supported the development and deployment of the first web applications in the then nascent Internet as an expert for NeXT Software, a company lead by Steve Jobs

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights