People who are under medical care are often at their most vulnerable. The equipment used to monitor, medicate, diagnose, and treat them can’t be.
In the past, medical device security focused on the endpoint—the device itself. But Tony Magallanez, senior systems engineer for McAfee’s embedded sales group, explains that the days of focusing solely on device-level security are over; today’s medical devices need to be at the center of a web of security with multiple layers. “We advocate that concept because it lets you understand what’s happening on the device, and also what’s going on around the device,” Magallanez says. “It’s important because as threats proliferate through the network that surrounds these systems, they become more vulnerable.”
These connected devices may include monitoring equipment within hospitals or in patients’ homes; bedside (wired) or implanted (wireless) infusion pumps that deliver medication; networked radiology and surgical equipment; nurses’ stations, charting devices, and administrative systems; and telemedicine equipment that brings medical care to remote areas of the world. Entire networks that manage vital data and instructions are associated with these devices.
McAfee looks at the vulnerability aspects of everything the network implies, including the device’s physical security, data protection, and encryption as well as the behavior of the people using it, to make sure that the device and the network that surrounds it are secure. This level of security requires a layered approach that blankets the entire network.
Security in layers
While personal health information can be accessed through sophisticated malware, low-tech risks, such as employees who accidentally or deliberately provide access, are just as dangerous. Securing personal health information to meet HIPAA and other requirements demands access control in situations where the device can be vulnerable. That’s especially important with the proliferation of easily accessed (and misplaced) mobile devices, including laptops, tablets, and smartphones. Security also relates to monitoring network traffic, including the sites that employees access on the Internet. Even legitimate sites can be compromised, which can then compromise sensitive data within the healthcare network.
Both the network and individual devices need to be monitored, maintained, and controlled, ideally using automated, 24/7 processes that don’t require the cost and inefficiency of onsite human intervention. McAfee’s Magallanez says, “We’re finding in the hospital space that margins are thinner and thinner, and administrators are trying to be as efficient as possible. Operating costs can be overwhelming.” Even “green” initiatives that are designed to reduce carbon footprint and make operations more energy-efficient can have security implications. For instance, if a threat is identified on a number of devices on the network, but other devices are powered off, historically there wasn’t a way to identify whether the threat had spread without sending technicians to power up, analyze, and patch those devices onsite.
Now administrators can use McAfee’s ePolicy Orchestrator (ePO) Deep Command. The ePO centralized console shows the network administrator where a security threat manifested and the scope of the problem, and defines resources to mitigate the threat. Deep Command uses the Intel® vPro™ Active Management Technology (AMT) to allow secure remote access, even if the device isn’t powered on, which allows the administrator to remotely patch and reboot even large numbers of infected devices. Deep Command can remotely power systems on, apply security and other maintenance protocols, and power the system back down to ensure safe operation when workers return. This eliminates the need to police employee compliance with security patch instructions, and can work around the 24/7 schedule of healthcare environments.
Balance security and performance in medical devices
The ongoing compromise for device developers is how to balance security and performance requirements. McAfee has successfully deployed new technologies to help developers mitigate risk while optimizing performance. McAfee Embedded Control provides application whitelisting that blocks unauthorized applications and changes on fixed-function devices with very little performance overhead. If the application is attacked or changed, the software locks down the system so the virus is intercepted and terminated before it can run. This provides a high level of security and peace of mind for both the hospital administrator and the device manufacturer. Because stringent safety certifications (such as the FDA’s) restrict changes to certified systems, a change can require the equipment to be sent back to the manufacturer to be reimaged, resulting in service costs as well as loss of revenue while the system is out of use.
Device developers can also take advantage of the Intel® AES New Instructions (Intel® AES-NI) encryption instruction set that accelerates the encryption of data in the Intel® Xeon® processor family and the 3rd-generation Intel® Core™ processor family. Encryption technology historically required the operating system to handle encryption algorithms, which can slow performance. McAfee integrates with Intel AES-NI to offload the encryption engine to the CPU, with no reduction in performance and with full FIPS 140-2 certification.
Medical Device Innovation, Safety and Security (MDISS) Consortium
Looking ahead, Intel and McAfee, along with leading service care providers, device manufacturers, IT providers, research organizations, and others, are active in working groups of the Medical Device Innovation, Safety and Security (MDISS) Consortium. MDISS is focused on optimizing the relationship between the quality of healthcare and the process of assessing and ensuring that devices and systems are secure and functioning safely and appropriately. While MDISS is not a standards organization, its goals include the development of security best practices for safe, secure medical devices and associated networks.
McAfee is an Associate member of the Intel® Intelligent Systems Alliance.
Roving Reporter (Intel Contractor), Intel® Intelligent Systems Alliance
Freelance technology writer and editor