Aug 10 2010

Quarantining Infection in the Country's Most Advanced, Integrated Health IT Network

The VA discovers a new threat to its network — medical devices — and a cure.

The Department of Veterans Affairs boasts what is likely the most advanced, integrated health IT network in the country, but in leading the way into new territory, this federal healthcare provider must deal with a lot of unknowns.

Last year, the VA came face to face with the security challenge posed when computerized medical devices, such as dialysis machines, radiology systems and medication dispensing systems, are fully integrated into the larger healthcare network.

Within 14 months, 122 VA medical devices had contracted viruses and malware infections. Not only were the viruses capable of impairing the operation of the medical device itself, but also — and perhaps more worrisome — they could have spread into the larger network, potentially bringing down a healthcare subsystem or even an entire hospital.

To remedy the problem and guard against the spread of infection, the VA is using virtual local area networks (VLANs) to isolate medical devices from the larger network, says Roger Baker, CIO and assistant secretary for information and technology.

Photo: James Kegley
The Department of Veterans Affairs shores up security by separating some 50,000 medical devices from the rest of the network, says CIO and assistant secretary for information and technology Roger Baker.

Medical Machinery

What accounts for this new susceptibility? Baker explains that it’s not the medical devices themselves but their classification as medical equipment that is the real culprit.

“There’s a lot of standard IT that forms the basis for the operation of many of these medical devices,” Baker says, noting that often includes use of the Microsoft Windows operating system. “But because they have to be certified in a certain fashion and according to certain criteria, any changes to the system have to then be recertified by the vendor.”

Those changes include antivirus signature and engine updates, operating-system security patches, and even the one-off use of a virus removal tool. As a result, the agency's security response on these devices lags well behind the rest of its network.

“Unlike with the rest of our IT systems, we can’t just run a virus [check] and then decide to delete any files we find that are suspect,” Baker continues. “And that’s because you can’t have complete confidence that you haven’t done something that affects the operation of the device.”

Isolation Theory

The VA’s Medical Device Isolation Architecture (MDIA) places medical devices on their own VLANs, separate from the rest of the network, and governs traffic into and out of those VLANs with an access control list (ACL) that permits only the specific destinations and ports each application needs; anything not explicitly listed is blocked. The strategy is intended to stop malware crossing in either direction between the enterprise network and the medical devices, and also to stop it spreading from one device to another.

“What each device is able to communicate with the rest of the enterprise or any other medical device will be limited specifically to the information they need to do their job, so to speak,” Baker explains. “If a dialysis machine needed to access some other part of a medical information system, the IT folks would have to determine what ports they needed to communicate and then open that up and specify it through the ACL.”
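The following is an added illustration of the isolation rule Baker describes, not VA code or configuration. It models a default-deny ACL in front of a device VLAN, evaluates it against a constructed set of flow records (the kind a switch exports), and renders the equivalent Cisco-style extended ACL lines. The addresses, the VLAN ranges, the "results server" and the port number 2575 are all assumptions made for the example; a real deployment would take them from the vendor's interface documentation.

```python
"""Default-deny ACL model for an isolated medical-device VLAN.

Added illustration, not VA code. Addresses, VLAN ranges and the
port number are constructed assumptions for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str    # why this hole exists, e.g. the clinical function it serves
    src: str     # CIDR of the device VLAN
    dst: str     # CIDR of the one server the device needs to reach
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


class DeviceVlanAcl:
    """Permit only what is listed; everything else, including traffic
    between two devices on the same VLAN, falls through to the implicit deny."""

    def __init__(self, rules):
        self._rules = [(r, ip_network(r.src), ip_network(r.dst)) for r in rules]

    def add_rule(self, rule):
        # The "open that up and specify it through the ACL" step:
        # a new clinical need becomes one explicit permit, nothing broader.
        self._rules.append((rule, ip_network(rule.src), ip_network(rule.dst)))

    def evaluate(self, flow):
        """Return ("permit", rule name) for a listed flow, else ("deny", reason)."""
        src, dst = ip_address(flow.src), ip_address(flow.dst)
        for rule, snet, dnet in self._rules:
            if (src in snet and dst in dnet
                    and rule.proto == flow.proto and rule.dport == flow.dport):
                return "permit", rule.name
        return "deny", "implicit deny"

    def render_cisco_style(self):
        """Render the same policy as IOS-style extended ACL lines."""
        lines = [f"permit {r.proto} {_acl_addr(s)} {_acl_addr(d)} eq {r.dport}"
                 for r, s, d in self._rules]
        lines.append("deny ip any any log")   # log the denies: they are the alarm
        return lines


def _acl_addr(net):
    # Cisco ACLs write a /32 as "host x" and other prefixes with a wildcard mask.
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


# Constructed topology (assumption): dialysis machines on VLAN 10.20.0.0/24,
# a clinical results server at 10.50.0.10, general enterprise LAN 10.30.0.0/16.
DIALYSIS_ACL = DeviceVlanAcl([
    Rule("dialysis-to-results-server", "10.20.0.0/24", "10.50.0.10/32", "tcp", 2575),
])

# Constructed flow records; only the first is legitimate clinical traffic.
SAMPLE_FLOWS = [
    Flow("10.20.0.5", "10.50.0.10", "tcp", 2575),  # needed clinical traffic
    Flow("10.20.0.5", "10.20.0.6", "tcp", 445),    # device to device, worm-style
    Flow("10.20.0.5", "10.30.0.20", "tcp", 445),   # device to an enterprise file share
    Flow("10.30.0.50", "10.20.0.5", "tcp", 3389),  # workstation reaching into the VLAN
    Flow("10.20.0.5", "10.50.0.10", "tcp", 22),    # right server, unapproved port
]


def audit(acl, flows):
    """Return (flow, verdict, reason) per flow so denied attempts can be reviewed."""
    return [(f, *acl.evaluate(f)) for f in flows]


if __name__ == "__main__":
    for flow, verdict, reason in audit(DIALYSIS_ACL, SAMPLE_FLOWS):
        print(f"{verdict:6} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport} ({reason})")
    print("\n".join(DIALYSIS_ACL.render_cisco_style()))
```

Two points a practitioner would want alongside this. First, a VLAN ACL sees addresses, protocols and ports, not the content of the messages; controlling what an application may say over an approved port is an application-layer job, so the ACL limits the blast radius rather than removing the vulnerability, which is the same caveat Baker raises about unpatched devices. Second, the deny line is worth logging: a device that suddenly starts hitting it on ports it never used before is the earliest sign that the isolation is doing its job against an infection inside the segment.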

The MDIA initiative, says Baker, who testified before Congress about this issue last spring, will secure approximately 50,000 medical devices and is scheduled to be completed by the end of 2010.

The VA may be the most high profile, but it’s not the only healthcare organization dealing with medical device security concerns, and it certainly won’t be the last, according to Dr. Theresa Cullen, CIO of the Indian Health Service.

1.7 million

Number of viruses the VA’s Network Security Operations Center prevents from infecting the VA network each year

Her organization, which runs an integrated health network across 400 sites, including small hospitals and rural primary-care facilities, confronted the same vulnerability in 2009 when 11 medical devices on the IHS network were infected with a variant of the Conficker worm. Her agency has been studying the issue and is now preparing to implement a VLAN-based solution that largely mirrors the VA’s strategy, with some modification to account for its own mission and healthcare environment.

“This is a really important issue that everyone is going to have to deal with,” Cullen says. “Agencies like ours and the VA may confront these things on a bigger scale, but it’s the same issue and as everyone embraces electronic health records and information exchange, they’re going to have to find the funding and the manpower to implement the security that’s necessary. Otherwise you run the risk that a provider is going to plug in a blood pressure cuff that could bring down a whole system because it just happens to have a virus.”

Baker notes that the Food and Drug Administration, which regulates medical devices and oversees the certification process, is acutely aware of the security issue posed by the integration of automated medical devices and is taking steps to come up with a policy solution. Even with the MDIA in place, Baker admits, a medical device remains vulnerable to infection within its own segment if its antivirus updates and security patches cannot be kept current; isolation limits how far an infection can spread, but it does not remove the underlying weakness.

“In the end, we absolutely have to have the vendors who have certified the equipment give us a positive certification that installation of a security patch will not adversely impact the installation of the equipment, and there’s no way around that,” Baker says. “The key to this, as with any security issue, is to be able to apply a multilayered security approach, and that’s what we’re pursuing.”