The Veterans Affairs Department boasts one of the most integrated health IT networks in the country. Being in the vanguard means VA technologists often deal with the unknown.
Last year, VA came face to face with the security challenge posed when computerized medical devices, such as dialysis machines, radiology systems and medication dispensing systems, are fully integrated into the larger healthcare network.
Within 14 months, 122 VA medical devices had contracted viruses and malware infections. Not only were the viruses capable of impairing the operation of the medical device itself, but they also had the potential to spread into the larger network and bring down a healthcare subsystem or even an entire hospital.
To remedy the problem and guard against such a possibility, the department has been migrating plug-and-play medical equipment to virtual local area networks (VLANs) to isolate the devices from its enterprise backbone, says Roger Baker, CIO and assistant secretary for information and technology.
What accounts for this new susceptibility? Baker explains that it’s not the medical devices themselves but their classification as medical equipment that is the real culprit.
“There’s a lot of standard IT that forms the basis for the operation of many of these medical devices,” Baker says, noting that many use the Microsoft Windows operating system. “But because they have to be certified in a certain fashion and according to certain criteria, any changes to the system have to then be recertified by the vendor.”
Those changes can include antivirus software upgrades, virus patches or even the use of virus removal tools. As a result, a major time lag was introduced into the department’s security tactics.
“Unlike with the rest of our IT systems, we can’t just run a virus [check] and then decide to delete any files we find that are suspect because you can’t have complete confidence that you haven’t done something that affects the operation of the device,” Baker adds.
VA established what it calls the Medical Device Isolation Architecture (MDIA) to separate medical devices from the rest of the network using VLANs. It also relies on an access control list (ACL) for all devices so that it can tightly manage the types of messages a device’s applications can send and the ports those messages travel across. This strategy will not only keep viruses from being transmitted between the network and medical devices and vice versa, but it will also guard against devices sharing infections with one another, Baker says.
“What each device is able to communicate with the rest of the enterprise or any other medical device will be limited specifically to the information they need to do their job, so to speak,” he explains. “If a dialysis machine needed to access some other part of a medical information system, the IT folks would have to determine what ports they needed to communicate and then open that up and specify it through the ACL.”
The MDIA initiative will secure approximately 50,000 medical devices; VA expects to complete its migration of devices to VLANs by the end of the year.
VA is not the only federal healthcare organization dealing with medical device security concerns, says Dr. Theresa Cullen, CIO of the Indian Health Service. IHS, which runs an integrated health network across 400 facilities, including small hospitals and rural primary-care centers, experienced a similar gut check in 2009 when 11 medical devices within the agency network became infected with a host variant of the Conficker worm virus. The IHS tech team has been studying the issue and is preparing to implement a VLAN approach that largely mirrors VA’s strategy (though with some modifications to account for its unique mission and healthcare environment).
“This is a really important issue that everyone is going to have to deal with,” Cullen says. “Agencies like ours and VA may confront these things on a bigger scale, but it’s the same issue. As everyone embraces electronic health records and information exchange, they’re going to have to find the funding and the manpower to implement the security that’s necessary. Otherwise you run the risk that a provider is going to plug in a blood pressure cuff that could bring down a whole system because it just happens to have a virus.”
Number of viruses that VA’s Network Security Operations Center rebuffs each year
Baker points out that the Food and Drug Administration, which regulates medical devices and oversees the certification process, is acutely aware of the security issue posed by the integration of automated medical devices and is taking steps to come up with a policy solution. Even with the MDIA in place, Baker acknowledges, medical devices remain vulnerable to isolated infections if their security posture cannot be kept up through timely antivirus patches and upgrades.
“In the end, we absolutely have to have the vendors who have certified the equipment give us a positive certification that installation of a security patch will not adversely impact the installation of the equipment, and there’s no way around that,” he says. “The key to this, as with any security issue, is to be able to apply a multilayered security approach, and that’s what we’re pursuing.”