Cybersecurity for Medical Devices, presented at the MedSun Audioconference by Catherine Sprague


1 Cybersecurity for Medical Devices
Presented at the MedSun Audioconference by Catherine Sprague, Senior Business Analyst, UHC
April 12, 2005
© 2005 University HealthSystem Consortium

2 Who is the University HealthSystem Consortium?
The University HealthSystem Consortium (UHC), formed in 1984, is an alliance of academic health centers situated mainly in the United States. As a membership organization, UHC provides its 90 full members and 123 associate members with a variety of helpful resources aimed at improving performance levels in clinical, operational, and financial areas.
The mission of the University HealthSystem Consortium is to advance knowledge, foster collaboration, and promote change to help members succeed in their respective markets.

3 Background
• Early in 2004, the UHC CIO Steering Committee asked UHC to investigate the issue of medical device security and suggest ideas to mitigate the problem.
• The UHC Medical Device Security Team:
  - Pete Giordano, MCSA/MCSE - Security, CISSP, Senior Security Analyst
  - Catherine Sprague, Senior Business Analyst
  - Doug Surch, PMP, CISSP, Director, Project Management Office

4 Background
• Interviews with:
  - Medical device vendors/manufacturers
  - Government Agencies
  - Industry Groups
  - Members, members, and more members!
Lots of research, culminating in a… White Paper published in January 2005, available at: http://public.uhc.edu/uhcmail/Push_Emails/MedicalDeviceWhitePaper.pdf

5 The Problem
• Medical device security is a significant issue for healthcare organizations.
• The problems are related to the complex and sensitive nature of the devices.
• Security solutions are often invasive, requiring patches or updates to the device software and/or OS.
Not the FDA!
Must usually be applied by the manufacturer!
There is often a disconnect between the manufacturers and providers as to what “secure” actually means, as well as the length of time that is acceptable for a medical device to be exposed to risk before a patch can be applied!

6 The Solution must:
• Accommodate the providers’ need, timing, and sense of urgency;
• Accommodate the vendors’ time and resource constraints;
• Fix an identified vulnerability or provide an extra measure of protection for the device and/or network, without compromising the performance and/or integrity of the device.

7 Short Term Solutions: FDA/MedSun Reporting
• The FDA encourages health care organizations to report any and all problems.
• There is a notable lack of formal reporting on the part of the providers.
• Without formal evidence, the FDA is limited in its ability to act.
• This is something that providers can and should start doing immediately!

8 Short Term Solutions: Incident Response
An effective incident management plan can:
1. Minimize the damage from a security event.
2. Provide important lessons for improving security.
Incident response plans must:
1. Include network medical devices.
2. Provide feedback to regulatory agencies and device manufacturers.

9 Short Term Solutions: Risk Management
• Requires a vigilant methodology
• A multi-disciplinary team to:
  1. Monitor organization’s network/exposure.
  2. Monitor security bulletins (e.g. CERT).
• Also applies to the device:
  1. Easier to prioritize where extra controls are needed.
  2. Helps make the case for extra funds to protect the network.

10 Medium Term Solutions: Standard Assessment
• A common set of questions used to assess security components:
  1. Can be used by provider to understand risk.
  2. Can be a qualifier when choosing between otherwise comparable devices.
• Examples:
  1. MDS2: http://www.himss.org/content/files/MDS2FormInstructions.pdf (2000 downloads since it was posted!)
  2. NCHICA: http://www.nchica.org/HIPAAResources/Samples/VendorSecurityMatrix.doc

11 Long Term Solutions: Device Design
• Security components should be an integral part of the device.
  1. Installed and supported by the manufacturer; the responsibility is clearer.
  2. Strongly supported by UHC members.
• Drawbacks:
  1. Defining the “best” security strategy and software.
  2. Security components must not impact the function of the multiple devices.
  3. These even more complex devices must be compatible with multiple organizations' enterprise layered defense strategies.
  4. The length of time to develop a medical device is 5 to 7 years.

12 Long Term Solutions: Industry Groups
HIMSS has formed a Medical Device Security Workgroup:
1. Identify both the security issues associated with medical devices and systems and the best practices available to address those issues.
2. Evaluate the issues of security threats and vulnerabilities that affect medical devices, the provider’s and the equipment manufacturer's responses and responsibilities, and the legal and regulatory framework in which these issues must be addressed.
3. Coordinate with similar groups and committees to capitalize on existing efforts and realize the economies of collaboration.
4. Prepare and endorse white papers, guidance documents, comments, and recommendations on medical device security issues and practices for addressing those issues.
5. Educate HIMSS membership and the industry on the implications of medical device security through publications, tools, resources, and educational programs.

13 Long Term Solutions: Industry Groups
• North Carolina Healthcare Information and Communications Alliance, Inc. (NCHICA):
  1. A nonprofit consortium of more than 250 organizations dedicated to improving health care by accelerating the adoption of information technology.
  2. Developed the NCHICA Vendor RFP Template.
There is strength in numbers! Industry groups, such as HIMSS and NCHICA, can wield great influence.

14 Conclusion
• There are a variety of approaches to medical device security.
• No single solution stands out over the others and all have merit.
• As long as there are computers, there is a potential for compromise and a combination of approaches is necessary.
• Providers NEED to protect their environments, however …
Vendors and Providers need to work together to define a common approach and resolution to the issue of medical device security!

15 For more information, contact:
Peter Giordano, giordano@uhc.edu, (630) 954-2448
Cathy Sprague, sprague@uhc.edu, (630) 954-1703
Doug Surch, surch@uhc.edu, (630) 954-6725

16 Questions? Thank You!

