12 security questions to ask about medical devices
Key factors help thwart hackers from getting patient information or access to networks.
12 security questions to ask medical device manufacturers about their products
Healthcare providers know medical devices can pose a weak link in their data networks. Most organizations have hundreds of devices, some of which have limited security protection to hacking, which could put protected health information at risk.
A feature story in the May issue of Health Data Management examines how providers are confronting the cybercrime war on medical devices. John Fowler, deputy information security officer at Henry Ford Health System in metro Detroit, offers questions that providers should ask before signing the contract.
1. Security patches
Can anti-virus/malware and security patch updates be applied to the medical device as soon as they become available?
2. Logoffs
Does the medical device auto-logoff screen lock the user after a period of inactivity?
3. Audit trails
Can the medical device create an audit trail? If so, can it list the events that are logged, such as logons, transactions, transmissions and file name access?
4. Access control
Can the medical device offer access to unauthorized users through user login requirements or another mechanism? Require a description of the configurations available for access control.
5. Communication ports
Are all communication ports that are not required for the intended use of the medical device closed/disabled?
6. Encryption
Is private data encrypted in transmission via a network, or does the medical device encrypt private data at rest? Ask for a detailed explanation about the encryption approach of the device.
7. User ID and passwords
Does the medical device support unique user/operator-specific IDs and password(s) for multiple users?
8. Data storage
Does the medical device store sensitive data in a system cache, registers, main memory or secondary storage after a user session is terminated?
9. Account lock outs
Is an account automatically locked out after a set amount of attempts?
10. Identification/authentication
Does the medical device use managed AD/LDAP services for identification and authentication? If not, require a manufacturer to detail user identification and authentication.
11. Data communication
Is there documentation on what information is communicated with the medical device, how it is transferred and how the data is secured?
12. Network management
Does the medical device use SNMP? Is it configured to use Version 3.0 with encryption, or is it disabled?