Security of medical devices remains a critical question in buying decisions
Healthcare organizations looking to purchase medical devices are doing their homework and starting to ask manufacturers more questions about security than in the past, says George Gray, chief technology officer and vice president of software and information systems at Ivenix, a manufacturer of infusion pumps.
That’s a good start, according to Gray. But many potential buyers are not aware that pumps are small computers, and prospective customers should be asking the same questions they would ask when assessing any other type of information system.
They need to challenge vendor assertions that their pumps and other devices are secure by asking what types of vulnerabilities the devices have, as well as the plan and schedule for remediating them. Because pumps are small computers facing all the threats that other computers face, providers must not tolerate hedging by vendors on security answers, Gray advises.
Prospective customers should expect vendors to come clean on any current vulnerabilities and resolution plans. In particular, buyers should ask whether they can manage user access, roles, credentials and permissions on a device, which gives the customer more control over security. They should also ask whether the vendor contracts with ethical hackers to assess vulnerabilities while its products are being built; the hired help will find vulnerabilities the vendor never knew about, Gray asserts.
Vendors may say their pumps can’t be hacked because they run a proprietary operating system rather than Linux or Windows. However, Gray says the pumps remain vulnerable: whatever operating system is running, the device can still be hit by a denial of service attack, in which requests (pings, or messages asking the device to respond) arrive faster than the device can handle them, and keep coming until it is overwhelmed. “A proprietary operating system can be hacked as easily as any other operating system,” he adds.
In addition, vendors should be asked whether they can ensure that patient data is locked down and encrypted both in transit (when sent as a message) and at rest (when stored). Gray recommends asking what the vendor will do the day it is hacked, and asking it to explain the resources it has to identify and fix problems and the processes it has to get the fix out to customers quickly. Further, he advises asking whether the vendor can push software updates to customers as often as daily, just as Microsoft can.
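The flood described above does not depend on the operating system: a device that accepts messages faster than it can service them will drop work, including legitimate work, once its inbound queue is full. The simulation below is an added example, not code from Ivenix or from the article. It models a hypothetical device with an assumed queue depth and service rate, floods it from one source while a second source (labelled "nurse-station", a constructed name) sends one message per tick, and compares the outcome with and without a per-source token-bucket limiter. All sizes, rates and source names are assumptions chosen for illustration.

```python
from collections import deque

QUEUE_CAPACITY = 8      # assumed depth of the device's inbound message queue
SERVICE_PER_TICK = 2    # assumed messages the device can process per tick


class TokenBucket:
    """Per-source limiter: up to `burst` tokens, `rate` refilled each tick."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens = rate, burst, burst

    def allow(self):
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

    def refill(self):
        self.tokens = min(self.burst, self.tokens + self.rate)


class Device:
    """Toy networked device: a bounded FIFO queue drained at a fixed rate."""

    def __init__(self, per_source_limit=None):
        self.queue = deque()
        self.per_source_limit = per_source_limit   # (rate, burst) or None
        self.buckets = {}
        self.served = {}      # source -> messages processed
        self.rejected = {}    # source -> messages refused by the limiter
        self.overflow = {}    # source -> messages lost because the queue was full

    def receive(self, src):
        if self.per_source_limit is not None:
            bucket = self.buckets.setdefault(src, TokenBucket(*self.per_source_limit))
            if not bucket.allow():
                self.rejected[src] = self.rejected.get(src, 0) + 1
                return
        if len(self.queue) >= QUEUE_CAPACITY:
            # Queue full: the message is lost regardless of who sent it.
            self.overflow[src] = self.overflow.get(src, 0) + 1
            return
        self.queue.append(src)

    def tick(self):
        for _ in range(SERVICE_PER_TICK):
            if self.queue:
                src = self.queue.popleft()
                self.served[src] = self.served.get(src, 0) + 1
        for bucket in self.buckets.values():
            bucket.refill()


def simulate(per_source_limit=None, ticks=20, flood_per_tick=50):
    """Constructed traffic: one flooding source plus one legitimate source."""
    dev = Device(per_source_limit)
    for _ in range(ticks):
        for _ in range(flood_per_tick):
            dev.receive("attacker")
        dev.receive("nurse-station")   # one legitimate message per tick
        dev.tick()
    return {
        "nurse_served": dev.served.get("nurse-station", 0),
        "nurse_lost": dev.overflow.get("nurse-station", 0),
        "attacker_served": dev.served.get("attacker", 0),
        "attacker_rejected": dev.rejected.get("attacker", 0),
    }


if __name__ == "__main__":
    print("no limiter :", simulate())
    print("limiter    :", simulate(per_source_limit=(1, 2)))
```

Without the limiter every legitimate message is lost because the flood keeps the queue full; with a limiter of one message per tick per source, the legitimate source is served on every tick after the first. The limiter is only a partial answer: an attacker who spoofs or rotates source addresses gets a fresh bucket each time, so a device also needs an upstream defence (network segmentation, the private network the article mentions, or a gateway that limits aggregate rate), which is exactly why the vendor's answer on this point matters more than the choice of operating system.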
“At this stage of the game it’s important to have a straight talk and lay cards on the table,” Gray advises.
He observes that customers often arrive with a series of questions ready, while vendors may be more focused on answering those questions in a way that protects their sales position with the customer. That can turn into a heated discussion, with the customer starting to distrust the vendor.
If a vendor’s current product is not as up to speed on security as it should be, the vendor should be candid with the customer and also offer some options, such as falling back on a private network until the new product comes out, Gray adds.