IT security for medical devices a problem, officials say

Medical devices on the VA's networks make it difficult to ensure data security, two senior officials told a federal health IT panel.

The Veterans Affairs Department has problems fully protecting its networks while also maintaining network links with proprietary medical devices, according to senior VA officials.

The medical products and devices, including monitors and sensors, are regulated by the Food and Drug Administration. Their design and operation cannot be modified by the end user.

Network engineers are often blocked from using network security tools on the medical devices, Roger Baker, VA's chief information officer, and Steph Warren, the department's principal deputy assistant secretary for the Office of Information and Technology, said in a statement issued at a federal health IT panel meeting Nov. 19.

The problem stems from the “inability to enforce enterprise security policies” on the devices, the VA officials said. For example, the medical devices “can restrict the application of operating system patches and malware protection updates,” according to the statement.

To cope with the problem, the VA is currently implementing a Medical Device Isolation Architecture that uses firewalls to allow the medical devices to communicate while also maintaining network security practices. The VA’s Health Information Security Division and Veterans Health Administration’s Biomedical Engineering unit are segregating the medical equipment on virtual local area networks.

However, the solution isn't perfect. “VA faces challenges when facilities do not keep this separation of duties,” according to the statement. For example, the VA recently discovered that a medical device was compromised and needed to be isolated, cleaned, and recertified.

The VA has published an isolation architecture guideline with a six-step process for identifying, grouping and migrating networked medical devices to a LAN.
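The isolation architecture described above comes down to a default-deny policy between a medical-device VLAN and the rest of the network, with a short allow list for the flows a device is certified to make. The following is an added illustration, not VA code: a small policy checker that models such an allow list and audits constructed flow records for anything that would be blocked, including the kind of unexpected traffic (device-to-device, device-to-Internet) that signals a compromised device needing isolation. The VLAN ranges, ports and flow records are all assumed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the example, not the VA's real network plan.
MEDICAL_VLAN = ip_network("10.20.0.0/24")   # unpatchable, FDA-regulated devices
CLINICAL_VLAN = ip_network("10.30.0.0/24")  # EHR interface engine, NTP, monitoring
BIOMED_VLAN = ip_network("10.40.0.0/24")    # biomedical engineering workstations

# Allow list: (source net, destination net, protocol, destination port).
# Anything not listed is denied, so a device that cannot be patched can only
# reach the specific clinical services it was certified to communicate with.
# Ports are assumptions for the example (2575 is the HL7 MLLP results feed).
ALLOW_RULES = [
    (MEDICAL_VLAN, CLINICAL_VLAN, "tcp", 2575),  # results to the interface engine
    (MEDICAL_VLAN, CLINICAL_VLAN, "udp", 123),   # time sync to clinical NTP
    (BIOMED_VLAN, MEDICAL_VLAN, "tcp", 443),     # biomed management into the VLAN
]


def is_allowed(src, dst, proto, dport):
    """Stateless check of an initiating flow against the allow list.
    Reply traffic is assumed to be handled by the firewall's state table."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, p, port in ALLOW_RULES:
        if s in src_net and d in dst_net and proto == p and dport == port:
            return True
    return False  # default deny: device-to-device, device-to-Internet, etc.


def audit_flows(flow_lines):
    """Return the (src, dst, proto, dport) tuples the isolation policy blocks.
    Each line is a constructed flow record: '<src> <dst> <proto> <dport>'."""
    blocked = []
    for line in flow_lines:
        src, dst, proto, dport = line.split()
        if not is_allowed(src, dst, proto, int(dport)):
            blocked.append((src, dst, proto, int(dport)))
    return blocked


# Constructed sample flows: three certified flows, then three that the
# segmentation should stop and that are worth alerting on.
SAMPLE_FLOWS = [
    "10.20.0.15 10.30.0.5 tcp 2575",    # monitor sending results to the EHR
    "10.20.0.15 10.30.0.9 udp 123",     # monitor syncing time
    "10.40.0.7 10.20.0.15 tcp 443",     # biomed engineer managing the device
    "10.20.0.15 10.20.0.16 tcp 445",    # device probing a neighbouring device
    "10.20.0.15 203.0.113.10 tcp 80",   # device reaching out to the Internet
    "10.30.0.5 10.20.0.15 tcp 22",      # clinical host initiating into the VLAN
]

if __name__ == "__main__":
    for flow in audit_flows(SAMPLE_FLOWS):
        print("BLOCKED:", *flow)
```

Feeding real flow logs to `audit_flows` turns the same allow list into a detection check: a device that suddenly produces blocked flows is the case the statement describes, one that must be isolated, cleaned and recertified.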

Another information security concern is that VistA, the VA’s electronic health record (EHR) system, currently is operating at near capacity, according to the VA officials.

“The agency has faced challenges in building data centers using VistA because it was not designed for the capacity for which we currently use it,” Baker and Warren said in the statement. “For example, VistA was never designed to provide seamless support for large-scale disasters such as Hurricane Katrina. VA staff constantly needs to modify back-up systems and applications, as well as send data feeds to remote rehost sites, to ensure uninterrupted data availability.”

The VA also is trying to meet bandwidth demands that have been increasing from the growth of virtualization and cloud computing.

“The amount of bandwidth needed by security products and tools to communicate with management consoles and [security management systems] across the network is also a concern. Log retention, network scanning, and real-time monitoring systems all need increasing amounts of bandwidth, which could ultimately affect network performance and safety of live IT resources,” Baker and Warren said.

The Health IT Standards Committee is considering IT security issues as it prepares recommendations for standards for EHRs. It will issue advice to the Health and Human Services Department’s Office of the National Coordinator for Health IT.

HHS, at year’s end, is expected to issue rulemaking for certification and meaningful use of electronic health records. The department is distributing $19 billion in economic stimulus law payments to doctors and hospitals that buy and meaningfully use such records for their patients.