Abstract

With the increase in networked medical devices, healthcare institutions are challenged with balancing the security and integrity of the information technology (IT) network and integrating the data available from medical devices so it may be more readily available and disseminated to disparate systems. Carilion Clinic Health System—an independent delivery network (IDN) of seven hospitals and more than 200 ambulatory clinics and departments—has developed a policy and process for addressing the secure network connectivity of the medical devices in its inventory. Using a combination of industry best practices based upon Information Technology Infrastructure Library version 2 (ITILv2) and International Electrotechnical Commission (IEC) 80001 guidelines, Carilion's Technology Services Group (TSG) has interfaced more than 700 patient monitors and 200+ point-of-care medical devices to their electronic medical record (EMR), as well as networked other medical device systems and subsystems.

The increased utility and adoption of the electronic medical record (EMR) along with the improved interoperability of medical devices has created a high demand for both interfaced medical devices and remote access to clinical systems. However, this demand is counterbalanced by network security and integrity considerations as well as Health Insurance Portability and Accountability Act (HIPAA) privacy requirements.

These challenges were met at Carilion by reviewing guidelines in the draft version of the IEC 80001 standard document, which addresses risk management in medical devices, and ITILv2 documentation for IT management and service.
Analysis of this documentation led to these two initial action steps:

These early discussions with a focus group of engineers and analysts served as educational sessions, which allowed the different teams to become familiar with the challenges each has in performing its assigned duties.

One of the first tasks of this team was to establish and define a “Carilion standard,” i.e., a minimum set of parameters for a device to be able to reside on the Carilion network infrastructure. The standard? Any device that is connected to the network must be able to support and have installed the current enterprise version of antivirus software and a plan must be in place to apply appropriate patches from Microsoft.

A policy was then drafted stating that for a medical device or medical system to establish a connection to a Carilion network, it must meet the Carilion standard. An objective has been to incorporate this standard as part of any contractual language for the purchase of new equipment. This process is ongoing with draft language in review by the Carilion Contracting Group.

The second action item was to provide a detailed inventory list of all medical devices that are currently networked.
The data elements on that list included: vendor; application; hostname; public or private virtual LAN (VLAN); VLAN comments; device type (server/desktop/embedded); device operating system and service pack level; facility name; device location; Microsoft domain/workgroup name; whether the device or system is FDA regulated; vendor MS patch policies/antivirus instructions (including folders and files to be excluded from patch scanning); and hours of operation.

The medical device list was categorized into five distinct groups with an associated process to ensure the security and integrity of the network:

The project execution involved touching all inventoried networked medical devices and establishing a standard administrative account for all medical devices, which differed from the standard nonmedical device administrative account. It also involved installing (where applicable) enterprise virus protection; settings to patch from Carilion's standard enterprise WSUS (where applicable); and a standard remote-control application that uses the standard administrative account for access.

The execution phase of the project extended over six months. Staffing challenges, competing projects, finding open windows to work on devices, and lengthy discussions with some vendors accounted for the longer timeframe.

Discussions with the vendors involved requesting and implementing “nonstandard” medical device features, such as common administrative accounts using the Carilion antivirus software, and reviewing MS patching protocols.
This nonstandard approach required technical discussions with some of the vendors to identify common ground so that we work within their guidelines to accomplish the goal of meeting the Carilion network standards.

Six months after the project was closed, the project team regrouped to discuss the ongoing support of the process and did not identify any changes to the process or support model.

Carilion has a number of additional devices technically on private networks, but integration with other systems and remote access demands often result in a “gateway device” that sits on the Carilion intranet with a second network card connected to the private network. If the gateway device is compromised, the protections of a private network are negated. In addition, private network ports are clearly labeled and color coded in wiring closets, but they are not physically segmented. There is the rare possibility that a technician could inadvertently take an infected device and connect it to a private network. Carilion's response to this challenge was to use a multitiered approach so that in the event the integrity of a VLAN or private network is compromised, there would still be security measures in place to ensure the integrity of the network and device. This observation supports one of the leading motivations behind the creation of the IEC 80001 standard, which was to mitigate risks associated with connecting segregated networks.

A second observation was the frequent practice from Microsoft of upgrading the security threat on security bulletins after they are released. Carilion initially discussed only deploying critical patches to medical devices, but the shifting priorities off-cycle from the monthly release of patches from Microsoft drove the decision to deploy all security patches regardless of their initially published priority. This approach avoids the risk of missing an upgraded threat, but results in applying more patches on medical devices.
Like most large integrated delivery network systems across the country, Carilion viewed the potential of compromised and infected medical devices as a real possibility. The certainty of virus- and malware-infected devices being on the same network as a medical device made the decision to accept the risk of applying more patches than were potentially necessary an easy decision.

Results from Carilion's process improvement have been overwhelmingly positive. For the enterprise, Carilion's system analysts have been able to identify potentially infected medical devices in a matter of minutes using the device inventory. Implementing the patching and virus protection measures and improving the reliability of medical devices from the project has cut down on threat detections and assisted systems analysts in better predicting and responding to new threats.

Implementing a standard administrative account and remote-control technologies as part of the project implementation has improved daily support of Carilion's medical devices.

The primary next step to improve the process is converting the existing inventory into an online repository that can be queried and updated using a web interface that supports mobile devices and remote access. This step would improve accessibility to the database, promote prompt updates, and assist staff troubleshooting issues remotely in a more convenient method than is currently in place.

Further internal focus is needed to adjust the mindset of the organization as a whole to address and discuss medical device security and risk assessment as part of the vendor selection and purchasing process. Educating others about the IEC 80001 standard and adjusting the vendor selection and contracting process is underway.
The proposed contractual language will proactively address the network security requirements by obligating the vendors to adhere to Carilion medical device security standards.

With an established standard approach to securing medical devices, Carilion is well poised to meet the intent of the IEC 80001 guidelines. By identifying the responsible parties, performing an assessment of current status, then completing a multitiered action plan which resulted in policy and process development, Carilion was able to implement improvements in the management of medical devices and systems.

As new technologies and security threats emerge, Carilion's Technology Services Group will be able to adjust processes and policies via the cross-disciplinary medical device security team. New technology will be able to be implemented, as well as requests to increase the connectivity of existing medical systems, by adhering to the policies and procedures developed as part of this initiative.

The authors wish to express their gratitude to Jason Kirsch, Spence Robertson, Tony Koliba, and Greg Lane for sharing their technical expertise, talents and time in working through the technical and implementation challenges of this project at Carilion.
