Medical Devices – New Focal Point of OIG Audits

Health care providers—and patients—enjoy the benefits of an ever-improving medical device industry. These devices—dialysis machines, monitors, radiology systems, medication dispensing systems and others—provide invaluable services and information for patient care and treatment. Integration of these devices with health care information systems was the next logical step for device manufacturers, caregivers and software developers.

However, this integration capability creates another security concern for patient safety and the protection of electronic patient health information. Devices communicating over wired or wireless IP networks become susceptible to malware and hackers. To further complicate matters, device manufacturers and the U.S. Food & Drug Administration typically have restrictions on modifying these devices, which includes patching the operating system (OS) running the device. Some devices have proprietary operating systems for which OS-level patching isn’t possible.

Concern about medical device security is not new. However, for the first time, the Office of Inspector General (OIG) will include security controls regarding medical devices in FY2014 audits.

Multilayered security measures are the cornerstone of any health care organization’s IT security posture. Firewalls, network segmentation, user training, intrusion prevention systems, spam filters, antivirus solutions and OS hardening and patching are common tools of the trade. But with most medical devices, one of the key layers—OS hardening and patching—often is out of the hands of IT administrators. Here are some areas to consider for enhancing the security posture around these devices:

  • Consider available Data Loss Prevention solutions (inspecting all outbound data for protected information and verifying that the destination it is being sent to is legitimate)
  • Maintain accurate inventories of devices and detailed network segmentation and network monitoring of these segments
  • Review third-party management controls with device manufacturers and obtain security documentation from these entities
  • Consider strong network access control systems, ensuring only known devices have access to the network
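
As an added illustration of the inventory, segmentation and monitoring items above (this is not code from the original post or from BKD), the following Python review flags devices seen on a medical-device network segment that are missing from the inventory, devices whose address disagrees with the inventory, and device traffic to destinations outside an allowed set. The inventory, addresses, segment and flow records are constructed sample data.

```python
import ipaddress

# Constructed sample inventory of devices expected on the medical-device segment.
# Keys are MAC addresses; values are the device name and the IP it should be using.
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("dialysis-01", "10.50.1.11"),
    "00:1a:2b:3c:4d:02": ("infusion-pump-07", "10.50.1.12"),
    "00:1a:2b:3c:4d:03": ("pacs-gateway", "10.50.1.20"),
}
DEVICE_SEGMENT = ipaddress.ip_network("10.50.1.0/24")  # constructed segment

# Destinations the segment is allowed to reach (constructed): clinical app servers and NTP/DNS.
ALLOWED_DESTINATIONS = [
    ipaddress.ip_network("10.10.5.0/24"),
    ipaddress.ip_network("10.10.9.53/32"),
]

# Constructed flow records exported from the segment, one per line: mac,src_ip,dst_ip,dst_port
SAMPLE_FLOWS = """\
00:1a:2b:3c:4d:01,10.50.1.11,10.10.5.40,2575
00:1a:2b:3c:4d:02,10.50.1.12,10.10.9.53,123
00:1a:2b:3c:4d:02,10.50.1.12,198.51.100.23,443
00:1a:2b:3c:4d:99,10.50.1.77,10.10.5.40,2575
00:1a:2b:3c:4d:03,10.50.1.21,10.10.5.40,104
"""


def review_flows(flows: str):
    """Return (severity, message) findings for traffic sourced from the device segment."""
    findings = []
    for line in flows.strip().splitlines():
        mac, src, dst, port = line.split(",")
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in DEVICE_SEGMENT:
            continue  # only the medical-device segment is reviewed here
        entry = INVENTORY.get(mac)
        if entry is None:
            # A device the inventory does not know about is talking on the segment.
            findings.append(("high", f"unknown device {mac} at {src} on the device segment"))
            continue
        name, expected_ip = entry
        if src != expected_ip:
            findings.append(("medium", f"{name} ({mac}) seen at {src}, inventory says {expected_ip}"))
        if not any(dst_ip in net for net in ALLOWED_DESTINATIONS):
            findings.append(("high", f"{name} sent traffic to {dst}:{port} outside the allowed destinations"))
    return findings


if __name__ == "__main__":
    for severity, message in review_flows(SAMPLE_FLOWS):
        print(severity, message)
```

The same check can be fed from switch or firewall flow exports in place of the constructed records, with the inventory kept as the single source of truth for which devices belong on the segment.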

For more information, contact your BKD advisor.


Rod Walsh

Rod provides leadership for BKD’s SSAE 16 efforts. He has more than 30 years of experience and provides services in security and risk management, SSAE 16 examinations and readiness engagements, information technology (IT) control reviews, Health Insurance Portability and Accountability Act of 1996 (HIPAA) program assessments and system selection and acquisition consulting. He speaks regionally and nationally on IT management, security, IT governance and HIPAA compliance.

