Adventist Health System CISO: Cut med device security red tape

Federal regulators should set some "minimal necessary" security protections for medical devices, but too much regulation could hamper vendors' efforts to improve them, according to Sharon Finney, chief information security officer at Adventist Health System.

In an interview at HealthcareInfoSecurity, Finney related some of the security practices at Adventist, a 44-hospital system based in Altamonte Springs, Fla. While Adventist treats medical devices the same as any other system that connects to its network, she said, its security precautions begin in the procurement process.

"We actually analyze each system as it comes through our door," Finney said. "We have a formalized security questionnaire that we ask of the vendors to complete. … Then we have certain standards that we like for the vendors to be able to adhere to when they're going to be placing [devices] on our network. When they can't adhere to those standards for [what] could be any number of reasons, then we have a set of established ... compensating controls that we try to put around these various systems."

The system also works closely with manufacturers to spell out who will apply patches and how often. And the particular departments using the devices are part of its access-control plan, "because nobody knows better when users are going to come on and when they're going to come off more so than the department that's actually running the software," Finney told HealthcareInfoSecurity.

The U.S. Food and Drug Administration approval process is long and complex for vendors, but companies are increasingly building security into their products, Finney said. She urged vendors to engage their user community more closely and gather feedback, so that a product's security capabilities match the way the people using it actually work.

Mobile devices in particular are a major security worry for healthcare organizations--too many healthcare breach stories involve a laptop that was lost or stolen. But malware on hospital equipment poses another problem. Beth Israel Deaconess Medical Center in Boston, for instance, has reported fetal monitors used for women with high-risk pregnancies being slowed by malware to the point of becoming inoperable.

Beth Israel CIO John Halamka, a member of FierceHealthIT's Editorial Advisory Board, has written that a written hospital policy alone is not enough to protect patient data on mobile devices; the controls have to be enforced on the device. Password protection, anti-malware protection and an inactivity timeout that locks any mobile device idle for 15 minutes are among the measures his organization uses.
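One way those device-level controls are pushed out in practice is through the mail system the phones sync with, so that a device which will not accept the password and idle-lock settings is refused access rather than trusted to follow a paper policy. The following is an added example, not Beth Israel's or Halamka's configuration; it assumes Exchange Server 2013 or later with the Exchange Management Shell loaded, and the policy name, user identity and addresses are placeholders.

```powershell
# Added example: enforce a device password, a 15-minute idle lock and
# encryption on phones that sync mail via Exchange ActiveSync.
# Assumed environment: Exchange 2013+ management shell. The names
# "Hospital-Mobile-Baseline", jdoe@hospital.example and
# security@hospital.example are placeholders.

# 1. Create the policy. -AllowNonProvisionableDevices $false refuses
#    devices that cannot enforce the settings at all, so the policy is
#    a technical control, not advice the user may ignore.
New-MobileDeviceMailboxPolicy -Name "Hospital-Mobile-Baseline" `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -MinPasswordLength 6 `
    -MaxPasswordFailedAttempts 10 `
    -MaxInactivityTimeLock 00:15:00 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Make it the default for new mailboxes and assign it to an existing user.
Set-MobileDeviceMailboxPolicy -Identity "Hospital-Mobile-Baseline" -IsDefault $true
Set-CASMailbox -Identity "jdoe@hospital.example" `
    -ActiveSyncMailboxPolicy "Hospital-Mobile-Baseline"

# 3. Verify: list devices that have not fully applied the policy.
Get-MobileDevice -ResultSize Unlimited |
    Get-MobileDeviceStatistics |
    Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' } |
    Select-Object DeviceFriendlyName, DeviceType, DevicePolicyApplicationStatus, LastSyncAttemptTime

# 4. Lost or stolen phone: remote wipe, with a notification to the
#    security mailbox when the device acknowledges the wipe.
#    The identity comes from Get-MobileDevice for the affected user.
# Clear-MobileDevice -Identity "<device identity>" `
#     -NotificationEmailAddresses "security@hospital.example"
```

Note what this does and does not cover: ActiveSync policy enforces the password and timeout, and can require storage encryption and wipe a lost device, but it cannot install or verify anti-malware software. That third control in Halamka's list needs a mobile device management tool, which is a separate system and outside this example.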
