How the VA addresses medical device security

The Department of Veterans Affairs uses a two-pronged "defense in depth" strategy to secure its systems, including its networked medical devices, according to an article at HealthcareInfoSecurity.

The VA had about 65,000 medical devices on its network at last count in April, yet only two are currently infected with malware, CIO Stephen Warren recently told reporters.

Warren pointed out the two key aspects of the VA's efforts to keep medical devices clean:

  • Clear delineation of responsibility between the two groups responsible for medical devices: the biomedical staff, which helps safeguard devices in use at its sites, and Warren's information systems team, which ensures data flows where it should while protecting it at the boundaries.
  • Addressing the human factor: The VA looks for pathways to infection and locks devices down with processes and controls.

With the Food and Drug Administration's recent warning about the vulnerabilities in computerized infusion pumps and the news from the Ponemon Institute that criminal attacks are currently the leading cause of data breaches, healthcare organizations are now more than ever concerned about securing medical devices. Security experts have said that devices used in hospitals are increasingly riddled with malware, potentially providing criminals with a way into the network, not to mention posing safety threats to patients.

The VA has identified USB drives used by vendors to update software as one route to infection. It also makes sure vendor technicians aren't surfing the web through medical devices' network connectivity; VA staff aren't allowed to do so, either.

"It's important to put the discipline and controls in place to make sure that people don't do silly things that end up causing significant damage to those medical devices," Warren said.
