Like a team working toward a goal, hospitals and medical device manufacturers each have distinct parts to play to help create a secure environment for the personal health information derived from patient monitors and other medical devices.
For some time, this notion of a shared responsibility for data security has been recognized as a best practice within the larger technology industry. For example, cloud service providers such as Amazon Web Services, Microsoft Azure and Google follow this shared responsibility model to define the mutual security obligations of the cloud providers and their customers.[1]
Within healthcare, a similar model has emerged for medical device data. In guidance released in September 2023, the U.S. Food and Drug Administration assert, “FDA recognizes that medical device cybersecurity is a shared responsibility among stakeholders throughout the use environment of the medical device system, including healthcare facilities, patients, healthcare providers, and manufacturers of medical devices.”[2]
Medical industry researchers and developers concur. An article in Medical Product Outsourcing (MPO) states, “Cybersecurity in general, actually, is a shared responsibility, as neither hospitals nor medical device manufacturers can ward off the rising number of healthcare-targeted attacks on their own. They must join forces to protect both products and patients from harm.”[3]
It is clear medical device manufacturers, hospital software providers and health organizations must team up to shield patient information and medical device systems against cybercriminal activity. To be a successful team, each of the players must know and understand their role.
The U.S. FDA requires medical device manufacturers and software providers to follow a process called “security by design,” which maintains that certain controls are to be embedded into a product to make it easier for hospitals to deploy and use the product securely.[2] Features such as configurable encryption, secure login pages and user authentication requirements are examples of how manufacturers integrate security capabilities into their products.
To function optimally, however, these features providing security in the design of the product often require action on the part of the hospital to activate and maintain viability.
Let’s take the example of a product access control. A device manufacturer or software provider can typically implement access control to product functionalities by verifying, or authenticating, the identity of a clinical user based on the hospital’s Active Directory service, through passwords and protocols, then check this user belongs to an Active Directory group the product knows from its configuration. Now, only the healthcare organization can identify which users should have authorization to access the system and can configure the product appropriately, and sometimes configure its own Active Directory by creating a group if it cannot be reused. Using an inappropriate group, such as authorizing too many users, or being lax about maintaining an up-to-date directory, can open a network to unnecessary risk. The manufacturer brings in the security control, the hospital the optimal control configuration.
Data encryption, another strong security feature, also requires action on the part of the hospital as well as the manufacturer. When encryption is used to ensure data confidentiality, network node authentication is also necessary to make sure data arrives at the expected destination. For instance, manufacturers can deliver security controls such as robust data encryption algorithms and certificate verification for information in transit between a medical device and a hospital’s electronic medical record (EMR). Now, to enable this security feature, the hospital provides the authentication certificate and a strong private key to its EMR, and a copy of the EMR certificate to the medical device – which will use it for authenticating the EMR. The hospital is also in charge of managing these assets – expiration, revocation. For hospitals to realize the full benefits of encryption and mutual authentication, the manufacturer must offer related strong security controls in the product; however, these features are not operational until they are configured properly by the hospital. If not, the encryption security feature cannot work, or even worse, can make it appear as if security is being provided when it’s not.
Even mobile and cloud-based applications require a shared responsibility, as hospitals will need to ensure that browsers and mobile devices are up-to-date and enabled with security features such as multi-factor authentication to optimize the manufacturer’s cloud-based security controls.
Thus, to ensure a secure implementation of a product, the manufacturers need to embed in this product security controls using proven algorithms and designs, guided by the “security by design” process. At the same time, hospitals always have their share of responsibilities and activities to ensure the product is actually used securely.
Then, each product being different, how can a hospital know what to do? Hospitals have their own overall processes and procedures to keep secure their IT infrastructure, which apply to all deployed products. But to allow hospitals to consider and leverage the specificities of each product, manufacturers need to be transparent about the security features that can be used by the hospitals as well as their expectations on the hospital environment. Hospitals in turn should make themselves aware of those security features and expectations. Last but not least, both need to team up to enable successful implementation.
Fortunately, manufacturers can make it easy for hospitals to understand what they can do to optimize medical data security. Manufacturers often provide clinical users and system administrators with information and guidelines in documents such as the Manufacturer Disclosure Statement for Medical Device Security (MDS2), hardening guides and other security guidance materials.
These documents provide a step-by-step blueprint for healthcare providers to follow for ensuring that they’re doing their part to protect medical device data from cyberattacks or other intrusions. Recommended steps may include restricting login access to specific personnel; securing connections between systems via network segmentation and restricted ports; using trusted certificates to verify the identity of medical devices and clinical data receiving systems; and many other actions specific to the hospital’s network.
Manufacturers’ product documentation and hardening guides tell hospitals how they can leverage a medical device or software’s embedded security features in order to provide an optimally secure use. It’s important to review these guides every time a new version of a product or software is deployed, because enhanced security controls may require, for example, updated encryption configurations or new private keys.
In addition, it’s not uncommon for some security controls — such as who requires system access or what a password should be — to degrade over time as clinical users make configuration changes or access requirements change. Therefore, it is also recommended to use these guides on a regular basis to control the effectiveness of the current security configuration.
Cybercriminals only need one weak spot to infiltrate a network for nefarious purposes. To thwart their activity, manufacturers and hospitals need to team up and be clear about each other’s roles and shared responsibilities in an end-to-end secure data environment.
Philips provides documentation, including system hardening guides with recommended actions, for hospitals to follow to leverage security features that are embedded within Philips medical devices and software solutions. The recommendations are revised with each new Philips hardware or software release and can help hospitals take the right steps to fulfill their shared responsibility for medical device data security.
To verify that your network security environment meets your shared responsibility, ask your security system administrator to check the hardening guides and security documents available in your Philips customer portal.
In addition, please contact your Philips representative to learn more about the enhanced data encryption and security features available in Philips solutions, and how you and Philips can mutually help protect the security and privacy of your patients’ personal health information. Together, we can make a winning team for data security.
Christophe Dore is a Product Security Officer of Philips Capsule.
Learn how Philips Capsule Medical Device Information Platform (MDIP) supports interoperability between devices, while safeguarding the data that flows through them.
Download