11 December 2018

A clinician reviews a patient’s radiology images. Medical devices, such as radiology imaging systems, must now go through a cybersecurity validation process in order to connect to military networks. Photo Credit: Sgt. Cecilio M. Ricardo Jr.


Army Medical Device Cyber Team Balances Benefits and Risks of Technology
Ellen Crown, U.S. Army Medical Materiel Agency Public Affairs
Access to advanced medical care directly supports the readiness of the Army’s Warfighters by ensuring troops are fit and healthy on and off the battlefield.
Modern medical devices help the Army provide and sustain essential Soldier support; however, this same technology also poses an inherent risk.
Almost all newer medical devices contain some type of computer technology. If a medical device doesn’t connect directly to a network, it is remotely or wirelessly accessible. These factors make medical devices potentially susceptible to intrusion from an invisible adversary – a hacker.
Experts warn hackers could exploit technology vulnerabilities within medical devices to harm patients, steal private health care information and data, or gain “back door” entry to the wider DOD network.
At the U.S. Army Medical Materiel Agency, a subordinate organization of the U.S. Army Medical Research and Materiel Command, a team of medical technology experts makes up a cybersecurity cell created in early 2017. This team, part of the Integrated Clinical Systems (ICS) Program Management Office, focuses on ensuring medical devices used by the military comply with strict Department of Defense cybersecurity standards.
“The frequency and severity of cybersecurity attacks against the medical community will continue to rise until medical device manufacturers make security a top priority,” explained USAMMA’s Medical Device Cybersecurity Chief Andrew McGraw.
McGraw said that simply not connecting medical devices to the network isn’t the best solution. Most modern medical devices, such as computed tomography (CT) scanners, are designed to connect to hospital networks. Network connection allows clinicians to access previous test results or upload images directly to the patient’s electronic health records.
To maintain those capabilities, McGraw and his team work to ensure each medical device passes a robust security certification process to reduce the security vulnerabilities of commercially developed medical devices purchased and used by the Army.
“We believe in taking a proactive approach to cybersecurity,” said McGraw. “We work with medical device manufacturers to reduce cybersecurity risks, so we can continue to leverage advanced medical technology.”


To protect the network, DOD officials enforce strict cyber standards on all information technology. Medical devices, however, are not “information technology,” explained McGraw. Rather, they are “medical technology.” It is a subtle yet significant difference.
Information technology (IT) includes computers and supporting equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services and related resources.
Medical technologies are single purpose systems intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease.
Understanding this difference is important, said McGraw, because Federal Acquisition Regulation (FAR) 2.1 excludes medical equipment from being classified as information technology. However, often medical technology is still held to the same strict standards as IT.
McGraw said that cybersecurity in health care delivery must be a balancing act. Too strict of a security requirement results in the continued use of antiquated and technologically outdated medical devices. Too lax of a security requirement results in greater risk.
“The requirement to secure the network and patient data needs to be weighed against the medical mission and the ability to provide best in class medical care to the Warfighter,” McGraw said.
One process that helps the Army navigate through that balancing act is the Risk Management Framework process. While well-known within the DOD as the gold standard for information security, RMF wasn’t actually developed by the DOD.
In fact, experts at the National Institute of Standards and Technology (NIST) developed RMF and introduced it as a process that integrates information security and risk management activities into the system development life cycle.
The RMF approach to security control considers effectiveness, efficiency and constraints due to applicable laws, directives, executive orders, policies, standards or regulations.
In 2014, the DOD began adopting RMF as a replacement to the DOD Information Assurance Certification and Accreditation Process (DIACAP). Army networks began getting Authority to Operate (ATO) under RMF in 2016.
By 2017, the Army received ATO under RMF for its first medical device – a portable digital radiography (imaging) system designed for use on the battlefield.
“This was a huge win for the Army, USAMRMC, and USAMMA,” said ICS Project Manager Terri Pryor, who manages the medical device cybersecurity cell. “However, it is not a quick, simple or low-cost process.”
Under current policy, RMF is a mandatory process for all medical devices on the DOD network, which includes not only new purchases but also all medical devices already in use.
Pryor and others are concerned that the current process could create a significant issue for military medical care – forcing some devices off the network.
Additionally, if a device can’t pass the process, the Army might have to replace medical devices – which would otherwise be in good working order – before the end of their lifespans, which are typically 10 – 12 years.
“Is cybersecurity of medical devices important? Absolutely. Is there possibly a more streamlined approach to achieve our end goals? We think so,” said McGraw.
To that end, USAMMA’s medical device cybersecurity cell has been exploring the possibility of a “black box” solution that they believe could greatly reduce the number of security steps they have to take to gain ATO under RMF. The solution they are exploring works through a process called microsegmentation, which would allow an organization to isolate mini-networks within the larger network.
“Traditional security firewalls work like a fence to protect critical assets. But hackers have gotten pretty good at defeating these perimeters,” said McGraw. “With microsegmentation, instead of one fence, we would have hundreds or thousands of smaller fences.”
“Some people call this a ‘black box’ solution but there is actually no physical box,” clarified USAMMA’s Medical Device Cybersecurity Deputy Chief William Martin. “The term just refers to the concept that we can create boundaries or fences where only devices within a specific group that we designate – we call this a ‘community of interest’ – can see and talk to each other.”
Martin explained that this option would be layered on top of the existing network, microsegmenting the connected medical devices to limit their access and reduce risk to the network. Additionally, microsegmentation could actually help protect medical devices from DOD networks.
McGraw explained that actions such as running vulnerability scans or pushing IT updates on medical devices while they are in use could shut them down and affect patient care. Experts are also concerned that some security patches, designed and tested for DOD computers and not medical technology, could cause medical devices to malfunction.
“We don’t just look at this from the perspective of protecting the network because we have to consider the potential impact to patient care,” said McGraw. “So, in many ways, we have to protect the network from the device and, at the same time, we have to protect the device from the network.”
The “black box” solution is one of many solutions being explored by McGraw and his team, who work closely with network security experts throughout DOD and the Defense Health Agency. While no specific solution has been agreed upon just yet, the team remains focused on their mission.
McGraw added, “We take great pride in knowing that the work we do helps put life-saving tools into the hands of Soldiers, ultimately saving lives.”

For more Fort Detrick News, visit "The Standard," the official newspaper for Fort Detrick.
For the full archive, visit http://www.dcmilitary.com/standard/