Health News

Indiana University building a medical device security lab with TriMedX

Indiana University Health is working with TriMedX to create a new cybersecurity lab that will  assess and test medical device security, in hopes of reducing cybersecurity threats as part of the devices development process.

TriMedX, which specializes in clinical engineering and clinical asset management, will bring its technology expertise to the Medical Device Security Lab at IU Health – collaborating on the testing of the health system’s medical devices for security vulnerabilities and interoperability. The provider-built company has data on 92% of all active medical device models.

The aim is for the security lab to perform testing on medical equipment in an environment with no risk to patients. Cyber researchers will assess net-new devices in advance of them being implemented in the hospital.

Additionally, they’ll test configurations and security setups to discover what services need to be turned on and what ports need to be available on the network to ensure operational safety. And they’ll scan equipment specific to security testing with no live network or risk of patient impact.

The goal is to eventually share these capabilities with other health systems, according to both organizations.

“Mitigating cybersecurity threats is vital to protecting patient safety and data,” said Nick Sturgeon, executive director of information security at Indiana University Health, in a statement. “The cutting-edge device testing lab enhances the ability to remediate vulnerabilities before equipment reaches the patient floor.”

IU Health and TriMedX note that nearly 70% of medical devices are projected to be connected devices by 2025.

Meanwhile, reports consistently show that hospitals still don’t have a handle on their IoT security strategies; more than half of respondents to a one recent survey say their healthcare organizations experienced one or more cyberattacks in the past 24 months involving connected medical devices – many of which, the FBI has warned, are outdated.

Policymakers are trying to get a handle on the challenge, with legislation such as the PATCH Act, which would put in place baseline cybersecurity requirements for device manufacturers applying for FDA approval and require plans to monitor and address post-market vulnerabilities.

But ultimately, the onus is on provider organizations to build and maintain effective medical device security programs.

“The increase in threats and vulnerabilities is exactly why this collaboration is so important,” said Sturgeon in a statement. “The collaboration will allow us to be at the forefront of innovation and to continue to protect the health and security of patients.”

“We expect that this Medical Device Security Lab will pave the way in creating a space for devices to be tested before usage and begin to flag common security issues prior to the implementation of the devices in a healthcare setting,” added Doug Folsom, chief technology officer and president of cybersecurity at TriMedX. 

“The intent is to see an overall decrease in device security threats and eventually make this research open and available to many more organizations,” he said.

Twitter: @MikeMiliardHITN
Email the writer: [email protected]

Healthcare IT News is a HIMSS publication.

Source: Read Full Article