Uncle Sam Makes Mobile, Medical Device Security a Priority in 2014

The U.S. Department of Health and Human Services (HHS) says that it will make the security of mobile devices containing personal health information and networked medical devices areas of intense scrutiny in 2014.

The security of networked medical devices will face scrutiny in 2014, according to a report from the Department of Health and Human Services.

The security of a wide range of devices, from laptops and USB ‘jump drives’ to networked medical devices like dialysis machines and medication dispensing systems, will be under review, according to a 2014 Work Plan issued by HHS’s Office of the Inspector General (OIG).

Among other projects, the OIG will review hospitals’ plans to protect against the loss of protected health information (PHI), as well as similar plans put in place by Medicare and Medicaid contractors in the next year. OIG will also scrutinize security controls at hospitals that protect networked medical devices. OIG wants to determine if the controls in place are adequate to secure electronic protected health information stored on medical devices. Links between networked medical devices and newer Electronic Medical Records (EMR) systems required by law “pose a growing threat to the security and privacy of personal health information,” the OIG said.


The security of medical devices and mobile devices used in medical settings is just a small part of the HHS plan for 2014. Also on the agenda is the security of health exchanges set up under the Affordable Care Act (ACA). According to the report, OIG will scrutinize the exchanges to make sure information security controls have been set up at state-based marketplaces in line with Centers for Medicare and Medicaid Services (CMS) guidelines.

The security of medical devices is getting more attention in the wake of high-profile attacks on hospitals including a CMS contractor, as well as the continued expansion of intelligent and networked devices within medical settings. In June of last year, the U.S. Food and Drug Administration (FDA) issued guidance urging medical device makers and the hospitals that use their products to pay more attention to cyber security and the potential for cyber attacks on vulnerable medical instruments. The FDA has also issued guidelines to mobile application developers indicating that some mobile apps will be treated as medical devices – and regulated as such.