Best Practices: Access Controls for Medical Devices (Part 3)
This three-part series explores key challenges, considerations, technologies and workflows related to providing secure frontline medical device access and use. Previously, in part two of the series, we uncovered common security and compliance workarounds used in the healthcare industry today.
Securing Medical Devices in the Care Setting
Undoubtedly, the best way to help ensure security and compliance is to map out an access control strategy that is specifically tailored to the unique needs of the healthcare environment. While NIST, the FDA and the Cybersecurity Task Force recognize many authentication modalities as approved and secure, not all of them make sense at the point of care.
When selecting an authentication modality or workflow to secure your medical devices, it’s important to understand the care setting in which the authentication will happen. For example, FIPS-compliant biometric authentication may make sense in some areas of the hospital, such as shared workstations or nurse stations, but may not be as practical in care settings where gloves are required. Similarly, while proximity cards are convenient and easily accessible during regular patient interactions, they may not be the best approach in operating rooms. Therefore, flexible authentication that gives the user the option of more than one modality can help account for varying scenarios.
Single-Factor vs. Two-Factor Authentication
Another aspect to take into consideration when securing medical devices is when and where to employ single-factor authentication and two-factor authentication. The FDA stresses the importance of ensuring that authentication not interfere with patient care. It’s important to consider what level of security is required and practical for each situation.
Some workflows, such as transmitting blood pressure or temperature readings, may only require one level of security, whereas other workflows may require multiple factors, either due to internal mandates or government regulations (e.g., medication dispensing in certain states). Consult with both clinical and compliance teams to understand which option makes the most sense for your medical devices and care settings.
Importance of Grace Periods
One of the largest roadblocks to securing medical devices is the burden put on clinicians to repeatedly enter user credentials throughout the day. Consider implementing grace periods to further streamline authentication once a user has established trust. In selecting the proper timeframe for a grace period for a medical device, it’s imperative to understand how clinicians are using each device in the field. A grace period for one type of device, such as a spot check vitals monitor, may need to be different from that for an infusion pump or other medical device.
When securing medical devices, you must consider multiple modality options to ensure that trusted clinicians can access devices through various methods in the event that one is not available. For example:
- A patient vitals monitor may be configured to accept a proximity badge for a trusted user as well as the manual entry of username and password in the event a clinician does not have his or her badge.
- A vitals monitor may be configured to only transmit data after authentication, but still allow for vitals to be taken quickly to assess any immediate patient health concerns.
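As an added illustration of the grace-period and fallback-modality rules described above (example code, not from the article or from Imprivata), the following policy evaluator models per-device grace windows, the set of modalities each device accepts, actions allowed before login, and the number of factors a workflow requires; the device types, timings and factor counts are constructed assumptions.

```python
# Added example (not from the article or from Imprivata): a small policy
# evaluator for per-device grace periods, fallback modalities and
# per-workflow factor counts. All device settings are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DevicePolicy:
    grace_seconds: int                 # how long one login stays trusted
    modalities: frozenset              # accepted factors, e.g. badge/password
    pre_auth_actions: frozenset = frozenset()  # allowed before login
    factors_required: dict = field(default_factory=dict)  # action -> count

# Constructed policies: a spot-check monitor has a long grace period and lets
# vitals be taken before login; an infusion pump is stricter and needs two
# factors to dispense medication.
POLICIES = {
    "spot_check_monitor": DevicePolicy(
        600, frozenset({"badge", "password"}),
        pre_auth_actions=frozenset({"capture_vitals"}),
        factors_required={"transmit_vitals": 1}),
    "infusion_pump": DevicePolicy(
        120, frozenset({"badge", "password", "fingerprint"}),
        factors_required={"program_infusion": 1, "dispense_medication": 2}),
}

@dataclass
class Session:
    """Last successful authentication on one device."""
    device: str
    last_auth: Optional[float] = None
    factors: frozenset = frozenset()

def authenticate(session, now, presented):
    """Accept a login only if every presented factor is one the device allows."""
    policy = POLICIES[session.device]
    presented = frozenset(presented)
    if not presented or not presented <= policy.modalities:
        return False
    session.last_auth, session.factors = now, presented
    return True

def authorize(session, now, action):
    """True if `action` may run at `now` under the device's grace period."""
    policy = POLICIES[session.device]
    if action in policy.pre_auth_actions:
        return True  # e.g. take a reading now, transmit after login
    if session.last_auth is None or now - session.last_auth > policy.grace_seconds:
        return False  # never logged in, or grace period has elapsed
    return len(session.factors) >= policy.factors_required.get(action, 1)
```

Once the grace window elapses or a workflow needs more factors than the session holds, `authorize` returns False and the clinician must re-authenticate, which is the audit boundary the article describes.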
By enabling fast, secure authentication for accessing and transacting with patient information on medical devices, security and auditing capabilities can be improved without compromising clinician efficiency and patient care. For clinicians, this means a faster, more efficient login to the device, helping them to focus on their primary business of patient care.
Interested in obtaining more information on securing medical devices? Be sure to check out parts one and two of our medical device security series to learn more about how to keep your organization safe.
1. FDA, October 2014, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm356190.pdf
2. NIST: National Institute of Standards and Technology
3. Health Care Industry Cybersecurity Task Force, June 2017, Report on Improving Cybersecurity in the Health Care Industry, https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf
4. NIST, June 2017, NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Life Cycle Management, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
This article provided courtesy of Imprivata.