The Army uses modern medical devices to provide and sustain essential support for the troops, but at the same time, the use of technology can pose risks. If a medical device doesn’t connect directly to a network, it is then remotely or wirelessly accessible. This makes medical devices potentially susceptible to intrusion from an invisible adversary such as a hacker.
Hackers can exploit technology vulnerabilities within medical devices to harm patients, steal private healthcare information and data, or gain “back door” entry to the wider Department of Defense (DOD) network.
A team of medical technology experts at the Army Medical Materiel Agency (https://www.usamma.army.mil), housed within the Army Medical Research and Materiel Command (https://mrmc.amedd.army.mil), has created a cybersecurity cell. This team, part of the Integrated Clinical Systems Program Management Office, focuses on ensuring that medical devices used by the military comply with strict DOD cybersecurity standards.
“The frequency and severity of cybersecurity attacks against the medical community will continue to rise until medical device manufacturers make security a top priority,” according to the Army’s Medical Device Cybersecurity Chief Andrew McGraw. He explained, “Simply not connecting medical devices to the network isn’t the best solution. Most modern medical devices, such as computed tomography scanners, are designed to connect to hospital networks. Network connections allow clinicians to access previous test results or upload images directly to the patient’s EHR.”
“To protect the network, DOD enforces strict cyber standards on all Information Technology (IT); however, medical devices are not information technology,” McGraw explained. “IT includes computers and supporting equipment designed to be controlled by the central processing unit of a computer, software, firmware, and related resources.”
Medical technologies, however, are single-purpose systems intended for use in diagnosing diseases or other conditions while the patient is in care, being treated, or working to prevent the disease. According to McGraw, “Understanding the difference between information technology and medical devices is important.”
One process that helps the Army navigate this is the Risk Management Framework (RMF). RMF was introduced as a process to integrate information security and risk management activities into the system development life cycle. The RMF approach to security control considers effectiveness, efficiency, and constraints due to applicable laws, directives, executive orders, policies, standards, or regulations.
Under the current policy, RMF is mandatory for all medical devices on the DOD network, which includes not only new purchases but also all medical devices already in use. However, there is concern that the current process could create an issue for military medical care: it may force some services off the network, or the Army might have to replace medical devices before the end of their lifespan.
McGraw notes, “Actions such as running vulnerability scans or pushing IT updates on medical devices while they are in use could shut them down and affect patient care. There is also concern that some security patches, designed and tested for DOD computers and not for medical technology, could cause medical devices to malfunction.”