Back to Top Skip to main content

Army medical device cyber team balances benefits and risks of technology

An Army medic positions a patient for a CT scan, which helps radiologists diagnose different types of disease and injuries. Medical devices, such as radiology imaging systems, must now go through a cybersecurity validation process in order to connect to military networks (U.S. Army photo by Staff Sgt. Evelyn Chavez) An Army medic positions a patient for a CT scan, which helps radiologists diagnose different types of disease and injuries. Medical devices, such as radiology imaging systems, must now go through a cybersecurity validation process in order to connect to military networks (U.S. Army photo by Staff Sgt. Evelyn Chavez)

Recommended Content:

Technology

Access to advanced medical care directly supports the readiness of the Army's Warfighters by ensuring troops are fit and healthy on and off the battlefield.

Modern medical devices help the Army provide and sustain essential Soldier support; however, this same technology also poses an inherent risk.

Almost all newer medical devices contain some type of computer technology. If a medical device doesn't connect directly to a network, it is remotely or wirelessly accessible. These factors make medical devices potentially susceptible to intrusion from a hacker.

Experts warn hackers could exploit technology vulnerabilities within medical devices to either harm patients, steal private health care information and data, or gain "back door" entry to the wider DoD network.

At the U.S. Army Medical Materiel Agency, a subordinate organization of the U.S. Army Medical Research and Materiel Command, a team of medical technology experts comprise a cybersecurity cell created in early 2017. This team, part of the Integrated Clinical Systems Program Management Office, focuses on ensuring medical devices used by the military comply with strict DoD cybersecurity standards.

"The frequency and severity of cybersecurity attacks against the medical community will continue to rise until medical device manufacturers make security a top priority," explained USAMMA's Medical Device Cybersecurity Chief Andrew McGraw.

McGraw said that simply not connecting medical devices to the network isn't the best solution. Most modern medical devices, such as computed tomography (CT) scanners, are designed to connect to hospital networks. Network connection allows clinicians to access previous test results or upload images directly to the patient's electronic health records.

To maintain those capabilities, McGraw and his team work to ensure each medical device passes a robust security certification process to reduce the security vulnerabilities of commercially developed medical devices purchased and used by the Army.

"We believe in taking a proactive approach to cybersecurity," said McGraw. "We work with medical device manufacturers to reduce cybersecurity risks, so we can continue to leverage advanced medical technology."

To protect the network, DoD officials enforce strict cyber standards on all information technology. Medical devices, however, are not "information technology," explained McGraw. Rather, they are "medical technology." It is a subtle yet significant difference.

Information technology includes computers and supporting equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services and related resources.

Medical technologies are single purpose systems intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease.

Understanding this difference is important, said McGraw, because Federal Acquisition Regulation 2.1 excludes medical equipment from being classified as information technology. However, often medical technology is still held to the same strict standards as IT.

McGraw said that cybersecurity in health care delivery must be a balancing act. Too strict of a security requirement results in the continued use of antiquated and technologically outdated medical devices. Too lax of a security requirement results in greater risk.

"The requirement to secure the network and patient data needs to be weighed against the medical mission and the ability to provide best in class medical care to the Warfighter," McGraw said.

One process that helps the Army navigate through that balancing act is the Risk Management Framework process. The RMF approach to security control considers effectiveness, efficiency and constraints due to applicable laws, directives, executive orders, policies, standards or regulations.

In 2014, the DoD began adopting RMF as a replacement to the DoD Information Assurance Certification and Accreditation Process. Army networks began getting Authority to Operate (ATO) under RMF in 2016.

By 2017, the Army received ATO under RMF for its first medical device – a portable digital radiography system designed for use on the battlefield.

"This was a huge win for the Army, USAMRMC, and USAMMA," said ICS Project Manager Terri Pryor, who manages the medical device cybersecurity cell. "However, it is not a quick, simple or low-cost process."

Under current policy, RMF is a mandatory process for all medical devices on the DoD network, which includes not only new purchases but also all medical devices already in use. Pryor and others are concerned that the current process could create a significant issue for military medical care – forcing some devices off the network. Additionally, if a device can't pass the process, the Army might have to replace medical devices – which would otherwise be in good working order – before the end of their lifespans, which are typically 10 - 12 years.

"Is cybersecurity of medical devices important? Absolutely. Is there possibly a more streamlined approach to achieve our end goals? We think so," said McGraw.

To that end, USAMMA's medical device cybersecurity cell has been exploring the possibility of a "black box" solution that they believe could greatly reduce the number of security steps they have to take to gain ATO under RMF. The solution they are exploring works through a process called microsegmentation, which would allow an organization to isolate mini-networks within the larger network.

"Traditional security firewalls work like a fence to protect critical assets. But hackers have gotten pretty good at defeating these perimeters," said McGraw. "With microsegmentation, instead of one fence, we would have hundreds or thousands of smaller fences."

McGraw explained that actions such as running vulnerability scans or pushing IT updates on medical devices while they are in use could shut them down and affect patient care. Experts are also concerned that some security patches, designed and tested for DoD computers and not medical technology, could cause medical devices to malfunction.

"We don't just look at this from the perspective of protecting the network because we have to consider the potential impact to patient care," said McGraw. "So, in many ways, we have to protect the network from the device and, at the same time, we have to protect the device from the network."

The "black box" solution is one of many solutions being explored by McGraw and his team, who work closely with network security experts throughout DoD and the Defense Health Agency. While no specific solutions has been agreed upon just yet, the team remains focused on their mission.

McGraw added, "We take great pride in knowing that the work we do helps put life-saving tools into the hands of Soldiers, ultimately saving lives."

Disclaimer: Re-published content may have been edited for length and clarity. Read original post.

You also may be interested in...

Personal responsibility is key to cybersecurity

Article
2/23/2017
Servio Medina, one of the Defense Health Agency’s Health Information Technology leaders on cybersecurity, implores his audience to practice positive cyber hygiene. (MHS photo)

Leader in cybersecurity discusses the risks of human error in cybersecurity at HIMSS

Recommended Content:

Technology

MHS IT director explains to HIMSS how recent updates will deliver more from less

Article
2/21/2017
Air Force Col. Richard Terry, the acting chief information officer for the MHS, enjoys a brief moment of levity as he spoke at the Healthcare Information and Management Systems Society (HIMSS) 2017 conference in Orlando, Florida, Feb. 20, 2017. (MHS photo)

In a time of tightening budgets, information technology serves as a critical component in the delivery of the best health care for Military Health System beneficiaries

Recommended Content:

Technology | MHS GENESIS

Tiny life-saving device receives FDA clearance

Article
2/3/2017
U.S. Army Institute of Surgical Research senior scientist, Victor Convertino, Ph.D. (right), demonstrates the functions and capabilities of the Compensatory Reserve Index to Army Maj. Gen. Barbara Holcomb, commanding general, U.S. Army Medical Research and Material Command. (U.S. Army photo by Steven Galvan)

The ability to measure the body's capacity to compensate for blood loss has been the focus of researchers at the USAISR for years

Recommended Content:

Research and Innovation | Technology

Hospital goes low, high tech to ensure patient safety

Article
1/19/2017
Evans Army Community Hospital operating room nurse Regina Andrews performs a diagnostic test on the RFID wand. The wand is used to locate surgical sponges embedded with an RFID chip. (U.S. Army photo by Jeff Troth)

To ensure the count of medical sponges is correct in its operating rooms, Evans Army Community Hospital has started using radio-frequency ID sponges

Recommended Content:

Patient Safety | Military Hospitals and Clinics | Multi-Service Markets | Quality and Safety of Health Care (for Healthcare Professionals) | Innovation | Technology

BLAST: Greater speed, accuracy in recognizing brain injury

Article
1/18/2017
Marines shield themselves from a detonated explosive charge during a breaching exercise. Modern body armor better protects warfighters against shrapnel from explosive blasts. However, they still face the resulting blast pressure and shock wave that could cause traumatic brain injury. (U.S. Marine Corps photo by Sgt. Emmanuel Ramos)

The Office of Naval Research is sponsoring the development of a portable, three-part system that can measure blast pressure, establish injury thresholds for the brain and analyze potential TBI symptoms

Recommended Content:

Technology | Research and Innovation | Traumatic Brain Injury

WBAMC introduces robotic-assisted tubal re-anastomosis

Article
1/17/2017
Dr. Jennifer Orr, urogynecologist, William Beaumont Army Medical Center, stands in front of WBAMC's robotic surgical system which was used to perform the first robotic-assisted tubal re-anastomosis at WBAMC. The introduction of robotic assisted tubal re-anastomosis, commonly known as tubal ligation reversal, provides eligible beneficiaries with a third option for the procedure, an option studies show produces higher success rates for post-operation pregnancy. (U.S. Army photo by Marcy Sanchez)

William Beaumont Army Medical Center recently performed its first robotic-assisted surgery for tubal re-anastomosis

Recommended Content:

Technology | Women's Health

DARPA provides groundbreaking bionic arms to Walter Reed

Article
12/28/2016
Dr. Justin Sanchez, director of the Defense Advanced Research Projects Agency’s Biological Technologies Office, fist-bumps with one of the first two advanced “LUKE” arms to be delivered from a new production line during a ceremony at Walter Reed National Military Medical Center in Bethesda, Maryland.

DARPA is collaborating with Walter Reed to make bionic arms available to service members and veterans who are rehabilitating after suffering upper-limb loss

Recommended Content:

Technology | Innovation | Warrior Care | Military Hospitals and Clinics

Air Force supports improved method for transporting TBI patients

Article
11/28/2016
Cornerstone Research Group’s aeromedical evacuation stretcher is shown during a compatibility test on a KC-135 aircraft. (Courtesy photo)

Air Force School of Aerospace Medicine scientists are testing and evaluating a novel aeromedical evacuation stretcher designed to safely transport traumatic brain and spinal injury patients in air and ground vehicles

Recommended Content:

Traumatic Brain Injury | Warrior Care | Innovation | Technology

Virtual health extends Army Medicine reach

Article
11/21/2016
Army Lt. Col. Robert Cornfeld, Pediatric Gastroenterologist at Landstuhl Regional Medical Center, conducts the first in-home virtual health visit within Regional Health Command Europe. In-home virtual health provides patients with the option to conduct a doctor's visit without having to go into a clinic. (U.S. Army photo by Ashley Patoka)

In-home virtual health provides patients with the option to conduct a doctor's visit without having to go into a clinic

Recommended Content:

Access to Health Care | Military Hospitals and Clinics | Innovation | Technology

Classifying the Histomorphology of Prostatic Adenocarcinoma with Deep Neural Networks

Presentation
11/1/2016

Classifying the Histomorphology of Prostatic Adenocarcinoma with Deep Neural Networks

Recommended Content:

Research and Innovation | Technology

Enterprise Intelligence Branch/MHS Population Health Portal

Presentation
8/9/2016

The first part of this presentation discusses the Enterprise Intelligence Branch, which supports the MHS strategic goals through delivery of timely, relevant, and actionable information toa ll levels of the organization. The second part describes the MHS Poulation Health Portal and shows examples.

Recommended Content:

Technology | Research and Innovation

Long Range Technical Architecture Strategy Accessible Version

Technical Document
7/28/2016

The Long Range Technical Architecture (LRTA) Strategy is a dynamic technology investment roadmap to help guide and optimize the MHS’ investments over the next decade, based on data-driven analyses. The LRTA links business needs to technical solutions and provides enterprise 'knowledge' through data democratization.

Recommended Content:

Technology

Vendor Information Form

Form/Template
7/27/2016

The Vendor Information Form provides a standard way to collect your ideas, problem statements, and/or proposed solution sets for defense health IT.

Recommended Content:

Technology

Center for Wireless and Population Health Systems

Presentation
2/10/2016

Center for Wireless and Population Health Systems Briefing

Recommended Content:

Technology

Improving Defense Health Program Medical Research Processes Update

Presentation
2/10/2016

Recommended Content:

Research and Innovation | Technology
<< < ... 6 7 8 > >> 
Showing results 76 - 90 Page 6 of 8

DHA Address: 7700 Arlington Boulevard | Suite 5101 | Falls Church, VA | 22042-5101

Some documents are presented in Portable Document Format (PDF). A PDF reader is required for viewing: Download a PDF Reader or learn more about PDFs.