Back to Top Skip to main content

Army medical device cyber team balances benefits and risks of technology

An Army medic positions a patient for a CT scan, which helps radiologists diagnose different types of disease and injuries. Medical devices, such as radiology imaging systems, must now go through a cybersecurity validation process in order to connect to military networks (U.S. Army photo by Staff Sgt. Evelyn Chavez) An Army medic positions a patient for a CT scan, which helps radiologists diagnose different types of disease and injuries. Medical devices, such as radiology imaging systems, must now go through a cybersecurity validation process in order to connect to military networks (U.S. Army photo by Staff Sgt. Evelyn Chavez)

Recommended Content:

Technology

Access to advanced medical care directly supports the readiness of the Army's Warfighters by ensuring troops are fit and healthy on and off the battlefield.

Modern medical devices help the Army provide and sustain essential Soldier support; however, this same technology also poses an inherent risk.

Almost all newer medical devices contain some type of computer technology. If a medical device doesn't connect directly to a network, it is remotely or wirelessly accessible. These factors make medical devices potentially susceptible to intrusion from a hacker.

Experts warn hackers could exploit technology vulnerabilities within medical devices to either harm patients, steal private health care information and data, or gain "back door" entry to the wider DoD network.

At the U.S. Army Medical Materiel Agency, a subordinate organization of the U.S. Army Medical Research and Materiel Command, a team of medical technology experts comprise a cybersecurity cell created in early 2017. This team, part of the Integrated Clinical Systems Program Management Office, focuses on ensuring medical devices used by the military comply with strict DoD cybersecurity standards.

"The frequency and severity of cybersecurity attacks against the medical community will continue to rise until medical device manufacturers make security a top priority," explained USAMMA's Medical Device Cybersecurity Chief Andrew McGraw.

McGraw said that simply not connecting medical devices to the network isn't the best solution. Most modern medical devices, such as computed tomography (CT) scanners, are designed to connect to hospital networks. Network connection allows clinicians to access previous test results or upload images directly to the patient's electronic health records.

To maintain those capabilities, McGraw and his team work to ensure each medical device passes a robust security certification process to reduce the security vulnerabilities of commercially developed medical devices purchased and used by the Army.

"We believe in taking a proactive approach to cybersecurity," said McGraw. "We work with medical device manufacturers to reduce cybersecurity risks, so we can continue to leverage advanced medical technology."

To protect the network, DoD officials enforce strict cyber standards on all information technology. Medical devices, however, are not "information technology," explained McGraw. Rather, they are "medical technology." It is a subtle yet significant difference.

Information technology includes computers and supporting equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services and related resources.

Medical technologies are single purpose systems intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease.

Understanding this difference is important, said McGraw, because Federal Acquisition Regulation 2.1 excludes medical equipment from being classified as information technology. However, often medical technology is still held to the same strict standards as IT.

McGraw said that cybersecurity in health care delivery must be a balancing act. Too strict of a security requirement results in the continued use of antiquated and technologically outdated medical devices. Too lax of a security requirement results in greater risk.

"The requirement to secure the network and patient data needs to be weighed against the medical mission and the ability to provide best in class medical care to the Warfighter," McGraw said.

One process that helps the Army navigate through that balancing act is the Risk Management Framework process. The RMF approach to security control considers effectiveness, efficiency and constraints due to applicable laws, directives, executive orders, policies, standards or regulations.

In 2014, the DoD began adopting RMF as a replacement to the DoD Information Assurance Certification and Accreditation Process. Army networks began getting Authority to Operate (ATO) under RMF in 2016.

By 2017, the Army received ATO under RMF for its first medical device – a portable digital radiography system designed for use on the battlefield.

"This was a huge win for the Army, USAMRMC, and USAMMA," said ICS Project Manager Terri Pryor, who manages the medical device cybersecurity cell. "However, it is not a quick, simple or low-cost process."

Under current policy, RMF is a mandatory process for all medical devices on the DoD network, which includes not only new purchases but also all medical devices already in use. Pryor and others are concerned that the current process could create a significant issue for military medical care – forcing some devices off the network. Additionally, if a device can't pass the process, the Army might have to replace medical devices – which would otherwise be in good working order – before the end of their lifespans, which are typically 10 - 12 years.

"Is cybersecurity of medical devices important? Absolutely. Is there possibly a more streamlined approach to achieve our end goals? We think so," said McGraw.

To that end, USAMMA's medical device cybersecurity cell has been exploring the possibility of a "black box" solution that they believe could greatly reduce the number of security steps they have to take to gain ATO under RMF. The solution they are exploring works through a process called microsegmentation, which would allow an organization to isolate mini-networks within the larger network.

"Traditional security firewalls work like a fence to protect critical assets. But hackers have gotten pretty good at defeating these perimeters," said McGraw. "With microsegmentation, instead of one fence, we would have hundreds or thousands of smaller fences."

McGraw explained that actions such as running vulnerability scans or pushing IT updates on medical devices while they are in use could shut them down and affect patient care. Experts are also concerned that some security patches, designed and tested for DoD computers and not medical technology, could cause medical devices to malfunction.

"We don't just look at this from the perspective of protecting the network because we have to consider the potential impact to patient care," said McGraw. "So, in many ways, we have to protect the network from the device and, at the same time, we have to protect the device from the network."

The "black box" solution is one of many solutions being explored by McGraw and his team, who work closely with network security experts throughout DoD and the Defense Health Agency. While no specific solutions has been agreed upon just yet, the team remains focused on their mission.

McGraw added, "We take great pride in knowing that the work we do helps put life-saving tools into the hands of Soldiers, ultimately saving lives."

Disclaimer: Re-published content may have been edited for length and clarity. Read original post.

You also may be interested in...

Cyberfit family: Making cybersecurity understandable for all ages

Article
10/30/2018
By making cyber fitness a part of daily routines, families can protect their online information and personal well-being.

Protecting the homefront against cybersecurity issues

Recommended Content:

Technology

PEO DHMS celebrates National Health IT Week

Article
10/19/2018
The Program Executive Office Defense Healthcare Management Systems logo

Leaders and staff from the PEO DHMS shared their stories about why health IT is important

Recommended Content:

Technology | Military Health System Electronic Health Record | Electronic Health Record Modernization & Interoperability

Robotics key to medical Airmen recruitment, retention, readiness

Article
10/2/2018
U.S. Air Force Maj. Scott Thallemer (foreground), 81st Surgical Operations Squadron Institute for Defense Robotic Surgical Education program coordinator, Keesler Air Force Base, Miss., and Air Force Maj. Joshua Tyler, InDoRSE program director, provide instruction to students during a robotics surgery training session at Keesler Air Force Base’s clinical research lab. (U.S. Air Fore photo by Kemberly Groue)

Robotics has been the standard for years in the private sector

Recommended Content:

Military Hospitals and Clinics | Technology

D2D lays down road ahead for MHS GENESIS rollout

Article
7/27/2018
Mark Goodge, chief technology officer for the Defense Health Agency, speaks to attendees of the Defense Health Information Technology Symposium about the agency Desktop to Datacenter initiative.

As military treatment facilities prepare for MHS GENESIS, the Military Health System’s new electronic health record, patients and providers will soon embrace more access and better delivery of care.

Recommended Content:

Defense Health Agency | Technology | DHITS 2018

Cyber fitness is everyone's responsibility today

Article
7/27/2018
Servio Medina from the Cyber Policy Branch of the Defense Health Agency speaks at DHITS 2018 on the need for exercising cyber fitness practices in today's technology driven life.

Taking care of our physical self and personal hygiene – working out, eating well, and washing up – is a normal part of our daily lives. If we put the same effort into making sure we’re ‘in shape’ in the cyber world, we could make a big difference in protecting our personal information.

Recommended Content:

Defense Health Agency | Technology | DHITS 2018

MHS GENESIS: Continuing to make progress

Article
7/25/2018
Vice Adm. Raquel C. Bono, director of the Defense Health Agency, and Ms. Stacy Cummings, Program Executive Officer for Defense Health Management Systems, answer questions about the progress of MHS GENESIS electronic Health record during the 2018 Defense Health Information Technology Symposium July 24 in Orlando, Florida.

Senior Military Health System leaders met at the Defense Health Information Technology Symposium in Orlando, Florida, to discuss progress with MHS GENESIS

Recommended Content:

Defense Health Agency | Defense Healthcare Management Systems | Technology | DHITS 2018 | Military Health System Electronic Health Record | MHS GENESIS

Helping the healers through the power of mobile technology

Article
7/23/2018
The Provider Resilience app offers health care providers tools to guard against emotional occupational hazards, including compassion fatigue and burnout. An updated version of the app is expected to be released in the fall. (Courtesy photo)

App guards against emotional occupational hazards

Recommended Content:

Technology | Innovation

Soldiers test Army's newest transport telemedicine technology

Article
7/20/2018
Soldiers test MEDHUB during an exercise at Camp Atterbury, Indianapolis. (U.S. Army photo by Greg Pugh)

MEDHUB is really about life-saving situational awareness

Recommended Content:

Technology | Innovation

Navy Care app enables medical appointments from work, home

Article
7/13/2018
A Sailor uses the Navy Care app on her cell phone for a virtual health visit with a Naval Hospital Jacksonville provider. Navy Care enables patients to have a live video visit with a clinician on a smartphone, tablet, or computer. It’s private, secure, and free. (U.S. Navy photo by Petty Officer 1st Class Jacob Sippel)

The app delivers convenient care with the quality of a face-to-face visit

Recommended Content:

Technology | Innovation

Navy clinic first MHS GENESIS site to complete accreditation

Article
7/3/2018
The official image of the MHS Genesis Logo

Navy clinic first MHS GENESIS site to complete accreditation

Recommended Content:

Technology | MHS GENESIS

MHS GENESIS focal point for Defense Health Agency Director visit at Naval Hospital Bremerton

Article
7/3/2018
Navy Vice Adm. Raquel C. Bono, director of the Defense Health Agency, is welcomed by Hospital Corpsman 3rd Class Stephanie Manamon, assigned to Naval Hospital Bremerton's (NHB) Northwest Beginnings Family Birth Center, during a fact-finding visit to the military treatment facility. The visit provided the opportunity to focus with NHB leadership and staff on MHS GENESIS and exchange frank and candid assessment on both positive and negative experiences, process improvement, and deployment application of the new electronic health record. NHB deployed the new electronic health record on Sept. 23, 2017 for service members, veterans and their families as one of the four sites in the Pacific Northwest along with U.S. Air Force 92nd Medical Group at Fairchild Air Force Base, Naval Health Clinic Oak Harbor and Madigan Army Medical Center (Official Navy photo by Douglas H Stutz, Naval Hospital Bremerton Public Affairs Officer)

The trip included candid conversations regarding implementation, best practices, lessons learned, issues and improvements.

Recommended Content:

Technology | MHS GENESIS

Project Sea Raven delivers cutting-edge pathogen detection technology

Article
5/31/2018
U.S. Navy Petty Officer 1st Class James Bowes, senior preventive-medicine technician, places mosquitoes on a dish to view under a microscope. Project Sea Raven’s capabilities are not limited to just insects – it can test anything from blood to soil and water. (U.S. Navy photo by Petty Officer 1st Class Tom Ouellette)

Project Sea Raven is now an integral part of USNS Mercy’s microbiology capacity

Recommended Content:

Global Health Engagement | Technology | Military Hospitals and Clinics

Air Force lab puts medical devices through their paces

Article
4/10/2018
A 10-bed Expeditionary Medical Support Hospital (EMEDS+10) set up at the Air Force Medical Evaluation Support Activity testing facility at Fort Detrick, Maryland. AFMESA tests medical devices to ensure they will work in the field and survive the rigors of deployment. Many devices tested by AFMESA are used in EMEDS facilities, making it a critical testing location. (U.S. Air Force photo by Shireen Bedi)

Lab’s mission is unique within the Air Force, and across the U.S. military

Recommended Content:

Technology

Advancements in telehealth improve access to healthcare

Article
2/23/2018
Air Force Medical Service Seal

Telehealth brings a range of services all working together to improve access

Recommended Content:

Access to Health Care | Military Hospitals and Clinics | Technology

Air Force robotic surgery training program aims at improving patient outcomes

Article
2/9/2018
Air Force Col. Debra Lovette (left), 81st Training Wing commander, receives a briefing from Air Force 2nd Lt. Nina Hoskins, 81st Surgical Operations squadron room nurse, on robotics surgery capabilities inside the robotics surgery clinic at Keesler Medical Center, Mississippi. The training program stood up in March 2017 and has trained surgical teams within the Air Force and across the Department of the Defense. (U.S. Air Force photo by Kemberly Groue).

Robotic surgery is becoming the standard of care for many specialties and procedures

Recommended Content:

Technology | Innovation | Military Hospitals and Clinics
<< < 1 2 3 > >> 
Showing results 1 - 15 Page 1 of 3

DHA Address: 7700 Arlington Boulevard | Suite 5101 | Falls Church, VA | 22042-5101

Some documents are presented in Portable Document Format (PDF). A PDF reader is required for viewing: Download a PDF Reader or learn more about PDFs.