Back to Top Skip to main content

Army medical device cyber team balances benefits and risks of technology

An Army medic positions a patient for a CT scan, which helps radiologists diagnose different types of disease and injuries. Medical devices, such as radiology imaging systems, must now go through a cybersecurity validation process in order to connect to military networks (U.S. Army photo by Staff Sgt. Evelyn Chavez) An Army medic positions a patient for a CT scan, which helps radiologists diagnose different types of disease and injuries. Medical devices, such as radiology imaging systems, must now go through a cybersecurity validation process in order to connect to military networks (U.S. Army photo by Staff Sgt. Evelyn Chavez)

Recommended Content:


Access to advanced medical care directly supports the readiness of the Army's Warfighters by ensuring troops are fit and healthy on and off the battlefield.

Modern medical devices help the Army provide and sustain essential Soldier support; however, this same technology also poses an inherent risk.

Almost all newer medical devices contain some type of computer technology. If a medical device doesn't connect directly to a network, it is remotely or wirelessly accessible. These factors make medical devices potentially susceptible to intrusion from a hacker.

Experts warn hackers could exploit technology vulnerabilities within medical devices to either harm patients, steal private health care information and data, or gain "back door" entry to the wider DoD network.

At the U.S. Army Medical Materiel Agency, a subordinate organization of the U.S. Army Medical Research and Materiel Command, a team of medical technology experts comprise a cybersecurity cell created in early 2017. This team, part of the Integrated Clinical Systems Program Management Office, focuses on ensuring medical devices used by the military comply with strict DoD cybersecurity standards.

"The frequency and severity of cybersecurity attacks against the medical community will continue to rise until medical device manufacturers make security a top priority," explained USAMMA's Medical Device Cybersecurity Chief Andrew McGraw.

McGraw said that simply not connecting medical devices to the network isn't the best solution. Most modern medical devices, such as computed tomography (CT) scanners, are designed to connect to hospital networks. Network connection allows clinicians to access previous test results or upload images directly to the patient's electronic health records.

To maintain those capabilities, McGraw and his team work to ensure each medical device passes a robust security certification process to reduce the security vulnerabilities of commercially developed medical devices purchased and used by the Army.

"We believe in taking a proactive approach to cybersecurity," said McGraw. "We work with medical device manufacturers to reduce cybersecurity risks, so we can continue to leverage advanced medical technology."

To protect the network, DoD officials enforce strict cyber standards on all information technology. Medical devices, however, are not "information technology," explained McGraw. Rather, they are "medical technology." It is a subtle yet significant difference.

Information technology includes computers and supporting equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services and related resources.

Medical technologies are single purpose systems intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease.

Understanding this difference is important, said McGraw, because Federal Acquisition Regulation 2.1 excludes medical equipment from being classified as information technology. However, often medical technology is still held to the same strict standards as IT.

McGraw said that cybersecurity in health care delivery must be a balancing act. Too strict of a security requirement results in the continued use of antiquated and technologically outdated medical devices. Too lax of a security requirement results in greater risk.

"The requirement to secure the network and patient data needs to be weighed against the medical mission and the ability to provide best in class medical care to the Warfighter," McGraw said.

One process that helps the Army navigate through that balancing act is the Risk Management Framework process. The RMF approach to security control considers effectiveness, efficiency and constraints due to applicable laws, directives, executive orders, policies, standards or regulations.

In 2014, the DoD began adopting RMF as a replacement to the DoD Information Assurance Certification and Accreditation Process. Army networks began getting Authority to Operate (ATO) under RMF in 2016.

By 2017, the Army received ATO under RMF for its first medical device – a portable digital radiography system designed for use on the battlefield.

"This was a huge win for the Army, USAMRMC, and USAMMA," said ICS Project Manager Terri Pryor, who manages the medical device cybersecurity cell. "However, it is not a quick, simple or low-cost process."

Under current policy, RMF is a mandatory process for all medical devices on the DoD network, which includes not only new purchases but also all medical devices already in use. Pryor and others are concerned that the current process could create a significant issue for military medical care – forcing some devices off the network. Additionally, if a device can't pass the process, the Army might have to replace medical devices – which would otherwise be in good working order – before the end of their lifespans, which are typically 10 - 12 years.

"Is cybersecurity of medical devices important? Absolutely. Is there possibly a more streamlined approach to achieve our end goals? We think so," said McGraw.

To that end, USAMMA's medical device cybersecurity cell has been exploring the possibility of a "black box" solution that they believe could greatly reduce the number of security steps they have to take to gain ATO under RMF. The solution they are exploring works through a process called microsegmentation, which would allow an organization to isolate mini-networks within the larger network.

"Traditional security firewalls work like a fence to protect critical assets. But hackers have gotten pretty good at defeating these perimeters," said McGraw. "With microsegmentation, instead of one fence, we would have hundreds or thousands of smaller fences."

McGraw explained that actions such as running vulnerability scans or pushing IT updates on medical devices while they are in use could shut them down and affect patient care. Experts are also concerned that some security patches, designed and tested for DoD computers and not medical technology, could cause medical devices to malfunction.

"We don't just look at this from the perspective of protecting the network because we have to consider the potential impact to patient care," said McGraw. "So, in many ways, we have to protect the network from the device and, at the same time, we have to protect the device from the network."

The "black box" solution is one of many solutions being explored by McGraw and his team, who work closely with network security experts throughout DoD and the Defense Health Agency. While no specific solutions has been agreed upon just yet, the team remains focused on their mission.

McGraw added, "We take great pride in knowing that the work we do helps put life-saving tools into the hands of Soldiers, ultimately saving lives."

Disclaimer: Re-published content may have been edited for length and clarity. Read original post.

You also may be interested in...

Dummies for doctors

Air Force Col. Christine Kress (center) observes use of a medical canine mannequin designed to create training environments that prepare medical professionals for events they may face in the field. (MHS photo)

How technology is preparing the next generation of docs for the battlefield

Recommended Content:


Military to bring eye care to front lines with mobile app

Air Force Lt. Col. Peter Carra, 379th Expeditionary Medical Group optometry officer in charge, performs an eye exam for a Soldier at Camp As Sayliyah, Qatar. (U.S. Air Force photo by Tech. Sgt. Christopher Hubenthal)

Air Force and Army medical researchers are developing a smart phone application to connect providers downrange with on-call ophthalmologists either in-theater or at a clinic

Recommended Content:

Technology | Vision Loss

Airmen perform in-flight Transportation Isolation System training

A C-17 Globemaster III is prepped to transport a Transportation Isolation System during a training exercise that allows Airmen to practice the most effective and safest form of transportation for patients and their medical professionals. Engineered and implemented after the Ebola virus outbreak in 2014, the TIS is an enclosure the Defense Department can use to safely transport patients with highly contagious diseases. (U.S. Air Force photo by Senior Airman Cody Miller)

This mission capability is the only one of its kind in the Department of Defense

Recommended Content:

Health Readiness | Technology

Mobile app aids ‘truly informed’ contraception conversations between patients, providers

A new app provides information about contraception with the goal of helping patients make informed decisions with their providers. The app includes a module to address the unique needs of servicewomen around deployment. (Photo by Sgt. Barry St. Clair)

Decide + Be Ready, an app that provides information on contraception for men and women, is designed to help patients make informed decisions with their providers. The app also includes a module to address the unique needs of service women around deployment and duties.

Recommended Content:

Men's Health | Women's Health | Technology

Gone in a flash: ‘Floaters’ in field of vision can warn of vision issue

Seeing flashes of light or floating debris-like shapes appear in your field of vision should be reason to visit a provider, experts say. These symptoms can indicate retinal issues, which may lead to retinal detachment. (U.S. Air Force photo by Staff Sgt. Perry Aston)

Jane Acton was familiar with vision issues and her quick action after experiencing the onset of retinal detachment was vital in recovering her vision

Recommended Content:

Technology | Vision Loss

Fairchild's 92nd Medical Group celebrates MHS GENESIS 2-year anniversary

A cake celebrating the second year anniversary of Military Health System GENESIS' arrival to Fairchild's 92nd Medical Group at Fairchild Air Force Base, Washington, Feb. 8, 2019. MHS GENESIS is a Department of Defense-wide electronic health record and management system that combines health records from base, civilian and Veteran’s Affairs primary care providers, pharmacies, laboratories and dental clinics into one network. (U.S. Air Force photo/Airman 1st Class Lawrence Sena)

MHS GENESIS is a DoD-wide electronic health record combing records from base, civilian and Veteran’s Affairs primary care providers, pharmacies, laboratories and dental clinics into one network

Recommended Content:

Military Health System Electronic Health Record | MHS GENESIS | Technology

Call for abstracts open for 2019 Military Health System Research Symposium

More than 3,000 people attended the 2018 MHSRS meeting. Attendees participated in a wide range of sessions targeting combat casualty care, military operational medicine including psychological health and resilience, clinical and rehabilitative medicine, medical simulation and health information sciences, and military infectious diseases. (DoD photo)

MHSRS is the DoD’s premier scientific meeting and addresses the unique medical needs of the Warfighter

Recommended Content:

Research and Innovation | Technology | Medical Research and Development | MHSRS 2018

Virtual training platform maintains, improves military surgeon’s skills

Airmen assigned to the 99th Medical Group perform in an orthopedic spine surgery at Nellis Air Force Base, Nevada. (U.S. Air Force photo by Airman 1st Class Andrew D. Sarver)

The DoD’s surgeons are talented and qualified, but it takes experience and time to become proficient

Recommended Content:


Gaining new perspective through vision-correcting surgery

The Warfighter Refractive Eye Surgery Program, available to active duty service members, provides an opportunity to correct vision with ease thanks to advancing technology. (Department of Defense photo by Reese Brown)

Once deemed a disqualifying factor for service, refractive surgery is now available to active duty service members through a Department of Defense approved program

Recommended Content:

Technology | Innovation | Vision Loss

Military Health System, industry allies work together to improve health care technology

Air Force Maj. Gen. Lee Payne, assistant director for combat support at Defense Health Agency, dual-hatted as the Defense Health Agency assistant director for Combat Support and MHS EHR functional champion, and Air Force Col. Thomas Cantilina, chief health informatics officer and EHR deputy functional champion at the DHA, visit the Tiger Institute Jan. 17. (Courtesy photo by University of Missouri Health Care)

Air Force Maj. Gen. Lee Payne visits University of Missouri’s Tiger Institute for Health Innovation

Recommended Content:

Innovation | Secure Messaging | MHS GENESIS | Military Health System Electronic Health Record | Technology | Patient Safety Reporting | Combat Support

Wrap your mind around this

Army Spc. Anne Veiman, 452d Combat Support Hospital, demonstrates the capabilities of the InfraScanner handheld TBI detector on Kuwaiti army Col. Raed Altajalli, assistant director of Kuwait North Military Medical Complex in Al Jahra, Kuwait City, Kuwait. (U.S. Army photo by Sgt. Connie Jones)

This tool would be particularly helpful in a combat environment

Recommended Content:

Technology | Building Partner Capacity and Interoperability

Cyber fitness, awareness key during ‘season of shopping’

Making cyber security a priority while shopping or browsing online can help you protect yourself from more than you bargained for during this ‘season of shopping.’

During a popular time of year for shopping, consumers should be aware of scams or fraudulent activity targeting shoppers and email users, experts say. Taking small steps every day to protect information online can make a big difference in the long-term future.

Recommended Content:

Technology | Secure Messaging

Cyberfit family: Making cybersecurity understandable for all ages

By making cyber fitness a part of daily routines, families can protect their online information and personal well-being.

Protecting the homefront against cybersecurity issues

Recommended Content:


PEO DHMS celebrates National Health IT Week

The Program Executive Office Defense Healthcare Management Systems logo

Leaders and staff from the PEO DHMS shared their stories about why health IT is important

Recommended Content:

Technology | Military Health System Electronic Health Record | Electronic Health Record Modernization & Interoperability

Robotics key to medical Airmen recruitment, retention, readiness

U.S. Air Force Maj. Scott Thallemer (foreground), 81st Surgical Operations Squadron Institute for Defense Robotic Surgical Education program coordinator, Keesler Air Force Base, Miss., and Air Force Maj. Joshua Tyler, InDoRSE program director, provide instruction to students during a robotics surgery training session at Keesler Air Force Base’s clinical research lab. (U.S. Air Fore photo by Kemberly Groue)

Robotics has been the standard for years in the private sector

Recommended Content:

Military Hospitals and Clinics | Technology
<< < 1 2 3 > >> 
Showing results 1 - 15 Page 1 of 3

DHA Address: 7700 Arlington Boulevard | Suite 5101 | Falls Church, VA | 22042-5101

Some documents are presented in Portable Document Format (PDF). A PDF reader is required for viewing. Download a PDF Reader or learn more about PDFs.