
Army medical device cyber team balances benefits and risks of technology

An Army medic positions a patient for a CT scan, which helps radiologists diagnose different types of disease and injuries. Medical devices, such as radiology imaging systems, must now go through a cybersecurity validation process in order to connect to military networks. (U.S. Army photo by Staff Sgt. Evelyn Chavez)


Access to advanced medical care directly supports the readiness of the Army's Warfighters by ensuring troops are fit and healthy on and off the battlefield.

Modern medical devices help the Army provide and sustain essential Soldier support; however, this same technology also poses an inherent risk.

Almost all newer medical devices contain some type of computer technology. Even if a medical device does not connect directly to a network, it is still remotely or wirelessly accessible. These factors make medical devices potentially susceptible to intrusion by a hacker.

Experts warn that hackers could exploit technology vulnerabilities within medical devices to harm patients, steal private health care information and data, or gain "back door" entry to the wider DoD network.

At the U.S. Army Medical Materiel Agency (USAMMA), a subordinate organization of the U.S. Army Medical Research and Materiel Command (USAMRMC), a team of medical technology experts makes up a cybersecurity cell created in early 2017. This team, part of the Integrated Clinical Systems (ICS) Program Management Office, focuses on ensuring that medical devices used by the military comply with strict DoD cybersecurity standards.

"The frequency and severity of cybersecurity attacks against the medical community will continue to rise until medical device manufacturers make security a top priority," explained USAMMA's Medical Device Cybersecurity Chief Andrew McGraw.

McGraw said that simply not connecting medical devices to the network isn't the best solution. Most modern medical devices, such as computed tomography (CT) scanners, are designed to connect to hospital networks. Network connection allows clinicians to access previous test results or upload images directly to the patient's electronic health records.

To maintain those capabilities, McGraw and his team work to ensure each medical device passes a robust security certification process to reduce the security vulnerabilities of commercially developed medical devices purchased and used by the Army.

"We believe in taking a proactive approach to cybersecurity," said McGraw. "We work with medical device manufacturers to reduce cybersecurity risks, so we can continue to leverage advanced medical technology."

To protect the network, DoD officials enforce strict cyber standards on all information technology. Medical devices, however, are not "information technology," explained McGraw. Rather, they are "medical technology." It is a subtle yet significant difference.

Information technology includes computers and supporting equipment designed to be controlled by the central processing unit of a computer; software; firmware and similar procedures; services; and related resources.

Medical technologies are single-purpose systems intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease.

Understanding this difference is important, said McGraw, because Federal Acquisition Regulation 2.1 excludes medical equipment from being classified as information technology. However, medical technology is often still held to the same strict standards as IT.

McGraw said that cybersecurity in health care delivery must be a balancing act. Too strict a security requirement results in the continued use of antiquated and technologically outdated medical devices. Too lax a security requirement results in greater risk.

"The requirement to secure the network and patient data needs to be weighed against the medical mission and the ability to provide best in class medical care to the Warfighter," McGraw said.

One process that helps the Army navigate that balancing act is the Risk Management Framework (RMF) process. The RMF approach to selecting security controls considers effectiveness, efficiency and constraints due to applicable laws, directives, executive orders, policies, standards or regulations.

In 2014, the DoD began adopting RMF as a replacement for the DoD Information Assurance Certification and Accreditation Process. Army networks began receiving Authority to Operate (ATO) under RMF in 2016.

By 2017, the Army received ATO under RMF for its first medical device – a portable digital radiography system designed for use on the battlefield.

"This was a huge win for the Army, USAMRMC, and USAMMA," said ICS Project Manager Terri Pryor, who manages the medical device cybersecurity cell. "However, it is not a quick, simple or low-cost process."

Under current policy, RMF is a mandatory process for all medical devices on the DoD network, which includes not only new purchases but also all medical devices already in use. Pryor and others are concerned that the current process could create a significant issue for military medical care by forcing some devices off the network. Additionally, if a device can't pass the process, the Army might have to replace medical devices that would otherwise be in good working order before the end of their lifespans, which are typically 10 to 12 years.

"Is cybersecurity of medical devices important? Absolutely. Is there possibly a more streamlined approach to achieve our end goals? We think so," said McGraw.

To that end, USAMMA's medical device cybersecurity cell has been exploring the possibility of a "black box" solution that they believe could greatly reduce the number of security steps they have to take to gain ATO under RMF. The solution they are exploring works through a process called microsegmentation, which would allow an organization to isolate mini-networks within the larger network.

"Traditional security firewalls work like a fence to protect critical assets. But hackers have gotten pretty good at defeating these perimeters," said McGraw. "With microsegmentation, instead of one fence, we would have hundreds or thousands of smaller fences."

McGraw explained that actions such as running vulnerability scans or pushing IT updates on medical devices while they are in use could shut them down and affect patient care. Experts are also concerned that some security patches, designed and tested for DoD computers and not medical technology, could cause medical devices to malfunction.

"We don't just look at this from the perspective of protecting the network because we have to consider the potential impact to patient care," said McGraw. "So, in many ways, we have to protect the network from the device and, at the same time, we have to protect the device from the network."

The "black box" solution is one of many solutions being explored by McGraw and his team, who work closely with network security experts throughout DoD and the Defense Health Agency. While no specific solution has been agreed upon just yet, the team remains focused on its mission.

McGraw added, "We take great pride in knowing that the work we do helps put life-saving tools into the hands of Soldiers, ultimately saving lives."

Disclaimer: Re-published content may have been edited for length and clarity.

You also may be interested in...

DHA IPM 18-018: Physical Custody and Control of the DoD Health Record

Policy

This Defense Health Agency-Interim Procedures Memorandum (DHA-IPM), based on the authority of References (a) and (b), and in accordance with the guidance of References (c) through (p):
  • Establishes the Defense Health Agency's (DHA) procedures for the physical custody and control of DoD Health Records at all DoD Military Treatment Facilities (MTFs) and the management, monitoring, review, and evaluation of DoD Health Record availability at MTFs.
  • This DHA-IPM is effective immediately and will expire effective 12 months from the date of issue. It must be incorporated into the forthcoming DHA-Procedural Instruction, "Health Records Management".

DHA IPM 18-017: Military Health System (MHS) Information Technology (IT) Investment Management Framework

Policy

This Defense Health Agency-Interim Procedures Memorandum (DHA-IPM), based on the authority of References (a) through (c), and in accordance with the guidance of References (d) through (v), establishes Defense Health Agency's (DHA) procedures to:
  • Establish the overarching guidance to implement policies and procedures for managing DHA Deputy Assistant Director, Information Operations (DAD IO)/J-6 Defense Health Program (DHP) IT resources. The DHA Investment Management Framework is used as an enabler for MHS leadership to make informed, transparent financial decisions associated with the DHA DAD IO/J-6 systems, services, and capabilities and will continue to be used in the foreseeable future.
  • Provide full and total awareness of all IT across the enterprise, ensuring all MHS healthcare-related IT investments are accounted for and integrated both operationally and financially. This includes all IT systems, applications, and devices and all their funding identified to manage a coherent and integrated healthcare capability across the enterprise.
  • Provide and supersede guidance and instructions previously provided through the Services. As Military Medical Treatment Facilities (MTFs) transition to DHA management and responsibility, procedures in this DHA-IPM will supersede IT systems guidance and instructions previously provided through the Services, including IT systems in all MTFs, clinics, and enterprise services provided to Other Lines-of-Business (OLB), such as training and research. In addition, it supports a coherent and comprehensive catalog of IT capability investments encompassing all IT used to support the MHS mission.
  • Require that all funding sources, type and Budget Activity Group (BAG), purchasing or supporting any IT must be identified for inclusion in the DHA portfolio of IT capability investments.
  • Provide superseding guidance and instruction, through this DHA-IPM until a DHA-Procedural Instruction is issued, previously provided by the Services in References (w) through (ad), for the MTFs as they are transitioned to DHA management and responsibility.
  • This DHA-IPM is effective immediately and it will be converted into a DHA-Procedural Instruction. This DHA-IPM will expire effective 12 months from the date of issue.

  • Identification #: 18-017
  • Date: 11/6/2018
  • Type: DHA Interim Procedures Memorandum
  • Topics: Technology

DHA IPM 18-016: Medical Coding of the DoD Health Records

Policy

This Defense Health Agency-Interim Procedures Memorandum (DHA-IPM), based on the authority of References (a) and (b), and in accordance with the guidance of References (c) through (s):
  • Establishes the Defense Health Agency's (DHA) procedures for centralized oversight, standardized operations, and ensured quality and performance for the coding of DoD Health Records.
  • This DHA-IPM is effective immediately; it will be converted into a DHA-Procedural Instruction. This DHA-IPM will expire 12 months from the date of issue.

DHA IPM 18-015: Cybersecurity Program Management

Policy

This Defense Health Agency-Interim Procedures Memorandum (DHA-IPM), based on the authority of References (a) through (c), and in accordance with the requirements of References (d) through (y):
  • Establishes the Defense Health Agency's (DHA) procedures to implement and maintain a DHA Cybersecurity Program for the Military Health System (MHS) to protect and defend DHA information and Information Technology (IT).
  • Is effective immediately; it will be converted into DHA-Procedural Instruction (DHA-PI), "Cybersecurity Program Management." This DHA-IPM will expire effective 12 months from the date of issue.

  • Identification #: 18-015
  • Date: 10/17/2018
  • Type: DHA Interim Procedures Memorandum
  • Topics: Technology

DHA IPM 18-013: Risk Management Framework (RMF)

Policy

This Defense Health Agency-Interim Procedures Memorandum (DHA-IPM), based on the authority of References (a) through (c), and in accordance with the guidance of References (d) through (ac):
  • Incorporates cybersecurity strategy, policy, awareness/training, assessment, continuous monitoring, authorization, implementation, and remediation.
  • Aligns with the Deputy Assistant Director, Information Operations (DAD IO) J-6/Chief Information Officer's (CIO) key concept of increasing cybersecurity of Defense Health Agency's (DHA) Information Technology (IT); therefore, robust risk assessment and management is required.
  • Encompasses lifecycle risk management to determine and manage the residual cybersecurity risk.
  • This DHA-IPM is effective immediately; it will be converted into a DHA-Procedural Instruction. This DHA-IPM will expire effective 12 months from the date of issue.

  • Identification #: 18-013
  • Date: 10/10/2018
  • Type: DHA Interim Procedures Memorandum
  • Topics: Technology

DHA IPM 18-011: Video Network Center (VNC) Endpoint Standards

Policy

This Defense Health Agency-Interim Procedures Memorandum (DHA-IPM), based on the authority of References (a) through (c), and in accordance with the guidance of References (d) through (g):
  • Provides guidance for video network endpoint standards required for sites to connect to the Defense Health Agency (DHA) VNC network. These standards will help ensure security compliance, efficiency, and best practices are maintained across the DHA network. Meeting certification requirements brings many benefits, including: increased assurances of a successful video teleconference (VTC) experience, full access to bridge and point-to-point calls, and access to peer video networks, including the Department of Veterans Affairs, academia, and industry partners. Compliance with stated standards does not preclude users connecting to other DoD approved networks.
  • This DHA-IPM is effective immediately; it will be converted into a DHA-Procedural Instruction. This DHA-IPM will expire effective 12 months from the date of issue.

  • Identification #: 18-011
  • Date: 9/27/2018
  • Type: DHA Interim Procedures Memorandum
  • Topics: Technology

DHA IPM 18-007: Service Delivery Management Program

Policy

This Defense Health Agency-Interim Procedures Memorandum (DHA-IPM), based on the authority of References (a) and (b), and in accordance with the guidance of References (c) through (e):
  • Establishes the Defense Health Agency's (DHA) procedures for implementing and managing high quality information technology (IT) services by the Chief Information Officer (CIO), Deputy Assistant Director Information Operations (DAD IO/J-6), Military Health System (MHS). The DHA Service Delivery Management program provides customers requesting IT services from the DAD IO/J-6 or Defense Information Systems Agency service catalogs with an on-demand, automated system that provides a single-entry point to submit service requests. The automated system enables DAD IO/J-6 to align business needs and use repeatable and scalable processes to holistically track, manage, and report on customer-submitted requests for IT services from submission to fulfillment.
  • Is binding on DoD Components and supports the Director's, DHA, responsibility to develop appropriate management models to maximize efficiencies in the activities carried out by the DHA.
  • This DHA-IPM is effective immediately; it will be converted into a DHA-Procedural Instruction (DHA-PI). This DHA-IPM will expire effective 12 months from the date of issue.

  • Identification #: 18-007
  • Date: 9/19/2018
  • Type: DHA Interim Procedures Memorandum
  • Topics: Technology

DHA PI 8140.01: Acceptable Use of Defense Health Agency Information Technology (IT)

Policy

This Defense Health Agency-Procedural Instruction (DHA-PI), based on the authority of References (a) and (b), and in accordance with the guidance of References (c) through (m), establishes the Defense Health Agency’s (DHA) procedures for acceptable use of DHA IT by authorized and privileged users.

  • Identification #: DHA PI 8140.01
  • Date: 8/14/2018
  • Type: DHA Procedural Instruction
  • Topics: Technology

Waiver of Restrictive Licensure and Privileging Procedures to Facilitate the Expansion of Telemedicine Services in the Military Health System 12-010

Policy

In order to facilitate the expansion of telemedicine services in the Military Health System, this memorandum waives selective provisions of Department of Defense 6025.13-R, "Clinical Quality Assurance in the Military Health System," June 11, 2004. This waiver is conditioned on the specific provisions of this memorandum, and shall remain in effect, unless modified or revoked, until the cancellation and reissuance of DoD 6025.13-R, or the issuance of a Department of Defense Instruction for or including telemedicine.

MHS Enterprise Architecture Signed Memo and Guide 20120730

Policy

Announcement of the release of the Military Health System (MHS) Enterprise Architecture (EA) Guide. The guide supports the MHS CIO’s responsibilities for development and maintenance of EA, which complies with the Department of Defense’s responsibilities under the Clinger-Cohen Act of 1996, Public Law 104-106.

  • Identification #: 00-memo-2012-07-30
  • Date: 7/30/2012
  • Type: Memorandums
  • Topics: Technology

Guidance on the Establishment of a Human Cell, Tissue, and Cellular and Tissue Based Products Program

Policy

This memorandum requests the Services resource a Human Cell, Tissue, and Cellular and Tissue Based Products (HCT/Ps) Program that complies with regulatory standards for management and oversight of HCT/Ps, according to the best fit for their Service.

Standard Enterprise Architecture Requirements for Acquiring Information Management/Information Technology Products and Services

Policy

The Military Health System (MHS) Information Management/Information Technology (IM/IT) Strategic Plan established enterprise-wide interoperability and common architecture goals for MHS IM/IT products and services that promote agility and interoperability within MHS and externally with Federal and industry partners.

  • Identification #: 00-memo-2012-06-19
  • Date: 6/19/2012
  • Type: Memorandums
  • Topics: Technology

MHS Cloud First Adoption Directive and Policy Guidance Signed Memo and Attachment

Policy

The National Defense Authorization Act for Fiscal Year (FY) 2012 mandates that the Department of Defense (DoD) and its agencies develop a strategy to migrate to using cloud computing services. Against this backdrop, DoD released an IT Enterprise Strategy and Roadmap plan in September 2011, developed by the DoD CIO, Teri Takai. This memorandum is consistent with Federal and DoD strategies, directives, and plans as they relate to implementation of a Military Health System (MHS) Cloud First policy aligning with the MHS mission.

  • Identification #: 00-memo-2012-05-22
  • Date: 5/22/2012
  • Type: Memorandums
  • Topics: Technology