Journal:Information technology and medical technology personnel’s perception regarding segmentation of medical devices: A focus group study

From LIMSWiki
Revision as of 19:33, 24 February 2020 by Shawndouglas (talk | contribs) (Saving and adding more.)
Full article title: Information technology and medical technology personnel’s perception regarding segmentation of medical devices: A focus group study
Journal: Healthcare
Author(s): Johansson, David; Jönsson, Patrik; Ivarsson, Bodil; Christiansson, Maria
Author affiliation(s): Edith Cowan University, Embry-Riddle Aeronautical University
Primary contact: Email: david dot a dot johansson at skane dot se
Year published: 2020
Volume and issue: 8(1)
Article #: 23
DOI: 10.3390/healthcare8010023
ISSN: 2227-9032
Distribution license: Creative Commons Attribution 4.0 International
Website: https://www.mdpi.com/2227-9032/8/1/23
Download: https://www.mdpi.com/2227-9032/8/1/23/pdf (PDF)

Abstract

Objective: Segmentation is one way of improving data protection. The aim of this study was to investigate information technology (IT) and medical technology (MT) personnel’s perception in relation to ongoing segmentation of medical devices and IT infrastructure in the healthcare sector.

Methods: Focus group interviews with nine IT and nine MT personnel in a county council in southern Sweden were conducted. The interviews focused on two areas: positive expectations and misgivings. Digital recordings were transcribed verbatim and analyzed using qualitative content analysis.

Results: Responses related to two main areas: information security and implementation of segmentation. Informants stated that network segmentation would increase the overall level of cybersecurity for medical devices, addressing both insider and outsider threats. However, it would also increase the need for administration and the need for knowledge of the communication patterns of medical devices from the manufacturer’s perspective.

Conclusion: IT and MT personnel in a county council in southern Sweden believed that segmentation would increase cybersecurity but also increase administration and resource needs, which are important opinions to take into consideration. The present study can be used as a model for others to increase awareness of opinions of healthcare organizations.

Keywords: cybersecurity, healthcare technology, patient safety, staff attitudes

Introduction

Medical technology (MT) devices—as defined by the European Union's directive on medical devices[1] and information technology (IT) and device developers—serve an increasingly central role in clinical practice, improving patient health, safety, and quality of life. And the number of such medical devices that are connected to a network continues to grow.[2][3][4]

Networked medical devices can also cause substantial harm since they have not historically been designed with a focus on cybersecurity.[5] Errors that underlie device-related injuries are often categorized into three types: manufacturer-related errors, use or design errors, and user errors.[6] It has been said that the weakest link in the process is the user, who must understand how to configure and use medical technology products correctly to achieve a high level of security in computing infrastructure.[7][8]

Cybersecurity is today one of the most important security-related challenges for all countries, but public visibility and awareness of it are still limited, although almost everyone has heard something about it.[9] There is a substantial security risk posed by outsiders identifying potential interactions between the interconnected elements in hospital systems and computing infrastructures, and then taking advantage of poor cybersecurity to steal medical health records, deny access to health services, or use these systems to cause intentional harm.[10][11] For medical devices specifically, it may be possible for hackers to use them to gain access to confidential patient data and to reprogram them to send harmful commands.[12] This could mean, for example, altering blood groups or test results, or taking control of pumps that regulate the administration of potent drugs.[13] Other harmful activities that could be enacted include disrupting the parameter values used in the scanning protocols, tampering with the radiation exposure levels, causing mechanical disruption, and creating denial-of-service attacks.[14]

Other researchers have also investigated the subject of cybersecurity in medical devices and have concluded that there is a relationship between the increase in network connectable medical devices and increased cybersecurity risks.[15] As such, segmenting the network into multiple layers, with security gates such as firewalls in between them, could be an effective way to contain network problems and reduce the impact of a breach in network security.[16][17] This is comparable to dividing a building into fire zones to delay fire spreading, and enabling firefighting in sections rather than in the building as a whole.[18]

Applying the concept of network segmentation to medical devices may reduce the associated risks and prevent intrusion. This entails separating elements such as computers, servers, routers, data, and healthcare personnel into groups, thereby restricting access and better protecting vital services.[19][20] Segmentation of medical devices is described as a good method for ensuring data security and is recommended to be used to whatever extent is feasible.[21] In order to increase understanding of innovations in healthcare organizations, such as segmentation of medical devices, Länsisalmi et al.[22] argue that health innovations should be investigated from the perspectives of stakeholders, in this case IT and MT personnel. Therefore, the aim of this study was to investigate IT and MT personnel’s perception of segmentation of medical devices and IT infrastructure in the healthcare sector.
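The containment effect described above can be made concrete with a small model. This is an added example, not part of the original article; the device names, segments, and allow rules are constructed for illustration. It compares which devices become exposed when one host is compromised on a flat network and on a segmented one with a default-deny firewall between segments.

```python
from collections import deque

# Constructed sample inventory: device name -> network segment (all hypothetical).
DEVICES = {
    "office-pc": "office",
    "ehr-server": "servers",
    "patient-monitor": "monitoring",
    "monitor-central": "monitoring",
    "ct-scanner": "imaging",
    "pacs-archive": "imaging",
    "lab-analyzer": "laboratory",
}

# Constructed firewall allowlist between segments as (source, destination).
# Anything not listed is denied; traffic inside a segment is not filtered.
ALLOWED = {
    ("office", "servers"),
    ("monitoring", "servers"),
    ("imaging", "servers"),
    ("laboratory", "servers"),
}


def can_connect(src, dst, segmented):
    """Return True if device src may open a connection to device dst."""
    if not segmented:
        return True  # flat network: every device can reach every other
    s, d = DEVICES[src], DEVICES[dst]
    return s == d or (s, d) in ALLOWED


def blast_radius(start, segmented):
    """Devices exposed if start is compromised, following permitted
    connections hop by hop (breadth-first search)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for other in DEVICES:
            if other not in seen and can_connect(cur, other, segmented):
                seen.add(other)
                queue.append(other)
    return sorted(seen - {start})


if __name__ == "__main__":
    for host in ("office-pc", "patient-monitor"):
        print(host, "flat:", blast_radius(host, False))
        print(host, "segmented:", blast_radius(host, True))
```

In this model the office workstation exposes every device on the flat network but only the server segment once the allowlist is enforced, which is the "fire zone" behaviour the analogy describes.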

Highlights of this study:

  • Medical devices can cause substantial harm.
  • The user of medical devices must understand how to achieve a high level of security.
  • Hackers might be able to reprogram medical devices to send harmful commands.
  • One way to reduce the risk of hackers and prevent intrusion is network segmentation.
  • MT and IT personnel must be positive about and open to the improvement of cybersecurity.

Materials and methods

Design and setting

A qualitative methodology design was employed with focus group sessions in order to gain a deeper insight into the views and experiences of IT segmentation. This descriptive study was conducted at Region Skåne, one of the 21 county councils/regions in Sweden. Region Skåne employs around 34,000 people, mostly in healthcare, and has the main responsibility for public healthcare and medical services in the region.[23] Much of the healthcare is conducted in a high-tech environment, which includes devices such as patient monitoring equipment, medical imaging systems, and laboratory instrumentation. A number of cybersecurity-related incidents prompted a decision to implement network segmentation for all devices in Region Skåne. The study was performed during the ongoing implementation of the network segmentation of medical devices.

Informants

Informants were strategically recruited from IT and MT personnel based on their experience working with medical devices such as patient monitoring equipment, medical imaging systems, and laboratory instrumentation in Region Skåne to ensure maximal variation in socio-demographic data and service positions.[24] The following variables were taken into account to ensure a broad selection: age, time in the profession, and competence in (1) segmentation, (2) MT device systems, (3) firewall-based traffic filtering, and (4) IT security.

Ethics

The study conformed to the principles outlined in the Declaration of Helsinki, and according to Swedish legislation (SFS 2003:460) no ethical approval was required as the study did not involve patients. The project was approved by the directors of the participating departments. All informants were informed of the aims and procedures of the study through a short written presentation included in an email invitation. Informed consent was considered implied when informants signed up voluntarily for the focus group interviews. The data processing was carried out in accordance with the General Data Protection Regulation (GDPR).

Data collection

Three mixed MT and IT focus group interviews[25] were held with five to eight informants in each group and included a total of 18 informants (nine MT personnel and nine IT personnel; see Table 1 for demographic and other characteristics). Interviews were conducted in a conference room and took about 90 minutes each. The discussions were digitally recorded (with the informants’ consent) and independently transcribed by a trusted agency.

Table 1. Demographic data and other characteristics

Gender                                                      # of informants
  Women                                                     3
  Men                                                       15

Statistical measure of age                                  Result
  Mean ± standard deviation                                 52 ± 10
  Median (range)                                            51 (33–67)

Statistical measure of years of professional experience    Result
  Mean ± standard deviation                                 18 ± 12
  Median (range)                                            17 (2–40)

Highest level of education                                  # of informants
  High school (n)                                           3
  University (n)                                            15


References

  1. European Commission (14 June 1993). "Council Directive 93/42/EEC of 14 June 1993 concerning medical devices". EUR-Lex. https://eur-lex.europa.eu/eli/dir/1993/42/2007-10-11. Retrieved 20 January 2020. 
  2. Abernethy, A.P.; Wheeler, J.L.; Bull, J. (2011). "Development of a health information technology-based data system in community-based hospice and palliative care". American Journal of Preventative Medicine 40 (5 Suppl. 2): S217–24. doi:10.1016/j.amepre.2011.01.012. PMID 21521597. 
  3. McCaffery, F.; Burton, J.; Richardson, I. (2010). "Risk management capability model for the development of medical device software". Software Quality Journal 18: 18. doi:10.1007/s11219-009-9086-7. 
  4. Tulasidas, S.; Mackay, R.; Craw, P. et al. (2013). "Process of Designing Robust, Dependable, Safe and Secure Software for Medical Devices: Point of Care Testing Device as a Case Study". Journal of Software Engineering and Applications 6 (9A): 1–13. doi:10.4236/jsea.2013.69A001. 
  5. Arney, D.; Venkatasubramanian, K.K.; Sokolsky, O.; Lee, I. (2011). "Biomedical devices and systems security". Conference Proceedings of the IEEE Engineering in Medicine and Biology Society 2011: 2376-9. doi:10.1109/IEMBS.2011.6090663. PMID 22254819. 
  6. Jha, A.K.; Prasopa-Plaizier, N.; Larizgoitia, I. et al. (2010). "Patient safety research: an overview of the global evidence". Quality and Safety in Health Care 19 (1): 42–7. doi:10.1136/qshc.2008.029165. PMID 20172882. 
  7. Ivarsson, B.; Wiinberg, S.; Svensson, M. et al. (2016). "Information and/or medical technology staff experience with regulations for medical information systems and medical devices". Health Policy and Technology 5 (4): 383–88. doi:10.1016/j.hlpt.2016.07.008. 
  8. Nurse, J.R.C.; Buckley, O.; Legg, P.A. et al. (2014). "Understanding Insider Threat: A Framework for Characterising Attacks". 2014 IEEE Security and Privacy Workshops: 214-228. doi:10.1109/SPW.2014.38. 
  9. de Bruijn, H.; Janssen, M. (2017). "Building Cybersecurity Awareness: The need for evidence-based framing strategies". Government Information Quarterly 34 (1): 1–7. doi:10.1016/j.giq.2017.02.007. 
  10. Fischbacher-Smith, D.; Fischbacher-Smith, M. (2013). "The Vulnerability of Public Spaces: Challenges for UK hospitals under the ‘new’ terrorist threat". Public Management Review 15 (3): 330–43. doi:10.1080/14719037.2013.769851. 
  11. Coventry, L.; Branley, D. et al. (2018). "Cybersecurity in healthcare: A narrative review of trends, threats and ways forward". Maturitas 113: 48–52. doi:10.1016/j.maturitas.2018.04.008. PMID 29903648. 
  12. Leavitt, N. (2010). "Researchers Fight to Keep Implanted Medical Devices Safe from Hackers". Computer 43 (8): 11–14. doi:10.1109/MC.2010.237. 
  13. Martin, G.; Martin, P.; Hankin, C. et al. (2017). "Cybersecurity and healthcare: How safe are we?". BMJ 358: j3179. doi:10.1136/bmj.j3179. 
  14. Mahler, T.; Nissim, N.; Shalom, E. et al. "Know Your Enemy: Characteristics of Cyber-Attacks on Medical Imaging Devices". arXiv. https://arxiv.org/abs/1801.05583. 
  15. Schwartz, S.; Ross, A.; Carmody, S. et al. (2018). "The Evolving State of Medical Device Cybersecurity". Biomedical Instrumentation and Technology 52 (2): 103-111. doi:10.2345/0899-8205-52.2.103. PMID 29558182. 
  16. Reichenberg, N. (20 March 2014). "Improving Security via Proper Network Segmentation". Security Week. https://www.securityweek.com/improving-security-proper-network-segmentation. Retrieved 20 January 2020. 
  17. Hagland, M. (26 February 2018). "A New Era in Network Segmentation?". Healthcare Innovation. https://www.hcinnovationgroup.com/cybersecurity/article/13029865/a-new-era-in-network-segmentation. Retrieved 20 January 2020. 
  18. Hiemstra, H. (2016). "Influence of Building Structure and Building Content on Residential Fires". Master's Thesis. Lund University. https://lup.lub.lu.se/student-papers/search/publication/8876361. 
  19. Genge, B.; Graur, F.; Haller, P. (2015). "Experimental assessment of network design approaches for protecting industrial control systems". International Journal of Critical Infrastructure Protection 11: 24–38. doi:10.1016/j.ijcip.2015.07.005. 
  20. Sittig, D.F.; Singh, H. (2016). "A Socio-Technical Approach to Preventing, Mitigating, and Recovering from Ransomware Attacks". Applied Clinical Informatics 7 (2): 624–32. doi:10.4338/ACI-2016-04-SOA-0064. PMC PMC4941865. PMID 27437066. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4941865. 
  21. Todinov, M. (2015). "Reducing Risk through Segmentation, Permutations, Time and Space Exposure, Inverse States, and Separation". International Journal of Risk and Contingency Management 4 (3): 1–21. doi:10.4018/IJRCM.2015070101. 
  22. Länsisalmi, H.; Kivimäki, M.; Aalto, P.; Ruoranen, R. (2006). "Innovation in healthcare: A systematic review of recent research". Nursing Science Quarterly 19 (1): 66–72. doi:10.1177/0894318405284129. PMID 16407603. 
  23. Anell, A.; Glenngård, A.H.; Merkur, S. (2012). "Sweden health system review". Health Systems in Transition 14 (5): 1–159. PMID 22894859. 
  24. Fridlund, B. (1998). "Qualitative methods in healthcare research: Some issues related to utilisation and scrutiny". Care of the Critically Ill 14 (6): 212–14. http://urn.kb.se/resolve?urn=urn:nbn:se:hj:diva-12022. 

Notes

This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added.