Choosing the Right Strategy for Secure, Reliable Wireless Healthcare


By Areg Alimian, Senior Director, Solutions Marketing, Ixia

Primum non nocere, or ‘First, do no harm’, is the guiding principle of modern healthcare. And advances in wireless connectivity are helping to deliver better care for patients, and more efficient working for clinicians and staff within hospitals. More medical devices and applications are attached to hospital-wide Wi-Fi networks to automate updates of electronic health records and clinical information systems. Medical device connectivity is used to remotely monitor and manage patient care, from medication administration via wireless infusion pumps, to collecting patients’ vital signs via wireless blood pressure sensors and EKGs.

In fact, a recent report on the medical device connectivity market [1] states that various hospitals that have implemented CPOE (Computerised Physician Order Entry) systems have demonstrated a 20% decrease in hospital-wide mortality rates.

However, while relying on technology to improve care delivery is a critical strategy for hospitals, it also places a priority on medical device security, as well as network security, uptime and performance. We recently saw how hospital chains in the US and Europe were targeted by ransomware campaigns, taking critical systems and applications offline, postponing operations and forcing medical staff to revert to handwritten notes and patient records. And as Wi-Fi becomes the primary communication medium for connected mobile devices, a disruption in network communications or poor device reliability could lead to misdiagnosis of symptoms, or even loss of life, creating potential liabilities for healthcare facilities and caregivers.

Connected medical devices need secure and reliable connectivity with various applications. They have to co-exist in an increasingly dense wireless ecosystem of healthcare workers’ own devices (BYOD) such as tablets, smartphones and laptops, along with the facility’s own network-connected equipment. That equipment ranges from diagnostic systems like X-rays, CT scanners and MRIs to mobile workstations, infusion pumps, patient monitors and smart beds, which are growing in use and have become a large part of an enterprise healthcare network.

This hyperconnected hospital environment is creating new and escalating security concerns. Such concerns are increasingly justified, as it can be embarrassingly easy to hack these devices, which are often protected only by a simple password. The most vulnerable devices include those directly connected to patients and wireless networks, such as drug infusion pumps, which could be hacked to deliver a lethal dose, and pacemakers. In response, the FDA has issued draft guidance on managing cybersecurity for medical devices, making cybersecurity a regulatory consideration for device manufacturers and healthcare organisations.

But security considerations go wider than just the device itself: it’s also critical to evaluate the security of the wider enterprise networks used within the hospital or care setting. The design and implementation of the technical architecture, following best practices for continuous test and validation – from initial network design to live operation – are essential to ensuring that connected devices and mission-critical applications work reliably, quickly and securely. Healthcare enterprises leveraging such well-defined testing best practices and methodologies can lower costs, minimise risk, and establish a competitive advantage.

Testing times for healthcare IT
The wireless healthcare ecosystem is a complex market. While the Wi-Fi Alliance [2] provides standards of interoperability, that is only the first step. Healthcare mobility requirements demand a high degree of secure roaming, while ensuring a persistent connection to core systems. Data sheet specifications might show compliance with standards such as 802.11 [3], but it’s only proprietary manufacturer testing that validates the reliability of roaming in the device.

As such, medical device manufacturers should stress-test their products under enterprise roaming conditions, with the full range of security applications that would be deployed in normal usage. The best way to accomplish this is to conduct proactive testing using an ecosystem-testing model that mirrors the healthcare enterprise. The testing programme for medical client devices should include controlled lab tests, as well as assessment of field performance that is validated in a typical healthcare ecosystem. It should also include a mixed-use environment with data-, voice-, video- and WLAN-enabled medical devices.

In Wi-Fi patient monitoring, it is essential that vital signs and alarms be transmitted with 100% reliability. Validation testing for roaming handoffs from access point to access point, while maintaining the enterprise security connection, is imperative. Continuous testing lifecycles should commence during device or application development, then continue through live deployment. Testing will also be needed for each software and/or firmware update from the WLAN vendor of choice. This is known as optimisation testing, ensuring that the device, application performance, and security have improved or, at a minimum, not changed after updates have been applied. Validating that the medical device application still performs as intended as an FDA-regulated product is critical.

And with ongoing advancements in Wi-Fi technology, any updates to device software and applications also require testing. A continuous testing lifecycle should start during device or application development, then continue through live deployment. A WLAN-enabled medical device has to initially obtain an FDA 510(k) approval, and changes to firmware and software should not affect the device’s performance, reliability or security. So continuous testing ensures that the device or application will still meet approved use requirements after launch.

Testing best practices
Here’s a checklist of testing best practices for the development of healthcare devices that are exposed to a patient and a healthcare facility network.

  • Testing should occur at the earliest point during design to verify that the WLAN or network technology chosen works as promised
  • Up-front testing will serve as the foundation for regulatory submission, and also help to develop the correct deployment guidelines and support requirements in the field
  • Continuous testing must be part of the internal regulatory process. Such validation is also needed throughout the product lifecycle to meet security and quality of service requirements of many life-critical applications

WLAN deployments for healthcare environments should also include a site assessment to measure the performance of multiple client devices and quantify the end-user experience in real-world network environments, including:

  • Measuring the wireless experience from the user or client perspective
  • Creating a live network ecosystem to assess how devices and applications perform and co-exist in real world environments
  • Modeling “what if” scenarios as new users, devices, applications, and technologies are added to the network over time

Healthcare is still on a learning curve for leveraging wireless technology for medical devices. Security and reliability of such devices are a major concern. Following best practices drawn from hospitals that have successfully deployed reliable wireless networks will help to accelerate adoption, and improve the quality of healthcare – while ensuring it does no harm.

[3] Postmarket Management of Cybersecurity in Medical Devices, Draft Guidance for Industry and Food and Drug Administration Staff, January 22, 2016