As our world is increasingly more security aware the issue of cybersecurity is front and center. The private medical device and integrated delivery network should learn from both the Department of Defense and the Veterans Healthcare System. For example it was one very astute VA nurse from Kansas years ago that while visiting a car rental facility thought that maybe the bar code scanner could have applicability in a healthcare center. Her observations and work resulted in the first BCMA (bar code medication administration) application rolled out first in a VA healthcare setting. This then led to the integration of wireless technology in infusion pumps and now the result are the “smart infusion pumps”. No doubt this has saved a lot of lives by ensuring the right medication got to the right person and well as the correct dose. A lot of innovation in the military has direct applicability to the private sector.
So what is FIPS what does this mean for wireless security in medical devices?
The Federal Information Processing Standard 140-2 (RPS 140-2) is a security standard developed by the National Institutes of Standards and Technology (NIST) for testing and validating the cryptographic capabilities of systems used with government networks in the United States and Canada. FIPS validation demonstrates that the cryptographic module built into the system can help maintain the confidentiality and integrity of the electronic data.
How do you obtain FIPS?
Receiving FIPS validation is not an easy process. There are several phases a company must accomplish.
- Phase I is initiated by the manufacturer, of which includes the preparation or the updating of the design of the product and documenting those changes to meet FIPS requirements.
- Phase II is independent laboratory testing to verify the manufacturer claims
- Phase III consists of the test results being reviewed by the Cryptographic Module Validation Program (CMVP), a governmental agency that reviews all test reports for compliance. Once it is determined that the product is in compliance, the product is validated
What is the value of FIPS for a wireless medical device?
The standard for wireless security today is WPA2 enterprise. FIPS 140-2 is a United States government security standard developed for Federal facilities. It is provides the highest level of wireless security beyond standard IEEE 802.11 or commercially available enterprise solutions.
DIACAP and RMF and the management of risk
The Department of Defense (DoD) information Assurance Certification and Accreditation Process (DIACAP) is a process by which information systems are certified for compliance with DoD security requirements and accredited for operation on the DoD network to ensure security and protection of sensitive information.
How do you obtain DIACAPP Accreditation?
This is an extremely complex process and consists of five major steps.
1. Initiating and planning Information Assurance (IA) certification and accreditation.
2. Implementing and validating IA controls.
3. Making of the certification determination and accreditation decision
4. Maintaining the authorization to operate and conduct reviews.
5. Decommissioning the system
DIACAPP has already started to be replaced by (RMF), Risk Management Framework of which will be applied to federal facilities. Once the transition to RMF is made, it will also apply to all Military Treatment Facilities (MTFs), and all hospitals in the Department of Veteran Affairs (VA), through the reciprocity provisions of RMF.
Medical Device Isolation Architecture (MDIA) Guidance
This defines the basic design and common sense architecture for securing networked medical devices. From a basic networking perspective it puts forward criteria such as limiting TCP/UDP inbound and outbound ports, the creation of VLANs for each medical device service protected by a MDIA Access Control List (ACL), and in the case of 802.11 additional separation by ESSIDs.