Managing medical device security risk: It takes a village

In an ideal situation, all three parties - clinical engineering, IT, and the vendor - need to use their expertise to work together and assist the healthcare organization when vulnerabilities are discovered that could affect patient safety.

This year, there will be an estimated 14.2 billion connected devices used in hospitals and healthcare provider offices across the country. This includes a large amount of legacy medical equipment, which typically requires frequent operational updates and is more vulnerable to security threats.

Even with an increasing number of network-connected medical devices, many hospitals are still operating without a coordinated medical device security management plan, creating compliance and security gaps as devices go missing or become overdue for patch management and periodic maintenance.

These devices are essential for patient care delivery. However, because they are highly susceptible to technical exploits and are often covered by a weak security management plan, hospital operations and patient safety are at an increasingly high level of risk.

What makes managing medical devices unique?
Due to the distinctive clinical nature of most medical devices, there are several challenges involved in the identification, evaluation, and eventual remediation of these devices. While medical devices come with a “one size does not fit all” disclaimer, they generally share the same features as other devices connected to an organization’s network, including:

  • A potentially vulnerable operating system
  • ePHI transmitted across the network to multiple other devices
  • Wired and wireless technology capabilities
  • Internet access availability

However, it is important to understand that there are also some unique differences between medical devices and other hosts on the internal network:

  • There are usually no protections installed, such as anti-virus or endpoint encryption, and many medical devices do not have the capability for third-party software installation.
  • There are typically no procedures to patch security vulnerabilities, or those procedures are inconsistent in process and application. Often, the original equipment manufacturer’s (OEM) approval is required prior to the installation of security patches.
  • These devices are often connected directly to patients and can put patient care at risk.
  • The devices’ operating systems tend to be older than current supported operating systems.
  • Upgrading or patching the devices could render them inoperable, placing patient care (and data) at risk.

In fact, according to a new cybersecurity report, 70 percent of devices in healthcare organizations will be running unsupported Windows operating systems by January 2020. But among the medical device vendor, clinical engineering (CE), and IT departments, a collaboration challenge remains regarding their roles in medical device security. Information security teams are at a disadvantage, since an organization’s customary vulnerability scanning process can’t be performed for medical devices the way it is done for traditional IT systems.

A medical device may not require access to the organization’s network except when it is being used for direct patient care, and active vulnerability scans present the risk of causing a device to malfunction and cause patient harm. Luckily, a vulnerability management solution that uses passive scanning to discover connected medical devices on the network won’t present this same risk. Any information collected from medical devices connected to the network can be used to continuously identify threat and vulnerability data, including recommendations for remediating vulnerabilities and threats.

However, once a vulnerability has been discovered in a medical device, who is responsible for implementing and overseeing the remediation activities associated with these vulnerabilities? In an ideal situation, all three parties (CE, IT, and the vendor) would use their expertise to work together to address any issue that may arise and assist the healthcare organization in determining what the clinical workflow impact may be if equipment downtime is required, should an update or patch be available.

Adopting Flexible Defenses and Scalable Solutions

Near the end of 2018, CHIME released a benchmarking report, “Medical Device Security 2018,” with nearly all respondents citing patient safety as their top concern associated with unsecured medical devices. However, organizations that responded with confidence about their medical device security program cited solid security policies and procedures as the leading reason for the confidence, followed by strong technology. The emergence of new threats and vulnerabilities as well as the development of new technologies require an organization to adopt flexible and scalable defenses as well as solutions that can be tailored to meet these rapidly changing conditions.

Part of this solution includes the use of standardized compensating controls for medical device risks that cannot be remediated. Compensating controls provide protection for a medical device such that it is not necessary for the original security control to be implemented within the device itself. Healthcare providers should develop key criteria for determining acceptable levels of risk for medical devices as well as compensating controls as an effective security measure for devices with high levels of risk.

Unfortunately, because security controls are rarely incorporated into the design and functionality of medical devices, managing security risks at the network level is, most of the time, the next best option. Organizations should carefully consider their current network structure and how network segmentation, firewalls, access controls, and network monitoring solutions can be used as compensating controls for medical device risk mitigation.

Another concern for successful medical device security management is the ability of an organization to continuously assess and evaluate how connected medical devices currently impact the environment of care, how that impact could be affected by a security threat or vulnerability, and any security controls currently in place or applicable for risk mitigation purposes.

While the Office for Civil Rights (OCR) recommends an organization’s security risk assessment should be conducted thoroughly for all potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the healthcare organization, less than 50 percent of respondents in the 2019 HIMSS Cybersecurity Survey indicated that their organization conducts medical device security risk assessments. While these findings are a notable increase over the 2018 survey results, where just 32 percent of respondents reported the same, more and more medical devices are entering the healthcare market and transmitting ePHI.

Ultimately, medical device security risks that impact patient safety aren’t a novel concept. In fact, between 1985 and 1987, a computer-controlled radiation therapy machine called the Therac-25 was involved in at least six incidents in which patients were given massive overdoses of radiation. Due to concurrent programming errors in the equipment software, the device periodically gave its patients radiation doses that were hundreds of times greater than normal, resulting in death or serious injury. These incidents highlighted the dangers of software control of safety-critical systems.

Fast forward to 30 years later, and as an industry, we have learned how to manage these security risks, leveraging the resources and expertise accessible to us through our ordinary, everyday operational security processes. However, the healthcare industry as a whole must continue to pressure medical equipment manufacturers to enhance inherent security features within the design of new medical devices and to provide continuous support for technical vulnerabilities in order to stop the bleeding when it comes to medical device security impacting patient safety.

Cory Blacketer

Cory Blacketer is an Information Security Consultant for CynergisTek, Inc., who assists clients in performing risk assessments specific to biomedical devices and mitigating the security risks posed by these devices. While entering the healthcare industry working in the clinical engineering field, Cory has held clinical engineering and information security operations roles with Ascension Health prior to CynergisTek. The unique experience of operating in environments has allowed her to better understand the distinct qualities between the two functions and how to efficiently develop a medical device security program incorporating both functions in a collaborative and manner.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.