MedCity Influencers, Devices & Diagnostics

How hospitals can address medical device vulnerabilities

Historically, medical devices weren’t connected, and too often security is still an afterthought for manufacturers. But make no mistake: they are cyber assets, and often riddled with vulnerabilities and recalls.

Hospitals rely heavily on medical devices and Internet of Medical Things (IoMT) devices to deliver high-quality patient care and improve outcomes. With an average of 10-15 medical devices per bed in a U.S. hospital, a 1,000-bed hospital could have up to 15,000 medical devices to manage. Unfortunately, with the proliferation of medical devices and IoMT comes an ever-increasing attack surface.

Cyberattacks on medical devices can lead to misdiagnosis or missed treatments, resulting in serious injury, or loss of life, as well as significant loss of business and reputational damage. Since these assets are critical to their mission, healthcare organizations must work diligently to secure them.

Cybersecurity challenges 

Medical device and IoMT vulnerabilities strike fear in clinicians, biomedical engineers, CISOs and network security administrators alike, for good reason. Securing these assets poses many challenges.

  • Clinical networks are not the same. IoMT and medical devices are difficult to manage because they’re “headless” — that is, a security agent can’t be installed on them to monitor and enforce compliance. Many of these devices are sensitive to active probing and scanning, which can cause business disruption or, worse, harm the assets. Moreover, they share information and communicate with diverse endpoints, making them powerful vectors for damage.
  • Separate management from other cyber assets. Medical devices and IoMT are managed separately from other connected devices by clinicians and bioengineers whose primary concern is medical safety, including recall tracking. To gather the data needed to update the CMMS, biomed managers still move room by room, floor by floor, carrying clipboards and counting. As a result, security teams have a fragmented view into their digital landscape, marred with blind spots and risks.
  • Supply chain vulnerabilities and third-party maintenance. Not only are medical devices and IoMT not managed by IT; often they’re not managed within the health system. Typically, FDA-regulated medical devices must be maintained by the manufacturer or a specialized service company. As a result, the hospital’s IT team doesn’t know when such devices have security vulnerabilities, or when a patch will be available (Example – Access:7)
  • Escalating data breaches. The wealth of sensitive personal and financial data managed by hospitals and health systems, coupled with known cybersecurity vulnerabilities, makes the healthcare sector an inviting target for cyberattacks. In the last three years, 93% of healthcare organizations have experienced a data breach, and 57% have had more than five breaches.
  • Underinvestment in cybersecurity Healthcare organizations typically allocate 5% to 6% of their IT budget to cybersecurity versus 11-12% for more mature industries. This makes it harder to recruit skilled talent, who command high pay and want access to the latest technology.

Recommended approach

A complete solution requires continuous, automated discovery, assessment, and governance of ALL cyber assets in your environment, including medical devices and IoMT, without disrupting patient care.

  1. Know what’s on your network. The core issue is fully understanding what’s connected to your network. You can’t protect what you can’t see. Visibility requires discovery, classification and assessment of every asset upon connect, and continuously thereafter. Sensitive, un-agentable devices must be visible and managed.
  2. Design context-aware segmentation policies.  Segmentation limits the attack surface by restricting communications among assets to only what should be communicating with each other and isolating vulnerable devices until they can be patched. This is especially important for legacy devices that are essential to patient care but are no longer supported by the manufacturer. Without segmentation, an attack on one part of the network spreads laterally. The vast majority of threats can be mitigated with proper segmentation, so you don’t have to stress over the next vulnerability and the one after that.
  3. Automate repetitive tasks. Given scarce resources, IT teams lack the ability to assess, in real time, all devices and confirm that each one complies with security policies and regulatory mandates, let alone take appropriate action. Cybersecurity must be managed holistically. With this information it can automatically control network access, enforce asset compliance and coordinate incidence response to minimize propagation and disruption.

The buck stops with the CISO

Medical devices and IoMT are associated with direct patient care. They’re managed within the hospital by clinicians and bioengineers but often maintained externally by the manufacturer. Historically, medical devices weren’t connected, and too often security is still an afterthought for manufacturers. But make no mistake: they are cyber assets, and often riddled with vulnerabilities and recalls.

Among stakeholders, the CISO is responsible for managing risk and compliance for every asset connected to the network: laptops, switches, Zebra printers, badge readers, thermal imaging cameras, pharmacy dispensers, you name it. Including medical devices and IoMT in holistic efforts to secure the digital terrain is the surest way to limit risk and protect patients.

Photo: roshi11, Getty Images


Avatar photo
Avatar photo

Tamer Baker

Tamer Baker is the VP of Global Healthcare at Forescout, where he is responsible for supporting healthcare organizations across the world in boosting their security, privacy and compliance. Tamer holds a BS in Aerospace Engineering from Embry-Riddle Aeronautical University (ERAU Daytona Beach, FL) and has served as an Officer in the United States Air Force.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers. Click here to find out how.

Shares1
Shares1