How to mitigate risks associated with connected medical devices

By Robert Bell /Special to Healthcare Facilities Today
February 4, 2019

Healthcare security leaders face many challenges, but one of the trickiest is cyber-protecting medical devices. Unprotected medical devices lead to more occurrences of data breaches and increase the risk to patient safety. With the growing cyber-threat on hospitals, it isn’t a question of whether or not these devices need better protection, it’s instead a matter of how security teams can successfully plan and execute protection strategies for their medical devices as quickly and effectively as possible.

Building a dedicated layer of defense

To protect the medical device network environment efficiently and safely, security teams must build a dedicated layer of defense that addresses the most urgent cyber-risks. This must be a careful and thoughtful process that adheres to the specific clinical requirements and constraints of the healthcare environment.

We’ve put together a blog series on how security teams in the medical space can work together with clinical engineering to mitigate the many risks associated with connected devices, and where to start.

Key Takeaways

In this three-part series we’ll discuss:

  • Gaining visibility into your connected medical devices and the context of their network behavior.

  • Properly identifying, assessing and scoring the cyber-risks of medical devices on your network.

  • Working with limited resources and still build a solid foundation that will enable effective cyber-risk mitigation strategies.

Part 1

Of the many challenges healthcare security leaders face, medical device cybersecurity is one of the trickiest. Given their inherent vulnerabilities and the potential risk to patient safety, it isn’t a question of whether they need better protection, it’s a question of how to achieve it. Hospitals have always been driven by clinical considerations when acquiring medical devices, and cybersecurity is only just beginning to become part of the procurement decision process. Furthermore, if you try to retrofit traditional IT security on the installed base of medical devices to mitigate their high exposure to threats, you get limited results and even risk interfering with clinical operations.

To protect the connected medical device network environment efficiently and safely, healthcare security teams need to build a dedicated layer of defense that addresses the cyber-risks. This process needs to be handled carefully, paying special attention to the specific clinical requirements and constraints of the healthcare environment.

Building this new cybersecurity layer for medical devices should be treated as a marathon, not a sprint. It is a multi-staged, ongoing process. Even if the resources for this goal are limited, it is important to start early in building a solid foundation that will enable to implement effective risk mitigation strategies in the future.

This blog series provides a framework for mitigating the cyber-risks of connected medical devices by breaking down the process into its essential building blocks.

Medical Device Visibility

Medical devices are seen as black boxes on the network, or not seen as all.

A common situation in healthcare organizations is that the security teams do not have visibility into the connected medical devices. They don’t know how many devices are connected, what types of devices they are, who they’re connected to, and whether their network behavior is normal and expected for these types of devices.

To properly assess and mitigate the risk of medical devices on your network, you first need to be able to see them, understand what their function is, and know how they should be communicating over the network.

Discovery & Classification

Different organizations may have different levels of visibility into their connected medical devices but based on our discussions with healthcare CISOs, this is one of the areas that needs to be improved most urgently.

Security teams need to be able to see all the medical devices connected on their IT network.

Medical devices have traditionally been under the responsibility of clinical engineering, and while organizations are now shifting the responsibility for medical device connectivity to IT departments, the information regarding the medical assets can’t always be accessed easily by security teams.

The first step security teams need to take before addressing medical device cyber-risks, is to create a data-rich inventory of the medical devices connected on the network.

There are several things that need to be considered when creating a detailed inventory of your connected medical devices.

  1. Active network scanning can disrupt the operation of medical devices – it is important to stick to passive discovery methods such as analyzing traffic from a switch TAP or mirror port.

  2. Network discovery tools that are designed for discovering IT systems won’t recognize medical devices.

  3. Building an inventory of the medical devices can be a gradual process because of the large number of devices and device types.

  4. This is not a one-time activity, but rather a continuous ongoing activity because devices will be added, replaced and removed from the network.

Aim to build a database of the various attributes for each device including the IP address, device type, department where it is located, the device brand and model, its operating system version and application software version, and the version of its latest security patch. The more information you can get on each device, the better, especially with the data that will help you determine vulnerabilities at a later stage of this process.

Network Mapping

Once you have started building a data rich inventory of your connected medical devices, the next step is to examine which other systems each device is communicating with. This is an important precursor for risk analysis because understanding the nature of a device’s network connections lets you determine how exposed it is to external and internal threats.

Here are the basic things you need to know for each connection to a medical device:

  1. What are the other systems is the device communicating with?

  2. Are the device’s communications within the hospital IT network or are their communications to external locations via the Internet?

  3. Are the external communications known and expected for this type of device?

  4. Are there unnecessary links between medical devices and other systems within, or outside the hospital network due to network misconfigurations?

  5. Are the device’s internal communications isolated within VLANs?

  6. Are the device’s external communications isolated within VPN tunnels?

This mapping of the medical device network ecosystem will help you understanding the likelihood of a cyber-attack on the device when you start assessing the cyber-risks. But before that, there is an extra step you should take to get a better understanding of the devices’ network behavior patterns.

Clinical Context

Security teams need to be able to distinguish between dataflow you would find on any connected digital system and dataflows that are that are part of a clinical workflow.

Being able to recognize a device’s communications as part of the clinical workflow will enable you to accurately assess the impact of a potential cyber-attack on a device and will also help you predict the effectiveness and risk of different mitigation measures. Security teams and clinical engineering need to start working together to build this knowledgebase for their clinical network environment.

Here is basic information that security teams need so start collecting for the connected medical devices:

Information Required


Which connections to and from the devices are for clinical data transfers and which are non-clinical communications?

Mapping the clinical workflow ecosystem will let you avoid interference with critical dataflows and will make it possible to recognize suspicious anomalies in clinical workflows.

Does the device transfer or store Protected Health Information (PHI)?

Devices with PHI are more likely to be targeted by cybercriminals seeking to steal or encrypt valuable information.

Does the device connect to patients directly, such as infusion pumps and pacemakers, or indirectly, such as patient monitors?

This information will help accurately classify devices based on their risk to patient safety.

The activities covered in this post represent the first stage in the process of medical device network cybersecurity which is to gather rich data on the devices, their network connections and their applications.

In Part 2 we will look at a step-by-step process that security teams can follow to leverage this rich data for accurately assessing the cyber-risks of the medical devices.

Robert Bell is a Product Marketing Manager for Cynerio. 

See the latest posts on our homepage


Topic Area: Information Technology

Recent Posts
Recent Posts

Atlanta coronavirus field hospital to be reopened

The facility was first turned into a 200-bed alternative care location in April


Joint Commission testing virtual surveys

A new format is being used for physical environment surveys


Boston company offers to build ‘sanitization stations' for local healthcare workers

These temporary shower can be installed inside or outside workers' homes


Q&A: Mobile ABHR dispensers

Brad Keyes discusses regulations related to mobile ABHR dispensers


Mask-strapped healthcare facilities turn to mask-cleaning system

Issues with availability of materials is contributing to the shortages


Post Comment


News & Updates • Webcast Alerts • Building Technologies

All fields are required.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.