Healthcare security leaders face many challenges, but one of the trickiest is cyber-protecting medical devices. Unprotected medical devices lead to more occurrences of data breaches and increase the risk to patient safety. With the growing cyber-threat on hospitals, it isn’t a question of whether or not these devices need better protection, it’s instead a matter of how security teams can successfully plan and execute protection strategies for their medical devices as quickly and effectively as possible.
Building a dedicated layer of defense
To protect the medical device network environment efficiently and safely, security teams must build a dedicated layer of defense that addresses the most urgent cyber-risks. This must be a careful and thoughtful process that adheres to the specific clinical requirements and constraints of the healthcare environment.
We’ve put together a blog series on how security teams in the medical space can work together with clinical engineering to mitigate the many risks associated with connected devices, and where to start.
In this three-part series we’ll discuss:
Part I: Gaining visibility into your connected medical devices and the context of their network behavior.
Part II: Properly identifying, assessing and scoring the cyber-risks of medical devices on your network.
Part III: Working with limited resources and still build a solid foundation that will enable effective cyber-risk mitigation strategies.
Part 3: Working with limited resources and building a solid foundation that will enable effective cyber-risk mitigation strategies
Protect, detect and improve
Risk mitigation strategies for the medical device network environment should come after establishing good visibility into the devices, their connectivity and behavior, and a good understanding of the devices’ associated risks. These are covered in part 1 and part 2 of this blog series.
With this knowledge, security teams can build a defense layer tailored for protecting their networked medical devices and strengthen this defense on an ongoing basis.
Prevention & protection
An effective strategy covers multiple aspects of the assets being protected. Use the intelligence that you gathered about the devices in order systematically address each of its risks in the most effective and safe way. The protection measures should include the following activities:
For medical devices, patching is never simple. Medical device software usually runs on a Windows operating system. But when Microsoft releases a Windows security patch, it needs be verified and approved by the medical device manufacturer to make sure that the patch does not impact the functionality of the medical device. Security teams, who are used to the relatively easy processes of IT systems patch management have a harder time with medical devices because they need to rely on clinical engineering or the manufacturer for patching the devices. What can help improve this is when the security people known which devices have which vulnerabilities as discussed in part 2. With this information they can request specific patches and keep track of the progress.
Whether or not the devices are patched, it is important to isolate their clinical dataflows from non-clinical dataflows. This is done by setting strict access policies and segmentations that restrict non-essential communications to and from the devices.
Additionally, security teams need to work together with clinical engineering and HTM to create stronger password protection and data encryption wherever possible.
Connected medical devices will never be entirely protected from all potential threats because there will always be legacy devices and restrictions to how much security you can enforce. It is therefore very important to put mechanisms in place for detecting and alerting when there are unexpected changes in the device behavior patterns.
To achieve this, it is necessary not only to monitor the behavior of medical device communications, but to be able to distinguish between legitimate medical workflows and suspicious data exchanges.
This is where the Clinical Context mentioned in Part 1 is essential. The more data you have regarding the underlying clinical workflow, the better and faster your response will be to medical device behavior anomalies.
Metrics and analytics
Medical device cybersecurity is a long, multi-staged process that needs to be continually improved over time to keep up with the evolving threat landscape. To achieve the best performance in this mission it is important to track of the progress and optimize future decisions based on the previous results.
Here are some tips for tracking risk mitigation progress:
• Create scorecards for the medical device risk index at different periods of the process.
• Set Key Performance Indicators (KPIs) for medical device network cyber-risk mitigation. KPIs can focus on various risk parameters such as the location and utilization of the devices or the severity on impact of the risk.
• Identify which activities and strategies helped reduce medical device risk index and which ones didn’t.
• Collect analytics and data that can be useful for future procurement decisions such as devices that have many unpatched vulnerabilities.
Healthcare security is years behind other industries and there is a great deal of catching up required. In this blog series we looked at the necessary steps for understanding the risks and building a strong foundation that will provide the necessary protection the connected medical device ecosystem so that the security gap can be bridged rapidly and effectively so that hospitals can keep patient-care safe. For more information about cyber-protecting medical devices, please contact Cynerio at firstname.lastname@example.org.
Robert Bell is a Product Marketing Manager for Cynerio.See the latest posts on our homepage