By David Finn
Not so long ago, security in healthcare meant physical access: were the doors locked and unlocked at appropriate times? Now the focus has shifted as the industry witnesses hospital systems ransomed, malware slow clinical operations to a crawl, and the implications of not doing basic security on systems (backups, patching and incident response plans) that include system shutdowns, cyberattacks and data breaches. The attention is now on the medical devices used on patients for diagnostic and therapeutic services.
Both the Department of Health and Human Services (HHS) and the Food and Drug Administration (FDA) have spent the past five years educating, guiding and regulating medical devices. During that time, more medical devices have been added to the networks with little regard to the privacy and security issues around them. Just this year, security researchers in two separate studies reported on technical vulnerabilities that pose significant risk to medical devices used in imaging. Those risks include data integrity, security, privacy and patient safety. One flaw in the DICOM standard actually allows malware to hide within medical images.
The year 2018 introduced real-world threats to medical devices and real incidents that should cause concern for any clinician or patient who is using a medical device. It started with the American Hospital Association (AHA) issuing a call for the FDA to focus on reducing the regulatory burden while ensuring there is greater medical device oversight in its December 2017 letter in response to an FDA proposed rule. The FDA responded by extending the comment period. In fact, since the FDA released its cybersecurity guidance in 2016, medical device vendors have reported 400% more vulnerabilities per quarter through 2018.
Today, implementing medical device security must be viewed from the perspective of how it can affect patient care, safety and clinical operations. Security controls, IT processes or purchasing practices cannot be allowed to impact care, but that doesn’t have to come at the cost of security. Cybersecurity is one of the most pressing problems in healthcare and requires a sense of urgency, but it has to be addressed in the context of the many other healthcare realities: staffing issues, declining budgets and shrinking reimbursement. These diminishing resources can make establishing a cybersecurity plan for medical devices seem overwhelming to an organization, with many not knowing where or how to even start. However, organizations can begin assessing the security of their devices (both legacy devices already in place and new equipment) by focusing on the following six key areas and questions to help guide their evaluation:
- Acquisition/Procurement process and Support model – most organizations have well-defined processes around purchasing, but are medical devices part of that? Does that process include security review or language for the device makers to address security issues? Who manages medical devices themselves, and who manages their security? While there are many models, crossing between groups can create gaps in processes, policies and procedures.
- Inventory management – probably the weakest link in medical device security is simply knowing the location of devices, which logistically cannot be done manually. Many tools claim to do this but few really address both the technical security issues and patient safety impacts, or take a life-cycle approach to medical devices.
- Risk Assessment processes – medical device security must be risk based. The risks around medical devices are much more complicated than traditional endpoints. Patient care and safety are involved, so security must always be balanced against operational impacts.
- Secure Network management – organizations should consider the current network structure and how network segmentation, firewalls, access controls and network monitoring solutions can be used to manage compensating controls for medical device risk mitigation.
- Vulnerability Identification, Remediation and Incident Response – traditional vulnerability scanning cannot be conducted on medical devices. Medical devices come and go from the network and they may be impacted by scanning during use. You will need to utilize passive scanning techniques and understand who in the organization addresses which vulnerabilities. Organizations should develop and maintain an IR plan for investigating and addressing incidents that impact or include medical devices.
- End-of-Life Management – many of these devices store ePHI and other sensitive data, like network credentials. Data must be destroyed prior to device disposal. The capital planning process for medical devices should include technical vulnerabilities and remediation capabilities when prioritizing or selecting devices for replacement.
These best practices outline the key factors for organizations to consider in order to begin understanding the true risk behind their medical devices. Medical device risk is complex and varies depending on each device, network, and organization involved. However, as we continue to expand the volume and capabilities of connected medical devices, not addressing their security also continues to expand the real risk and serious impact on patient care and safety.
David Finn is the Executive Vice President of Strategic Innovation at CynergisTek, an industry leader in healthcare cybersecurity and information management. He has been involved in leading the planning, management, and control of enterprise-wide, mission-critical information technology and business processes for over 30 years.