The proliferation of connected medical devices has created a vulnerable threat surface for cyber attackers to exploit. To protect themselves and their patients, healthcare facilities must embrace a holistic, lifecycle approach to connected medical device cybersecurity. Integrated processes and technology must span onboarding, inventory, monitoring, detection, correlation, remediation and analysis. The key to success is a commitment from the healthcare technology management (HTM), information technology (IT) and information security (InfoSec) personnel groups to integrate their processes and tool sets to drive collaboration and address this large and rapidly growing problem.
The good news is that we now have the insight, technology and expertise to combat this new wave of threats and help keep the medical device fleet, patients and data out of harm’s way. The cross-functional team is well-positioned to succeed if its plan includes the following elements and tactical steps.
Audit the inventory: A trusted inventory is the foundation for effective cybersecurity risk mitigation, and the first step is auditing the inventory of already-deployed devices. The key to success here is standardizing location data, naming conventions, and make and model definitions. Hospital personnel can use a variety of modern IoT scanning tools to discover those devices and begin to fingerprint the behavior and interaction patterns of diverse types of devices, including the nuances of how they operate in this specific environment. It is also critical to augment the discovered IT data with a physical inventory that incorporates HTM data, creating a true system of record for the device fleet and a collaboration platform on which those two organizations can begin working together.
Create a new culture starting with onboarding: Once that platform is in place, create a culture of good security hygiene for medical devices by establishing a new, standardized process for onboarding devices into the environment. Bring together the IT and HTM teams to implement an onboarding process that ensures the new system of record remains up to date as devices are added to the fleet. With these two basic steps, cross-functional teams gain full visibility into the device inventory, security posture, and risk exposure at any given time.
Embrace integration for more effective monitoring: From an operational standpoint, teams can now scan and monitor the device footprint on an ongoing basis, looking for deviations from established baselines, which are signals that a device may have been compromised. At the same time, teams can integrate real-time feeds from industry vulnerability sources such as the National Vulnerability Database (NVD) so that they are continually aware of new threat vectors uncovered elsewhere, outside their own healthcare system. Real-time visibility into threats and attacks on the device infrastructure is now a reality.
Apply insights to connect the dots: More importantly, because a trusted system of record has been created, teams can now correlate an active attack not just against the specific device being compromised, but against all other similar and at-risk devices across the entire fleet. Use newly available technology to assess and rank these threats so that work can be prioritized accordingly. As a threat is detected, dig into the data, but also step back to take a holistic view of the total risk exposure across all devices, whether deployed, offline for maintenance, sitting in a supply closet, or in the process of being procured.
Remediate, remediate, remediate: Unfortunately, this is where many organizations stop and are unable to “close the loop”. Detection and correlation, while critical to getting real-time visibility into an attack and its total risk impact in the environment, are not enough to protect the organization. If teams have followed the steps outlined above, they are operating from a position of strength from which to respond to threats and slam the window of exposure shut.
The system of record now becomes the system of action. Signals and alerts tied to IP addresses are immediately mapped to asset tags. Based on that device identification, the appropriate HTM staff can be immediately and automatically dispatched to take corrective action. The cross-functional teams can also integrate the system of record and action with the Security Operations (SecOps) solution used by the IT and InfoSec teams, so that those teams are fully aware of the threat and have visibility into the steps and timeline to full remediation, as well as the current status of that process.
Strengthen your compliance posture: As anomalies are detected, responded to, and remediated, the system of record can capture a detailed audit trail, including status changes between workflow steps and timestamps of when specific corrective actions were taken. This audit data can be visualized and exposed in several rich ways to serve two important goals. First, it allows hospitals to demonstrate compliance with internal and regulatory requirements. This is an important consideration, as liability and legal exposure are frequently tied to a healthcare system’s ability to demonstrate compliance with documented InfoSec policies.
More importantly, the hospital now has the means to perform a detailed post-incident review involving all key stakeholders, including IT, InfoSec, clinical staff and HTM. This offers an opportunity to analyze various factors in preparedness and incident response: signal interpretation, response times, effectiveness of cross-functional collaboration, time-to-closure, and so on. It is a powerful tool to help the cross-functional team learn from each incident and create a culture of continuous improvement that yields an increasingly robust security posture over time.
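The lifecycle above (a trusted system of record, alert IP mapped to asset tag, correlation to every similar device in any status, and a timestamped audit trail of workflow steps) is shown as an added, constructed Python sketch; it is not Nuvolo's code or the article's, and the fleet data, asset tags, makes and models are invented for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample fleet: asset tag, make, model, IP (None if not on the
# network), lifecycle status. Offline units are deliberately included because
# an attack on one deployed unit puts every identical unit at risk.
FLEET = [
    ("INF-001", "AcmeMed", "InfusionPump-X", "10.20.1.11", "deployed"),
    ("INF-002", "AcmeMed", "InfusionPump-X", "10.20.1.12", "deployed"),
    ("INF-003", "AcmeMed", "InfusionPump-X", None, "maintenance"),
    ("INF-004", "AcmeMed", "InfusionPump-X", None, "procurement"),
    ("MON-001", "BetaCorp", "VitalsMonitor-7", "10.20.2.5", "deployed"),
]

@dataclass
class Device:
    asset_tag: str
    make: str
    model: str
    ip: Optional[str]
    status: str

@dataclass
class SystemOfRecord:
    """Inventory plus an append-only, timestamped audit trail of workflow steps."""
    devices: List[Device]
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def record(self, asset_tag: str, step: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, asset_tag, step))

    def correlate_alert(self, alert_ip: str) -> Tuple[Optional[str], List[str]]:
        """Map an alert's IP to an asset tag, then to all same make/model devices."""
        hits = [d for d in self.devices if d.ip == alert_ip]
        if not hits:
            # An IP with no asset behind it means the inventory is not trusted.
            self.record("UNMAPPED:" + alert_ip, "alert on IP not in inventory")
            return None, []
        target = hits[0]
        self.record(target.asset_tag, "alert mapped to asset tag")
        at_risk = [d.asset_tag for d in self.devices
                   if (d.make, d.model) == (target.make, target.model) and d is not target]
        self.record(target.asset_tag, f"correlated to {len(at_risk)} similar devices")
        return target.asset_tag, at_risk

def build_sor() -> SystemOfRecord:
    return SystemOfRecord([Device(*row) for row in FLEET])
```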
In the IoT era, the value of connected medical devices is undisputed. They have delivered a quantum leap forward in quality of care and improved patient outcomes. However, they have also created a massive and unmanaged threat surface that leaves healthcare organizations vulnerable to new attack vectors. Responsible healthcare organizations can use modern technology and thoughtful, cross-functional process improvements to protect themselves and their patients from these risks.
Tom Stanford is the founder and CEO of Nuvolo.