Healthcare security leaders face many challenges, but one of the trickiest is cyber-protecting medical devices. Unprotected medical devices lead to more occurrences of data breaches and increase the risk to patient safety. With the growing cyber-threat on hospitals, it isn’t a question of whether or not these devices need better protection, it’s instead a matter of how security teams can successfully plan and execute protection strategies for their medical devices as quickly and effectively as possible.
Building a dedicated layer of defense
To protect the medical device network environment efficiently and safely, security teams must build a dedicated layer of defense that addresses the most urgent cyber-risks. This must be a careful and thoughtful process that adheres to the specific clinical requirements and constraints of the healthcare environment.
We’ve put together a blog series on how security teams in the medical space can work together with clinical engineering to mitigate the many risks associated with connected devices, and where to start.
Key Takeaways
In this three-part series we’ll discuss:
- Gaining visibility into your connected medical devices and the context of their network behavior.
- Properly identifying, assessing and scoring the cyber-risks of medical devices on your network.
- Working with limited resources while still building a solid foundation that will enable effective cyber-risk mitigation strategies.
Part 2: Properly identifying, assessing and scoring the cyber-risks of medical devices on your network
This blog series introduces a step-by-step approach to help security teams in the medical space create a comprehensive framework for addressing risks associated with their connected medical devices. Part 1 in this series focused on establishing a foundation for understanding the connected medical device environment and maintaining a data-rich inventory of the devices, their connectivity, and the context of their network behavior. In this blog post, we’ll explore how to leverage this data-rich device inventory to accurately assess the cyber-risk associated with connected medical devices.
Risk Assessment needs to be proactive, systematic and prioritized
One of the key components of secure networking is the ability to assess the cyber-risk of the connected assets. But surprisingly, only 34.3% of respondents to the 2018 HIMSS Cybersecurity Survey answered that their risk assessment included medical devices. When considering the abundance of vulnerabilities coupled with the severity of cyber-incidents that involve medical devices, one would expect a much higher percentage than this. Additionally, medical device risk assessments tend to be non-systematic and are generally performed as an afterthought following a cyber-incident. We believe that the main reason risk assessments neglect to include medical devices stems from the lack of visibility into their network presence, connections and behavior.
Risk identification
A practical approach to risk assessment relies on a data-rich inventory that classifies the connected devices based on their type and model. This enables security teams to identify and log the specific vulnerabilities of each device. Here are some useful guidelines.
1. Gather information about known vulnerabilities for your connected medical devices. There are several websites where you can find up-to-date security vulnerability information. These include MD-VIPER, US-CERT, the NIST National Vulnerability Database, and ICS-CERT.
2. Manage a list of security vulnerabilities for each of the medical devices. These should include specific vulnerabilities from the sources mentioned above, and also general vulnerabilities such as hard-coded passwords or unpatched outdated revisions of operating systems and medical software installed on the device.
3. In addition to the vulnerabilities, it is important to make note of the level of access security teams have to the device for implementing security controls and responding to cyber-events. Is the device managed by clinical engineering, the manufacturer or a third-party contractor? How easily can the device be replaced if necessary?
Risk probability
After identifying the potential risks on the device layer, the next step is to look at the network layer for determining the likelihood of an attack. Medical device vulnerabilities are only one aspect of the risk. The probability of these vulnerabilities being exploited depends on the attack vectors. Here are some examples of attack vectors that contribute to increased risk probability of a medical device:
1. Connections to other systems via the Internet (e.g. remote connection to manufacturer or third-party company for maintenance and services)
2. Connections to less secure workstations (e.g. remote physician’s workstation)
3. Devices that use unencrypted communications
4. Devices that use protocols with weak authentication
Risk severity
Unlike healthcare IT systems, the impact of a cyber-attack on medical devices is not limited to data security and privacy. Targeted and untargeted attacks on medical devices can disrupt clinical care and cause harm to patients.
After identifying the risks per device and determining their probability, the next step is to look at the potential impact of a cyber-attack for each device.
The goal should be to rank the potential impact for patient safety, privacy and service disruption per device. For instance, a PACS (Picture Archiving and Communication System) would have a high privacy ranking, while an infusion pump would have a high patient safety ranking.
After defining the probability and potential impact ranking, you can give each device a risk index. The devices that have a higher risk probability and a more severe impact if they were to be compromised by a cyber-attack should be given a higher risk index.
Different organizations can define different criteria for risk index scoring. The advantage of ranking devices based on their risk index is that it allows the organization to define the acceptable risk index level so that security teams can primarily focus on addressing the devices whose risk index exceeds the acceptable level.
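One way to turn the probability and severity rankings described above into a per-device risk index and an acceptable-level cut-off, as an added Python example that is not part of the original post. The attack-vector weights, the vulnerability cap, the 1-to-3 impact scale and the inventory entries are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Probability = capped vulnerability count + attack-vector weights (network layer);
# severity = worst-case impact ranking; risk index = probability * severity.
# Weights, caps and the 1-3 ranking scale are assumptions for this example.
VECTOR_WEIGHTS = {                 # the four attack-vector examples from the post
    "internet_connection": 3,      # remote vendor / third-party maintenance link
    "less_secure_workstation": 2,  # e.g. a remote physician's workstation
    "unencrypted_comms": 2,
    "weak_authentication": 2,
}
VULN_CAP = 5                       # one point per logged vulnerability, up to this cap

@dataclass
class Device:
    name: str
    vulnerabilities: List[str]  # entries from the device's tracked vulnerability list
    vectors: List[str]          # keys of VECTOR_WEIGHTS that apply to this device
    impact: Dict[str, int]      # patient_safety / privacy / service, each 1 (low) - 3 (high)

def probability_score(d: Device) -> int:
    unknown = set(d.vectors) - set(VECTOR_WEIGHTS)
    if unknown:
        raise ValueError(f"{d.name}: unknown attack vector(s) {sorted(unknown)}")
    return min(len(d.vulnerabilities), VULN_CAP) + sum(VECTOR_WEIGHTS[v] for v in d.vectors)

def impact_score(d: Device) -> int:
    # Worst-case ranking: an infusion pump ranks high on safety, a PACS on privacy
    return max(d.impact[k] for k in ("patient_safety", "privacy", "service"))

def risk_index(d: Device) -> int:
    return probability_score(d) * impact_score(d)

def above_acceptable(devices: List[Device], acceptable: int) -> List[tuple]:
    """Devices whose index exceeds the acceptable level, highest risk first."""
    ranked = [(d.name, risk_index(d)) for d in devices if risk_index(d) > acceptable]
    return sorted(ranked, key=lambda t: t[1], reverse=True)

# Constructed inventory entries; names and vulnerability labels are placeholders
INVENTORY = [
    Device("PACS server", ["PLACEHOLDER-VULN-1"], ["internet_connection"],
           {"patient_safety": 1, "privacy": 3, "service": 2}),
    Device("Infusion pump", ["hard-coded password", "outdated OS revision"],
           ["unencrypted_comms", "weak_authentication"],
           {"patient_safety": 3, "privacy": 1, "service": 2}),
    Device("Patient monitor", [], [], {"patient_safety": 2, "privacy": 1, "service": 1}),
]
```

Calling `above_acceptable(INVENTORY, acceptable=6)` returns the infusion pump (index 18) and the PACS server (index 12), while the patient monitor with no logged vulnerabilities or exposed vectors stays below the cut-off.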
In Part 3, we will discuss working with limited resources and building a solid foundation that will enable effective cyber-risk mitigation strategies.
Summary
Healthcare security is years behind other industries and there is a great deal of catching up required. In this blog series we looked at the necessary steps for understanding the risks and building a strong foundation that will provide the necessary protection for the connected medical device ecosystem, so that the security gap can be bridged rapidly and effectively and hospitals can keep patient care safe.
Medical devices are seen as black boxes on the network, or not seen at all.
A common situation in healthcare organizations is that the security teams do not have visibility into the connected medical devices. They don’t know how many devices are connected, what types of devices they are, who they’re connected to, and whether their network behavior is normal and expected for these types of devices.
To properly assess and mitigate the risk of medical devices on your network, you first need to be able to see them, understand what their function is, and know how they should be communicating over the network.
Robert Bell is a Product Marketing Manager for Cynerio.