Patients expect hospitals to be safe havens, but more and more we're seeing that the weakest and most critical assets in hospital networks are the very instruments needed to save lives: medical devices. With the increase in connected medical devices, the risk for malicious attacks is growing. Eighty percent of hospitals were attacked during the last two years and 77% of healthcare providers are concerned about unsecured medical devices.
Medical devices are often the weak point in a healthcare provider’s technology landscape and, if compromised, could affect patient health, safety or privacy. The concern is even greater due to the fact that medical devices are connected to all major data centers in the hospital's network – ranging from EMR, PACS, RIS and more. Compromising a medical device allows hackers access into the heart of a hospital network.
Fortunately, the threat can be significantly reduced by evaluating and mitigating the risks they pose. Below are the top five steps hospitals and healthcare networks should consider when implementing sound cybersecurity practices to create a resilient facility and clinical core.
1. Ensure complete visibility of all connected medical devices
Since you cannot protect what you cannot see, the first step is to gain visibility into, and an in-depth understanding of, the current status of every connected device on the network. With perhaps thousands of medical devices in use in any given hospital, that means preparing an inventory spanning the entire network. Medical device inventory records are often manually updated and typically paper-based, incomplete and out of date – so it’s essential to create an electronic record and a process to keep it current. The inventory should also cover assets such as servers, information systems and other devices – whether wired or wireless – that communicate with medical devices.
Networks should also record a full device profile. The more detailed and granular the information held for each device, the easier it will be to monitor vulnerabilities and identify when changes, such as software patches, are required. Hospitals should also ensure they have an ongoing and automated solution that can identify and classify devices in real-time.
2. Create a prioritized risk assessment and remediation plan
A risk analysis determines the risk profile for each device based on known vulnerabilities and an evaluation of likely threats. Based on the risk analysis, healthcare information technology (HIT) professionals should create a holistic risk assessment – from a high-level and broader network picture, to a more detailed risk level for each device.
The risk assessment also provides input to the organization’s wider security architecture, making certain medical device and clinical asset security meshes with existing security protocols and controls, thereby ensuring a holistic view is taken to monitoring and protection.
As part of this process, leaders should understand where the weakest points are from an attacker's perspective and map them onto the organization's criticality levels, which are defined according to operational and business processes. Using information from industry bodies, analyzing CVEs, manufacturer disclosure statements and Internet sources can also help to build a comprehensive picture of possible risks and mitigation actions. Organizations should then assign each device a criticality level that reflects both its vulnerability level and its importance to the organization.
Based on the risk assessment process, a well-defined, prioritized and actionable remediation plan should be created. The remediation plan should also take into account the organization’s existing controls (what they have and what they are missing) and its remediation and recovery capabilities. This process will then result in a concise and actionable plan.
Prioritization is also critical at this step, since cybersecurity will never be hermetic and resources are often tight. Leaders should therefore carefully choose the top action items to remediate urgently.
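The following Python script is an added illustration of steps 1 and 2 together, not code from the original article or from any vendor platform: an electronic device inventory with a per-device profile, a check that flags records nobody has re-verified recently, and a criticality score that combines vulnerability level with importance to produce an ordered remediation plan. Every device, IP address, date and CVE identifier in it is a constructed placeholder, and the 1-to-5 scales and the scoring formula are assumptions chosen for the example rather than a published standard.

```python
"""Electronic medical-device inventory with stale-record detection and a
risk-prioritized remediation plan. Added example; all devices, dates and
CVE identifiers below are constructed placeholders, and the scoring scale
is an assumption, not a published standard."""
from dataclasses import dataclass
from datetime import date

# Hospital data centers the article names as reachable from medical devices.
CORE_SYSTEMS = {"EMR", "PACS", "RIS"}

# Assumed review date for the inventory (fixed so the example is deterministic).
TODAY = date(2024, 1, 15)


@dataclass
class Device:
    """One row of the device profile: the more fields, the easier monitoring becomes."""
    asset_id: str
    device_type: str
    vendor: str
    firmware: str
    ip: str
    talks_to: tuple          # systems the device communicates with
    known_cves: tuple        # identifiers taken from disclosures (placeholders here)
    patch_available: bool    # vendor has released a fix for the listed CVEs
    clinical_impact: int     # 1 (low) .. 5 (life-critical), assumed scale
    last_verified: date      # last time the record was confirmed against the network


# Constructed sample inventory: two medical devices, a server and a monitor.
SAMPLE_INVENTORY = [
    Device("pump-01", "infusion pump", "VendorA", "3.1.0", "10.20.1.15",
           ("EMR",), ("CVE-PLACEHOLDER-1",), False, 5, date(2024, 1, 5)),
    Device("mon-01", "patient monitor", "VendorB", "7.2", "10.20.1.22",
           ("EMR",), (), True, 4, date(2024, 1, 10)),
    Device("ct-01", "CT scanner", "VendorC", "1.8.4", "10.20.2.7",
           ("PACS", "RIS"), ("CVE-PLACEHOLDER-2", "CVE-PLACEHOLDER-3"),
           True, 3, date(2023, 6, 30)),
    Device("pacs-srv-01", "PACS server", "VendorD", "12.0", "10.20.5.3",
           ("PACS",), ("CVE-PLACEHOLDER-4",), True, 3, date(2023, 9, 1)),
]


def stale_records(inventory, today=TODAY, max_age_days=90):
    """Asset ids whose profile has not been re-verified within max_age_days."""
    return [d.asset_id for d in inventory
            if (today - d.last_verified).days > max_age_days]


def vulnerability_level(dev):
    """0..5: no known CVEs scores 0; each CVE and a missing patch add to the score."""
    if not dev.known_cves:
        return 0
    level = 2 + len(dev.known_cves) + (0 if dev.patch_available else 1)
    return min(level, 5)


def importance(dev):
    """Clinical impact, bumped by one if the device reaches a core data center."""
    bump = 1 if CORE_SYSTEMS & set(dev.talks_to) else 0
    return min(dev.clinical_impact + bump, 5)


def criticality(dev):
    """Combined criticality: vulnerability level times importance (0..25)."""
    return vulnerability_level(dev) * importance(dev)


def remediation_action(dev):
    """Action for the plan: patch where possible, compensating controls otherwise."""
    if vulnerability_level(dev) == 0:
        return "monitor; no known CVEs"
    if dev.patch_available:
        return "apply vendor patch and re-verify profile"
    return "no patch: isolate on a restricted segment and monitor until fixed"


def remediation_plan(inventory, top_n=None):
    """Devices ordered by criticality (highest first) with the action to take."""
    ranked = sorted(inventory, key=lambda d: (-criticality(d), d.asset_id))
    plan = [{"asset_id": d.asset_id, "criticality": criticality(d),
             "action": remediation_action(d)} for d in ranked]
    return plan[:top_n] if top_n else plan


if __name__ == "__main__":
    print("stale records:", stale_records(SAMPLE_INVENTORY))
    for row in remediation_plan(SAMPLE_INVENTORY, top_n=3):
        print(row)
```

Run as a script it lists the two records that have gone more than 90 days without re-verification and the three highest-criticality devices with their actions. The point of keeping vulnerability level and importance as separate functions is that the same CVE on a life-critical pump that talks to the EMR and on an isolated low-impact device should land at very different places in the plan, which is what lets a resource-limited team pick the top items to remediate first.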
3. Implement active prevention to neutralize threats
A healthcare provider’s network has many access points, so a well-thought-out defense architecture that reduces the attack surface is essential. This means healthcare providers should embrace the paradigm of active prevention and network hygiene enforcement, staying one step ahead of the attacker.
4. Use a holistic platform to manage IoMT security
Hospitals and healthcare networks should use a holistic platform to manage their medical device security, one that integrates seamlessly with their workflows and can be used in concert by the different professional teams involved: clinical engineering, IT and security.
Since security isn’t just a problem for the IT team, it’s important to incorporate dashboards and reports into operational workflows as well. This breaks down organizational silos and helps build a security-aware culture governing the use of medical devices. User configurable dashboards also create an easy way to present the most relevant information to managers, clinicians, bio-med analysts and other team members. For example, managers need a high-level view of attack surfaces, recent alerts and current problems; clinicians want to know about specific devices used in their operational roles; and security analysts need access to the device inventory and the ability to drill-down into specific problems.
5. Stay alert and instill a culture of security
Once the basics are taken care of, there can sometimes be the temptation to consider the work complete. The reality, however, is networks are subject to a constant state of change – as staff members come and go, threats change, and devices are replaced – so security must be managed and monitored closely.
To combat these challenges, healthcare organizations must establish a culture of cybersecurity – from the C-suite down. This can include introducing training programs to make sure staff members know how to spot threats and what to do if and when they find one, and holding regular sessions to keep those principles top-of-mind. Leverage threat intelligence and experience from other healthcare providers and the broader security industry by taking advantage of shared information and early warning services such as those offered by MDISS, the Health Information Sharing and Analysis Center and ECRI Institute.
In the – hopefully – unlikely event of a breach, an incident response plan (such as that published by NIST) is a critical tool for ensuring continuity of operations while the problem is dealt with. Suffering a breach is unfortunate, but not having a pre-defined way of handling it is unforgivable.
The ultimate objective of medical device security is to recognize, predict, prevent, and respond intelligently to malicious intent. Firm action, as outlined in these five steps, helps deliver that objective, and allows healthcare providers to focus on their main mission – providing quality patient care.