The Challenge of Medical Devices:
Medical devices represent significant exposure and potential vulnerability to healthcare organizations.
There are thousands of medical devices in use even in small medical operations. These devices are generally built for a specific clinical purpose, and security is rarely a primary design goal. They must also keep functioning for the health system to operate at all. The volume, use, and design of medical devices therefore combine to present a unique challenge for healthcare security.
So how do you best protect your hospital or health system from the threats posed by unprotected medical devices? We asked our experts, Mark Ferrari, MS, PMP, CISSP, HCISPP, HITRUST Certified Practitioner, and Ryan Patrick, MBA, CISSP, HITRUST Certified Practitioner, for some tips:
Preparedness: Health organizations need to be prepared for data breaches involving their medical devices.
Data breaches should be approached not as a question of if, but of when. Expecting exposure and practicing incident response activities is the most beneficial thing health systems can do for their data’s security. It’s essential to establish a cross-departmental designated CIRT (cyber incident response team) that is responsible for keeping track of potential areas of exposure. It is also important to have formalized governance in place, which includes accurate and timely inventories, change management and configuration management. Adopting a security framework such as NIST or HITRUST will help guide the team’s preparation.
Detection: Organizations need increased risk detection practices and must have a dynamic, automated system for identifying risk in medical devices & the Internet of Things (IoT).
This automated system should have the dynamic capability to identify new devices in your health system environment, their operating systems and patch levels, and consistently compare device behavior to ‘normal behavior’ to detect potential breaches. A complete detection system should include a measurable way to score abnormal behavior in terms of risk, and to isolate devices that are functioning abnormally. Once unusual behavior is detected, the CIRT is alerted to begin its incident response plan.
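The detection system described above has three parts: an inventory of what each device is expected to be (OS, patch level, normal destinations), a comparison of observed behavior against that baseline, and a risk score that drives the isolate/alert decision. The following is an added example, not code from the original article or from Intraprise Health; the inventory, the telemetry records, the weights, the isolation threshold and the assumption that the clinical network lives entirely in 10.0.0.0/8 are all constructed for illustration. A real deployment would source the inventory from a CMDB and the observations from network sensors or an asset-discovery tool, but the scoring logic is the same.

```python
"""Added example: score medical-device telemetry against a baseline inventory.

All data below is constructed. Nothing here is the article's or the vendor's code.
"""

# Constructed inventory: what the CIRT expects each known device to be and talk to.
INVENTORY = {
    "infusion-pump-01": {"os": "embedded-linux", "min_patch": 3,
                         "allowed": {("10.0.5.20", 443)}},
    "ct-scanner-02": {"os": "windows-10", "min_patch": 19041,
                      "allowed": {("10.0.5.21", 104), ("10.0.5.22", 443)}},
}

# Constructed observations, one record per device sighting: OS/patch as fingerprinted
# by the discovery tool plus the (destination ip, port) flows seen in the window.
OBSERVATIONS = [
    {"device": "infusion-pump-01", "os": "embedded-linux", "patch": 3,
     "flows": [("10.0.5.20", 443)] * 10},
    {"device": "ct-scanner-02", "os": "windows-10", "patch": 18362,
     "flows": [("10.0.5.21", 104)] * 8 + [("203.0.113.9", 445), ("10.0.5.30", 22)]},
    # A device the inventory has never seen (assumed: identified only by MAC).
    {"device": "unknown-mac-aa11", "os": None, "patch": None,
     "flows": [("10.0.5.21", 104)]},
]

# Constructed weights: how much each finding contributes to the risk score.
WEIGHTS = {
    "unknown_device": 50,        # not in the inventory at all
    "os_mismatch": 30,           # fingerprint disagrees with the recorded OS
    "patch_behind": 20,          # patch level below the inventory's minimum
    "new_destination": 15,       # talking to something outside its baseline
    "external_destination": 25,  # ...and that something is off the clinical network
}
ISOLATE_THRESHOLD = 40  # constructed: at or above this, recommend isolation


def is_external(ip: str) -> bool:
    """Assumption for this example: the clinical network is entirely 10.0.0.0/8."""
    return not ip.startswith("10.")


def score_device(obs, inventory=INVENTORY):
    """Compare one observation to the baseline; return (score, sorted findings)."""
    findings = []
    expected = inventory.get(obs["device"])
    if expected is None:
        findings.append("unknown_device")
        allowed = set()  # nothing is baselined for an unknown device
    else:
        if obs["os"] != expected["os"]:
            findings.append("os_mismatch")
        if obs["patch"] is not None and obs["patch"] < expected["min_patch"]:
            findings.append("patch_behind")
        allowed = expected["allowed"]
    # Known devices: every destination outside the baseline is a finding.
    # Unknown devices: only off-network traffic adds to the base score.
    for dest in sorted(set(obs["flows"])):
        if dest in allowed:
            continue
        if expected is not None:
            findings.append("new_destination")
        if is_external(dest[0]):
            findings.append("external_destination")
    return sum(WEIGHTS[f] for f in findings), findings


def triage(observations, threshold=ISOLATE_THRESHOLD):
    """Score every observation and return decisions, highest risk first."""
    results = []
    for obs in observations:
        score, findings = score_device(obs)
        if score >= threshold:
            action = "isolate"   # quarantine VLAN / NAC action, then alert the CIRT
        elif score > 0:
            action = "alert"     # worth a ticket, not worth pulling a clinical device
        else:
            action = "ok"
        results.append({"device": obs["device"], "score": score,
                        "action": action, "findings": findings})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage(OBSERVATIONS):
        print(f'{r["device"]:<18} score={r["score"]:<3} {r["action"]:<8} {r["findings"]}')
```

Two design points worth noting. The unknown device is scored high on identity alone, because an asset you cannot map to the inventory cannot be compared to any baseline; that is the "accurate and timely inventories" point from the preparedness section showing up in detection. And the threshold is deliberately separate from the weights, so the CIRT can tune how aggressively devices are isolated without rewriting the scoring, which matters when the device in question keeps a patient alive.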
Containment, Eradication, and Recovery: A cross-departmental CIRT should practice incident responses to decrease the damage a breach can do.
When a breach is detected and validated by your incident response team, the question becomes how quickly and thoroughly you can contain the threat, eradicate the danger, and recover any compromised data. We recommend practicing incident response activities on a regular basis to streamline this process. As former military, we are familiar with the Army’s use of tabletop exercises to establish and practice an efficient response in case of an attack.
Post Activity: Incorporate the lessons learned from a breach into your response plan for the future.
As we all know, data breaches will happen, and you need to be prepared when they do. But learning from the breach is important too. It is crucial that the team evaluates where the threat occurred and establishes a plan to minimize that risk in the future. Investigate the problems you experienced, discuss the lessons learned, and update your plan to include solutions.
Further Reading / Resources:
- FDA Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook
- UL 2900-1: Software Cybersecurity for Network-Connectable Products
- UL 2900-2-1: “Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems”
- NIST Framework for Improving Critical Infrastructure Cybersecurity
About the Authors
Mark Ferrari, MS, PMP, CISSP, HCISPP, HITRUST Certified Practitioner
Executive Vice President, BluePrint Health Information Security
Prior to his role with Intraprise Health, Mark was Vice President and Chief Information Security Officer for BluePrint Healthcare IT. Mark currently sits on the New Jersey Health Information Management Systems Society (NJHIMSS) Security and Privacy Task Force and the HITRUST Alliance Assessor Council. Prior to his involvement in healthcare IT, Mark served as an officer in the United States Air Force.
Ryan Patrick, MBA, CISSP, CCSFP, HITRUST Certified Practitioner
Vice President, BluePrint Health Information Security
Prior to joining Intraprise Health, Mr. Patrick served as Vice President of Client Services and Operations at Fortified Health Security, where his team received awards from Frost & Sullivan and Black Book. He previously served as the Director of Security, Privacy and Compliance at Blueprint Healthcare IT, which became a part of Intraprise Health in 2018. He is a Battalion Commander for the United States Army Reserve. His combat and military valor were acknowledged with a Bronze Star Medal, a Global War on Terrorism Expeditionary Medal, and the Global War on Terrorism Service Medal.
About Intraprise Health
Intraprise Health designs and implements tailored secure information technology solutions. Working with hospitals, health systems and Business Associates, Intraprise Health believes the marriage of security and frictionless health consumer experiences is critical to all who participate in the healthcare ecosystem. With a team of certified HITRUST Assessors, Intraprise Health’s industry-leading BluePrint Health Information Security™ services have been focused on the healthcare privacy and security space for more than 10 years. Intraprise Health’s Care Navigator Healthcare Engagement™ products provide tailored patient engagement platforms for both providers and value-based care organizations.