3 Barriers to Achieving Medical Device Security

November 08, 2021 - Achieving medical device security requires a healthcare organization to have full visibility into how many devices are on its network, regularly patch and replace out-of-date devices, and stay ahead of the latest technical vulnerabilities in order to patch devices before they cause patient harm.

The problem is that for most healthcare organizations, there are significant barriers to successfully taking those measures as visibility remains a struggle and new vulnerabilities and patches are being discovered regularly.

“Healthcare is unique in the fact that we have a wide variety of devices that connect to our networks,” Samuel Hill, director of product at Medigate and former ER patient care technician, told HealthITSecurity.

“Other industries have that, but those industries don’t have devices that keep people alive. So, we have to be super accurate, and we need to be more accurate than we are currently.”

While no instances of patient harm have resulted from medical device vulnerabilities at this point, research has shown that it is possible for threat actors to exploit vulnerabilities and hurt patients via connected medical devices.

“The reason patients are in our hospital is because they're trusting us to care for them in their time of need with whatever the reason they've come to our hospital,” Hill reasoned. “If we let them down in any way, that's the worst possible outcome.”

Lack of visibility

The portable nature of medical devices makes it extremely difficult to keep track of everything, and implanted devices may even disappear from view when patients switch providers.

“If you don't know what's connected to your network, you can't really do much. Until you have visibility to everything that's connecting to your network, it's really hard to enforce your own policies about security,” Hill maintained.

A study conducted by HHS’s Office of Inspector General (OIG) revealed that organizations rarely use discretion to assess the cybersecurity of networked medical devices. OIG’s analysis of Medicare accreditation organization (AOs) hospital surveys found that the medical device security assessments were either lacking or nonexistent.

OIG stressed that it is “more important than ever that hospitals have a plan for securing their networked devices—which can number in the tens of thousands in a large organization—before those devices are compromised in a cyberattack.”

Previous KLAS research has revealed that healthcare organizations possess an average of 10,000 medical devices. Chief information security officers (CISOs) are increasingly concerned about the lack of asset inventories and visibility into how many devices are on their organization’s network.

Medical devices can be life-saving and crucial to patient care, but healthcare organizations should also be aware of the dangers of not knowing how many devices are attached to their network. Any unsecured device can be used as an entry point for bad actors.

Too many out-of-date devices

“Medical device manufacturers don't normally patch or update their software or operating systems very often,” Hill stated. “And when they do, they may not let the healthcare organization actually implement the patch or do the work.”

Legacy medical devices are devices that cannot be patched or updated further. These devices pose significant security risks and use out-of-date systems to function. Even if they still perform well clinically, the cybersecurity risks should not be overlooked.

According to Cisco, 60 percent of medical devices are at the end-of-life stage. Healthcare organizations tend to use each medical device for more than 20 years, making them a prime target for hackers.

Securing medical devices is critical to securing a healthcare organization’s entire network. Organizations are only as secure as their weakest link and providing an open door to hackers could be costly and detrimental to patient safety.

Changing cyber threat landscape

New medical device vulnerabilities are constantly being discovered, which makes it difficult for IT teams to patch every device in a timely manner. With thousands of devices and an ongoing cybersecurity workforce shortage, healthcare organizations are already stretched thin.

Patching devices requires a lot of manual effort, Hill explained. It is not a simple process, and the patch has to be applied to potentially thousands of devices on one network.

The ever-changing cyber threat landscape means that organizations must adapt and respond in a timely manner. While medical device security should be a top priority for healthcare organizations, it is often overshadowed by ransomware and phishing incidents that garner a lot of media attention and force health systems into EHR downtime and ambulance diversions.

The pandemic also shifted the threat landscape by increasing telehealth use, which comes with its own set of security risks. Meanwhile, ransomware gangs are becoming bolder and less afraid of targeting the healthcare sector in a time of crisis.

What healthcare organizations can do to mitigate risk

Hill emphasized the importance of implementing micro-segmentation, which is a network security technique that divides a network’s data center into distinct security segments to reduce the network attack surface and improve breach containment.

“And not every segmentation policy is created equal. We need to enforce the right policy for the right device at the right time,” Hill added.

Hill, who recently worked on Medigate’s Clinical Device Efficiency (CDE) offering for medical device security, suggested that it is equally crucial to keep an inventory of all medical devices and make sure they are consistently patched. The best thing that healthcare organizations can do is keep track of every connected device to mitigate risks and ensure that there are no glaring security gaps.

It is impossible to eliminate risk altogether, especially with the number of medical devices and seemingly constant influx of new patches and updates.

“So, the best practice is to know what's there, know what you can do about what's there, and then do the right thing for that device at the right time, in the right way,” Hill advised.

It’s also crucial to recognize that security is a team effort. Patients must be informed of the latest vulnerabilities that pertain to devices they may be using for care. To facilitate conversations with patients, the FDA’s Center for Devices and Radiological Health recently released best practices for communicating medical device vulnerabilities to patients and caregivers.

“Clear, actionable communication is one way to help protect and promote public health, and help ensure that patients, who depend on their medical devices, stay informed and protected,” the guidance explained.

“Early access to serious cybersecurity vulnerability information may provide assurance to patients and empower them to take early action to avoid any potentially harmful consequences to their health. Furthermore, early access to this information may also help build trust with patients and the public.”

Barriers to medical device security are persisting but implementing technical safeguards and increasing visibility can help organizations stay ahead of looming cyber threats.