Best Practices for Responding to Medical Device Security Incidents

November 11, 2021 - As healthcare organizations continue to integrate connected medical devices into everyday clinical care, it is imperative that providers recognize and prepare for medical device security risks that could impact patient safety, the Cloud Security Alliance (CSA) suggested in its new “Medical Device Incident Response Playbook.”

The playbook was inspired by growing medical device security concerns since the 2017 WannaCry ransomware incident, which demonstrated the fragility and vulnerabilities of medical devices. WannaCry successfully encrypted radiology equipment drives at hospitals.

“While serious confidentiality and integrity issues are often associated with leakage of medical device data, the highest risk when dealing with systems being used for clinical care concerns is keeping those systems available for patient care use,” the playbook stated.

“The loss of access to medical devices and other clinical system availability can lead to delays in patient care. This loss of availability can be due to the threat itself, or a result of an incident response (IR) process that doesn’t take clinical considerations into account and brings devices offline without consulting health care professionals.”

Significant barriers to achieving medical device security continue to persist years after WannaCry. Healthcare organizations often struggle to take inventory of all the devices in their networks, and many devices are too out-of-date to be patched and upgraded in order to successfully protect against exploitation.  

CSA suggested that cybersecurity staff and clinical leadership should work together to prepare for medical device security incidents and know how to respond in a way that does not negatively impact patient safety.

The playbook provided use cases for imaging device compromise, personal implanted devices, and networked infusion pump loss of availability.

The approach is centered around the NIST SP 800-61r2 Computer Security Incident Handling Guide. The guide suggests that organizations should focus on preparing, detecting, containing, and recovering from an incident, followed by threat sharing to ensure that other organizations can safeguard themselves against future attacks.

It is crucial that organizations maintain a medical device inventory database to reference while responding to a security incident. CSA also recommended that organizations classify devices based on clinical considerations and the potential impact of the device going offline in order to quantify risk.

After bolstering data repositories, healthcare organizations should focus on preparing their incident response teams, which should consist of clinical decision-makers, IT professionals, and vendors. A matrix of stakeholders with analytic, investigative, and project management skills should be considered.

After assembling a strong team, organizations should document communication channels, create medical device incident response escalation and notification procedures, and establish a coordinated vulnerability disclosure (CVD) program.

Adequately preparing an organization’s people, network, and devices for potential security incidents will not prevent incidents from happening altogether, but it will ensure that there are no unnecessary and unexpected risks to patient safety.

The playbook also recommended that healthcare organizations maintain a threat intelligence and threat sharing program, as well as a vulnerability management program. If an incident does occur, the incident response team to notify clinical leadership, contain the vulnerability as much as possible and disconnect the device from the network in coordination with care modification plans.

Of course, incident response will vary greatly depending on the nature of the compromised device. For example, implanted device vulnerabilities will require different responses than telehealth or wearable device security incidents.

“While the guidance presented in this framework may need some adaptation to account for particular patient care needs, particular security tool stacks, or other hospital specific variables, it highlights the importance of not treating medical device incident response as a one size fits all process and incorporating a tiered approach into the IR process that takes into consideration risks to patient safety,” CSA concluded.