Medical Device Security, Mitigation Needs to Reduce Patient Safety Risk

June 07, 2021 - Medical device security is consistently ranked as the top cybersecurity challenge facing health IT. Those challenges have rapidly increased in the last year with the ongoing pandemic response, as providers have swiftly onboarded connected tech to support patient care.

Health IT teams are tasked with technical challenges on a daily basis, from ensuring network bandwidth to protecting patient data privacy at rest and in transit. Connected medical devices and implemented IoT add further layers of complications to both visibility and connectivity.

As reliance upon these platforms has grown, the need for improved security has significantly increased, extending far beyond the four walls of the hospital. Although there have been serious technology advancements, medical device security is often an afterthought, or even worse, an insurmountable task.

According to CHIME, the greatest challenges come from patch management and real-time insights into device inventories. Many healthcare entities struggle to apply software updates in real time and an even greater number are unsure of just how many devices are operating on the network at any given time.

Visibility is at the crux of medical device security concerns, according to Cerner Director of Security Solutions Paul Schwartz. Few entities can confidently state how many devices operate on the network, including the location on the network, the make, model, or manufacturer.

Too many providers can’t answer how many devices on their network have been recalled or are operating with known vulnerabilities. Other challenges include how many vendors or departments are granted full access to the network and to elements unnecessary for their role.

All of these risk mitigation measures must be applied to medical device security. Beginning with visibility, make a plan for mitigation and the best approach for remediation for securing the medical devices on the enterprise.

“Hackers are damaging systems through simple, rudimental, automated attacks,” said Schwartz. “In many ways, the targets are easy. Phishing emails have been around for a long time, as well as malware and ransomware.”

“We know the right defenses, but we need to mitigate the risk through network visibility,” he added. “Multi-factor authentication is another huge step; we must do something to ensure all users are whom they say they are.”

But the solution is rarely rooted in technology. Enterprises need to assign responsibility to the right group, whether it be biomed, tech, or security.

For Schwartz, it must be an organizational shift on responsibility for securing medical devices and tying it back to the overall organizational structure: people, processes, and technology.

Overall, it’s a board of directors’ decision: What risk are we willing to accept and what are we willing to do to protect ourselves?

There are three key endpoints in healthcare: traditional, medical, and mobile. There’s been a high degree of security discussion and actions around the traditional endpoint. Schwartz stressed that it’s important for entities to be able to answer for their actions on securing the two other key areas, which truly are patient safety issues.

“We can learn a lot from COVID-19, with hospitals losing 60 percent of revenues,” said Schwartz. “How much money, per hour, is lost when surgeries are canceled, systems are offline, or ambulances are diverted? Securing medical devices needs to be seen as a business problem.”

The issue has existed as long as medical devices, and the industry is still trying to solve the problem.

The challenge is similar to that seen in the late 1990s with PCs, servers, and laptops, from an inventory perspective, he explained. Decades later, the sector is facing the same issue with medical devices.

“These are some of the most difficult questions for hospitals and hospital systems to answer,” said Schwartz. “At the end of the day, what are you trying to protect? That is what you have to know. If you don’t have a good inventory, you don’t know what it is you have to protect.”

“It’s an age-old problem: Multiple departments within a single hospital have the ability to acquire inventory, and that doesn’t always happen through IT or biomed.” he added. “As a result, those critical teams are unaware that some of these devices even exist on the network.”

Together, the situation drives the need to solve medical device security challenges from a people and processes point of view, or what Schwartz called, “shadow IT of devices.” But getting the departments to agree upon a policy for how IT devices are purchased for the organization is a daunting task.

As such, the shadow IT issue can only be solved through technology, able to gather real-time data on medical devices and their location on the network, such as automation, CMMS tools, and configuration management tech.

There are also a range of vendors that tackle inventory of devices and management. Once inventory is tackled, there are also tools to support monitoring and managing the data repository.

These are critical steps, but the industry needs to continue to break down the silo of IT and biomed into the IT space. Far too often, CIOs and CISOs will point to other departments as for who is in charge of handling the medical device issue, when in reality, it’s an enterprise-based tech risk.

“We’re starting to see the convergence of biomed and IT into one area, which is the roadmap that more hospital systems are going down,” said Schwartz. “It becomes a cultural change. Biomed has their traditional space, and IT or security teams have their place.”

“The convergence of those technologies is driving the integration of those departments,” he continued.

Adding to these challenges, medical devices often operate on Windows-based devices, commonly platforms that have reached end-of-life. Combined with the heightened targeting of the healthcare sector by ransomware actors, these risks are paramount.

For Cerner, it’s also a critical patient safety issue.

“Medical devices are designed to provide care and or maintain life,” said Schwartz.  “But it doesn’t mean the devices are technically complex.”

The dichotomy can be seen with ventilators, a simple tech tool that provides life-saving support, compared with an MRI, a complex tool that doesn’t necessarily provide critical care. As such, some tools aren’t designed with security in mind and can be more difficult or costly to replace.

As a result, some devices are simply difficult to patch or replace, so many providers continue to operate with vulnerable devices on the network. Given the patient safety risk, it’s still important for providers to mitigate the risk posed by these devices, particularly if updating or upgrading is not an option.

After gaining in-depth inventory and visibility into the network, the next step is to use configuration management tools, combined with micro segmentation to address the secondary or tertiary risk mitigation needs.

“It’s a patient safety issue that needs to be addressed like any other patient safety issue in healthcare,” said Schwartz. “We’re connecting vulnerable devices to people who need them. We need to protect these life-saving devices with everything we can.”

In a threat landscape where ransomware actors readily scan for and use vulnerabilities to gain a network foothold, then remain on the network for days, weeks, and even months, segmentation and reducing access points can drastically reduce the impact of a single exploit.

___________________________________

For 40 years, Cerner has worked at the intersection of health care and information technology to connect people and systems around the world. They use the latest technology to create solutions that let communities and people engage in their own health. Whether they are supporting the clinical, financial or operational areas of a hospital or health system, Cerner's tools are designed to work for today and think for tomorrow.