New Connected Device Security Maturity Model Helps Orgs Strengthen Cybersecurity

November 30, 2022 - Connected device security company Ordr published a maturity model to help healthcare organizations evaluate and improve the security of their connected devices. The guide is broken down into five stages of maturity, each with recommended actions and detailed descriptions.

Medical devices and other connected devices remain a security challenge for healthcare organizations. Although the issue has garnered some attention from legislators, experts have expressed a need for healthcare organizations to continue to prioritize device security internally today as they await the passing of legislation.

“The notion of a maturity model is not unique to protecting connected devices. NIST, among others, has developed models that help organizations go from rudimentary security levels to the most advanced level in a logical sequence,” the document states.

“Buying the most sophisticated tools doesn’t work if the other parts required for an organization to successfully leverage its capabilities have not been established. That is why it is implicit in all these models to start with people and processes.”

The first step in the new maturity model is asset visibility. If organizations do not know all the connected devices on their network, it is impossible to secure all of them. This step includes tips for automating the discovery of new devices and identifying initial device risk.

Next, the maturity model recommends that organizations focus on vulnerability and risk management. Within this stage, organizations are encouraged to gain a complete view of risk by identifying known vulnerabilities, leveraging external sources like threat feeds, and identifying risky traffic patterns.

The third and fourth steps are reactive and proactive security. Within the reactive security stage, the maturity model recommends that organizations use the insights from the previous stages to help teams understand device risk and establish priorities. In the proactive security stage, the model suggests that teams automate workflows and policies and implement zero trust segmentation to reduce the attack surface.

The maturity model’s final step is optimized security, in which organizations are encouraged to fine-tune security efforts and continue to evaluate threats. Since the nature of the connected device ecosystem is dynamic, it is important that organizations are constantly enhancing their practices to adapt to new threats and new devices.

“While all industries are at risk of cyberattack, the potential outcomes of attacks on healthcare organizations could be catastrophic, with real consequences for patients," Brad LaPorte, the guide’s author and former Gartner cybersecurity analyst, explained in an accompanying press release.

"Organizations cannot expect to reach the Optimized Security stage instantly. Each stage establishes critical capabilities, builds upon previous stages, and creates value on the journey to Zero Trust. No matter where you are on this journey and what your ultimate goal is, this guide provides essential insights to understanding your security posture - and what is needed to improve."

In recent months, more guidance has been released by the medical device security community to help organizations manage risk. For example, in October, the Medical Device Innovation Consortium (MDIC) released its first medical device security maturity benchmarking tool and report.

In collaboration with Booz Allen Hamilton, MDIC leveraged the Health Sector Coordinating Council’s (HSCC) Joint Security Plan (JSP), a product lifecycle reference guide to developing, deploying, and supporting secure medical devices and health IT products and solutions, to develop survey questions for medical device manufacturers.

The benchmarking survey found that there is a lot of room to grow when it comes to medical device security maturity on the manufacturing side. But with more tools and benchmarking data available, the hope is that the medical device community will make strides in improving security in the coming years.