With 12% of attacks rooted in Internet of Things (IoT) devices and 88% of healthcare cyberattacks implicating at least one Internet of Medical Things (IoMT) device, HDOs need to establish best security practices around these risks. Using the Health Industry Cybersecurity Practices (HICP) strategies as defined by the 405(d) HICP Task Force, the HPH sector can implement controls and risk mitigation strategies that enable them to securely deploy medical devices within their environments.

As one of the top three sectors prioritized for additional cybersecurity attention, the Healthcare and Public Health Sector (HPH) finds itself struggling to secure and manage the proliferation of medical devices creating an increasingly expansive attack surface. Underfunded IT budgets, lack of skill sets, lack of adequate staffing and low operating margins mean that healthcare delivery organizations (HDOs) find themselves using legacy medical devices, often no longer supported by the manufacturers. Additionally, many HDOs have siloed and understaffed IT, healthcare technology management (HTM, also known as clinical engineering or Biomed), and cybersecurity teams. 

These intertwined challenges increase the likelihood that an HDO will be the victim of a cyber attack, and the research supports this concern. According to the 2022 Ponemon Cybersecurity in Healthcare Report, 88% of HDOs said that they experienced an average of 43 attacks in the previous 12 months. Further, the costs arising from a data breach places the financial stability of these organizations at risk since they struggle with razor-thin operating margins, with research noting the average HDO’s operating margin was 0.4% in 2023. 

What is the 405(d) HICP Program?

Established under Cybersecurity Act of 2015 (CSA), the 405(d) HICP Program is a collaboration between the healthcare industry and the federal government. As part of developing cybersecurity awareness across the sector, the 405(d) HICP Program established risk mitigation best practices. 

The 405(d) HICP Task Group publishes the documents that HDOs use to implement these best practices. The members of this collaborative group include individuals from:

• U.S Department of Health and Human Services
• Health Sector Coordinating Council
• Cybersecurity experts
• Healthcare experts

In 2023, the 405(d) HICP Task Group published the most recent versions of the following documents:

• Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
• Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations
• Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations

What are the Health Industry Cybersecurity Practices (HICP)?

The HPH sector uses health information technology for clinical care, fundamental research, population health, and health system design. Meanwhile, threat actors continue to deploy increasingly sophisticated attacks against these systems, threatening electronic Protected Health Information (ePHI) as well as patient health and safety. In response to these threats, the 405(d) HICP Task Group published the first iteration of the HICP in 2018. 

Recognizing the success of these publications, Congress amended the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2021 to define “recognized security practices” as:

standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) HICP of the Cybersecurity Act of 2015

This amendment formalized HICP as a recognized set of controlling best practices across the HPH. 

The “HICP: Managing Threats and Protecting Patients” document identifies the following threats: 

• Social engineering: attempt to trick someone into sharing information or taking an action that malicious actors can later use to attack systems or network
• Ransomware attack: malware that attempts to deny users access to data, usually by encrypting it, and/or stealing information only to encrypt or return data once the victim pays a ransom
• Loss or theft of equipment or data: people losing mobile devices like laptops, tablets, smartphones, or USB drives or someone stealing any of these devices
• Insider, Accidental, or malicious data loss: either accidental or malicious unauthorized access to infrastructure, network, or databases
• Attacks against network-connected medical devices: exploited vulnerabilities impacting ePHI and patient safety

Challenges Securing Medical Devices

Managing medical device security poses unique challenges because they interact with the physical world in ways that conventional IT devices do not. As the HICP notes that the volume of medical devices ranges from 5-14 per bed, creating, maintaining, and monitoring the growing, changing, and mobile inventory becomes even more complex. 

In Technical Document 2, the 405(d) HICP Task Group notes the following challenges unique to medical, facilities management, and some IoT devices:

• Visibility, inventory, and device scanning: Active scanning can interfere with a medical device’s performance, disrupting functionality and harming patient care
• Passive scanning and communications protocols: Traditional scanners are unable to identify the unique protocols the devices use.
• Medical device risk management: The inability to identify devices creates an inability to determine vulnerabilities, risks, and appropriate remediation controls
• Device monitoring and network policy management: NAC systems lack contextual information about medical device use, traffic flows, or operational status creating two additional challenges:
  • Determining policies: The inability to obtain accurate device identification and how it communicates with other devices leads to an inability to create network communication restrictions.
  • Operationalization: Converting network communication policies is time-consuming and labor-intensive
  • Legacy devices: Many device operating systems or other components are beyond End of Service (EoS) creating security and device safety risks. 
• Remote access: Manufacturers update or mitigate vulnerabilities using remote access creating an additional attack vector.
• Risk analysis and ePHI: Inability to determine whether medical devices encrypt data complicating the ability to identify ePHI on the network as required by the Health Insurance Portability and Accountability Act (HIPAA)
• High knowledge/limited resources: Increased complexity around personnel resources and departmental alignments requiring Clinical Engineering, IT, and Security teams to collaborate. 

Additionally, HDOs need to incorporate medical devices into their overarching cybersecurity program. HICP explains that connected medical devices also fall within the following practices:

• #2: Endpoint Protection Systems
• #3: Identity and Access Management
• #5: IT Asset Management
• #6: Network Management
• #7: Vulnerability Management
• #8: Security Operations Center and Incident Response

HICP notes ADS can automate many tasks and integrate with the HDO’s Computerized Maintenance Management Systems (CMMS) and Configuration Management Database (CMDB).  Automating these tasks enables HDOs to:

• Operationalize maintenance and remediation workflows
• Coordinate security orchestration and incident response

Vulnerability Scanning is Risky

Technical Document 2 has the following warning, in all capital letters:

UNLESS APPROVED BY THE DEVICE VENDORS, THIS ACTION SHOULD BE TAKEN WITH EXTREME CAUTION DUE TO THE POTENTIAL IMPACTS ON MEDICAL DEVICES WITHIN THE PRODUCTION ENVIRONMENT. HDOS SHOULD NOT ATTEMPT TO CONDUCT VULNERABILITY SCANS UNLESS ABSOLUTELY CERTAIN THAT THE MEDICAL DEVICE IS NOT IN PRODUCTION, IS NOT CURRENTLY IMPLEMENTED IN A CLINICAL SETTING, AND IS NOT CONNECTED TO PATIENT

Additionally, it notes that the primary use cases for vulnerability scans are:

• When first procures and tested prior to deployment in a production environment
• When taken offline for preventative maintenance and routine patching
• During the utilization of the Asset Discovery and Security (ADS) monitoring tool

Essentially, Practice #9 explains that scanning medical devices is only safe when they are in highly controlled settings and not connected to patients.

Traditional Tools Offer Limited Capabilities

Technical Document 2 outlines that the ADS tools designed for medical devices offer the machine learning, AI, and deep packet inspection that HDOs can integrate into their CMMS. With ADS tools, HDOs can create a basic device identification for behavior tracking and analysis. From here, the HDO can establish a communications profile with the following elements:

• Volume
• Protocols
• Geography/location
• Traffic frequency
• Internal or external traffic source

HDOs can use ADS tools to identify:

• Undesired traffic, like watching risky ports to block them or network segments
• Vulnerabilities, like correlating known vulnerabilities and then determining whether to patch, block ports, or segment
• Unsupported OS, like identifying risky devices and then determining whether to upgrade the Operating System (OS), replace the device(s), or segment
• Abnormal device behavior, like determining whether traffic is necessary or unnecessary then blocking unnecessary traffic

With these tools, HDOs can implement appropriate timelines for mitigating risks arising from medical device vulnerabilities. For example, best practices are the following timelines:

• 30 Days: Implementing interim mitigation step after vendor communicates vulnerability
• 60 Days: Implementing solution after vendor produces it

Using Asimily to Implement Cybersecurity Practice #9: Network Connected Medical Devices

HDOs of all sizes need to implement Practice #9. Practice #9 in Technical Document 1, intended for Small Healthcare Organizations, directs these HDOs to use the best practices in Technical Document 2 for medium and large HDOs. Since all organizations need to implement medical device security practices, they should choose a solution that scales with them and their future technology plans. 

Aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, Cybersecurity Practice #9 outlines the following sub-practices that apply to small and medium-sized HDOs.

Asset Management

When possible, HDOs need to inventory all:

• Hardware
• Software

With Asimily’s passive scanning to detect and fingerprint devices, HDOs gain visibility into all devices connected to the network. With this comprehensive, authoritative, and continuously updated medical device asset inventory that includes model, OS, and software version, they gain insight into: 

• Where a device is on the network 
• What department is responsible for it
• Where it moves throughout the campus

Endpoint Protections

When possible, HDOs should enable controls like:

• Anti-virus software
• Local firewalls
• Encryption
• Application allowlist
• Changing default passwords
• Routine patching

HDOs can use Asimily to continuously monitor medical devices both for a vulnerability’s existence and an attacker’s ability to exploit it. Then, they can implement controls that mitigate risk. With Asimily’s clinically validated compensating controls, HDOs can implement the Practice #9 best practice of employing mitigating factors to reduce risk.  

Asimily enables HDOs to monitor the following HICP suggested metric:

number of medical devices that do not conform to basic endpoint protection cybersecurity practices measured weekly

Identity and Access Management (IAM)

Managing medical device IAM poses a dual challenge. Most IAM tools require two things:

• Installing an agent on a device
• A human user presence

Since these medical devices may not meet these two requirements, Practice #9 explains that  NAC systems fingerprinting devices can address the gaps using MAC or IP-based authentication by identifying the following:

• Hardware: manufacturer, model, serial number
• Software: operating system, version, firmware revisions
• Device type and function
• Security assessment: vulnerabilities and risks

Additionally mentions implementing the:

• Strong passwords
• Remote access controls, like using VPNs, monitoring for anomalous activity, tracking access to authorized and unauthorized/high-risk target

Asimily’s fingerprinting capabilities enable organizations to identify the hardware, software, and devices connected to their networks. With our built-in risk metrics, HDOs can set baselines for normal activity and identify anomalous activity on the network that might indicate device takeover by threat actors. 

Network Management

As a best practice, Technical Document 2 explains that segmentation and micro-segmentation aligned to Zero Trust Architecture (ZTA) strategies is a best practice. 

Further, Practice #9 identifies the following benefits of micro-segmentation:

• Isolation
• Monitoring
• Compliance
• Access control

With Asimily, HDOs detect and gain visibility into all medical devices on the general access network, data center network, or other locations that fail to meet the requirements of the network segmentation strategies.

Asimily enables HDOs to monitor the following HICP suggested metric:

number of medical devices not currently segmented on wireless or wired networks measured monthly

Vulnerability Management

When implementing a vulnerability management program, HDOs should incorporate the following processes:

• Vulnerability and risk categorization
• Contract negotiation
• Vulnerability disclosure programs
• Software bill of materials (SBOM) and vulnerability lookups
• Vulnerability scanning

With Asimily, HDOs can implement a robust vulnerability management program built into their workflows by:

• Identifying where exploitable vulnerabilities are within the environment and for each specific device 
• Prioritizing activities on real-time exploitability
• Leveraging our clinically validated recommendations for vulnerabilities via digitized MDS2 information

Asimily enables HDOs to monitor the following HICP-suggested metrics:

• Number of unmitigated high-risk vulnerabilities on network-connected medical devices measured monthly
• Number of devices that have unknown risks due to lack of manufacturer-disclosed information, measured monthly. 

Contacting the FDA

HDOs can directly contact the FDA to file complaints or concerns about vulnerabilities when the manufacturer fails to mitigate risks. 

Additional Sub-Practices for Large Organizations

For large HDOs, the HICP outlines two additional requirements related to incident response. 

Security operations and incident response

Large HDOs need to provide additional monitoring, detection, and response activities around their medical device ecosystems that include:

• Baselining devices
• Network behavior
• Clinical context
• Profiling and grouping devices
• Deep packet inspection

With the Asimily Packet Capture, HDOs can capture raw packets to or from deployed devices that reveal attacker tactics, techniques, and procedures (TTPs). They can use this data as part of their incident response, forensic analysis, or network troubleshooting.

Procurement and security evaluations

Large HDOs should establish cybersecurity requirements used during the medical device acquisition process. Practice #9 outlines the following best practices:

• Security evaluation: Uncover design risks or flaws, obtain a copy of the latest MDS2
• Risk scoring: Use a multi-factorial risk score that includes the probability of a compromise, criticality, CVE, device properties, and connectivity
• Contract negotiation: Use cybersecurity evaluation to resolve any unmitigated risks and incorporate language into a contract
• SBOM: Request the list of software components used in the device
• End of Life (EoL)/End of support (EoS): Know the manufacturer’s life expectancy and incorporate EoL/oS mitigations

With Asimily, clinical engineering departments, security, and IT teams can collaborate during the procurement process by working from a shared pre-procurement risk analysis of the impact that a device will have within the HDO’s environment. 

Asimily enables HDOs to monitor the following HICP suggested metric: number of medication devices procured that did not receive security evaluation, measured monthly.

Asimily: Implement 405(d) HICP Practice #9

To learn more about  Asimily and aligning with HICP, visit our website or contact us today.