Medical Device Security Starts at the Supply Chain

Connected medical devices, often called the Internet of Medical Things (IoMT), are a more prominent part of patient care in modern healthcare. Internet-enabled infusion pumps, connected MRIs, and CT scanners automatically send data to a patient’s electronic medical record, empowering clinicians with the ability to get information right away and improve patient outcomes.

With the number of IoMT devices in hospitals expected to exceed 7 million by 2026, doctors and nurses can anticipate even more connected systems in their day-to-day work. This could ultimately mean that clinicians get more intelligence about their patients regularly, and lead to better health outcomes during hospital stays as well as after discharge. 

This is a good thing. Unfortunately, many of the connected medical devices in use throughout hospitals are not built with security in mind. This is why security needs to be top of mind for healthcare delivery organizations (HDOs) when it comes to the medical device supply chain. 

Why Security Needs to be a Bigger Concern in Medical Device Supply Chains 

The connected medical equipment that comes into a hospital needs to be as secure as possible. Each of these devices collects critical medical information on patients and, when integrated properly, updates the electronic medical record. At the same time, every one of them adds cyber attack risk within the hospital.

Healthcare is already one of the most targeted industries, with 725 large-scale breaches in 2023 alone. Ensuring that the connected equipment entering the hospital is as secure as possible should be a paramount concern for HDOs. A few of the other possible consequences include:

  • Increased mortality rates – There is a 20% direct-line increase in mortality from a cyber incident, according to Ponemon Institute research. People die at higher rates at HDOs that experience a cyberattack or incident, which isn’t good news for trust in the system. 
  • Reputational damage and community distrust – Rightly or wrongly, people mistrust HDOs that experience a cyberattack. The exfiltration of patient data creates a perception of a lack of safety, meaning that people will often avoid HDOs that have experienced an incident. 
  • Increased recovery costs – An IBM report estimates that it costs $10.1 million per incident for HDOs to recover from a cyberattack, excluding any ransomware payments. This is the highest recovery cost of any industry included in the IBM study. The surge in attacks on HDOs in 2023 only pushes these costs higher.
  • Possible regulatory costs – A hospital settled with regulators for $250,000 to avoid risks of imposed fines and expanded class-action lawsuits. HIPAA and CCPA are only a few of the statutes that HDOs need to worry about in terms of regulatory consequences. State regulators could also sue following an incident if they claim HDOs didn’t do enough to protect critical health data.

Unfortunately, many IoMT devices lack basic security features like encrypted data transfer and can’t be easily patched when vulnerabilities are identified. They also are not often built with security in mind. These devices go to market quickly, and manufacturers may not construct their firmware with the most secure architectures. This leads to major potential risks when it comes to securing critical infrastructure within the HDO.

Moreover, secure medical device supply chains mean that necessary equipment is available when it’s needed. A threat actor who knocks out an MRI machine as part of their attack chain takes that machine out of commission, and even if the attack is stopped, the MRI cannot be used until it is repaired. Between the risk of an attack taking a piece of necessary equipment out of commission and the possibility of a negative regulatory experience, HDOs need to ensure that their connected medical devices are as secure as possible. 

Best Practices for Medical Device Supply Chain Security

To ensure the most effective medical device supply chain security, there are a few key best practices that organizations need to consider: 

  • Implement Pre-Purchase Risk Avoidance – While replacing connected medical devices is a costly and infrequent endeavor, it’s crucial that when these buying cycles occur, proper emphasis is given to procuring secure devices. Researching devices before purchase to ensure they do not open unnecessary risks for the organization is a powerful way to mitigate risks before they arise. Consult relevant data sources such as vulnerability databases and manufacturer-supplied information such as SBOMs and the MDS2 (Manufacturer Disclosure Statement for Medical Device Security), because an ounce of prevention is worth a pound of cure when it comes to medical device procurement.
  • Inventory all Connected Medical Devices – HDOs need to inventory all their IoMT equipment. This should be done through scanning solutions that monitor network traffic and construct a map of all connected equipment. Accurate inventories ensure that security teams know which devices are on their networks and allow staff time to be allocated to monitoring those devices.
  • Implement Anomalous Behavior Tracking – Understanding the appropriate behavior of every device connected to your network goes a long way toward ensuring supply chain security. Connected medical devices have specific, predictable behaviors, and security teams need to monitor for deviations from them to ensure the devices are not compromised.
  • Manage and Mitigate any Vulnerabilities – Security teams need to manage and mitigate any identified software or hardware vulnerabilities in IoMT devices. Mitigating the risk of major vulnerabilities that lack patches (for example by restricting network reachability of the affected service) is essential to strong supply chain security.
  • Assess Security Practices of Key Suppliers – HDOs need to understand the security practices of their key suppliers. Healthcare organizations rely on connected medical equipment to provide patient care, and device manufacturers need to have good security practices in place to ensure that they have made these devices as secure as possible. 
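The anomalous behavior tracking described above can be reduced to a simple idea: learn which peers, ports and protocols each device normally talks to, then flag flows that fall outside that baseline. The following is an added example written for this article, not code from the post or from Asimily's platform. The device addresses and flow records are constructed sample data, and the "training window" is assumed to be a period in which the devices were known to be healthy.

```python
"""Per-device network behavior baseline for IoMT devices (added example).

Learns the set of (destination, port, protocol) tuples each device used
during a clean training window, then reports observed flows that either
come from a device with no baseline at all or leave a known device's
baseline. All addresses and flows below are constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # source device IP
    dst: str    # destination IP
    dport: int  # destination port
    proto: str  # "tcp" or "udp"


# Constructed training window: an infusion pump (10.20.1.15) that only talks
# to the HL7 integration engine, DNS and the vendor update server, and a CT
# scanner (10.20.1.40) that only sends DICOM to PACS and does DNS lookups.
BASELINE_FLOWS = [
    Flow("10.20.1.15", "10.20.0.5", 2575, "tcp"),   # HL7 to integration engine
    Flow("10.20.1.15", "10.20.0.5", 2575, "tcp"),
    Flow("10.20.1.15", "10.20.0.2", 53, "udp"),     # DNS
    Flow("10.20.1.15", "10.20.0.9", 443, "tcp"),    # vendor update server
    Flow("10.20.1.40", "10.20.0.7", 104, "tcp"),    # DICOM to PACS
    Flow("10.20.1.40", "10.20.0.2", 53, "udp"),     # DNS
]

# Constructed observation window to evaluate against the baseline.
OBSERVED_FLOWS = [
    Flow("10.20.1.15", "10.20.0.5", 2575, "tcp"),   # normal HL7 traffic
    Flow("10.20.1.15", "10.20.1.40", 445, "tcp"),   # pump talking SMB to the CT: not in baseline
    Flow("10.20.1.40", "10.20.0.7", 104, "tcp"),    # normal DICOM traffic
    Flow("10.20.1.99", "10.20.0.7", 104, "tcp"),    # device never seen in training
]


def build_baseline(flows):
    """Map each source device to the set of (dst, dport, proto) it used."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.dst, f.dport, f.proto))
    return dict(baseline)


def find_anomalies(baseline, flows):
    """Return (flow, reason) pairs for flows that deviate from the baseline.

    A flow from a device without any baseline is reported as an unknown
    device; a flow from a known device to a peer/port/protocol it has never
    used is reported as outside its baseline.
    """
    anomalies = []
    for f in flows:
        known = baseline.get(f.src)
        if known is None:
            anomalies.append((f, "unknown device: no baseline"))
        elif (f.dst, f.dport, f.proto) not in known:
            anomalies.append((f, "outside baseline"))
    return anomalies


def summarize(anomalies):
    """Count anomalies per source device, which is what a triage queue needs."""
    return dict(Counter(f.src for f, _ in anomalies))


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for flow, reason in find_anomalies(base, OBSERVED_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  [{reason}]")
```

In practice the baseline would be built from exported flow records (NetFlow, Zeek conn logs or a passive sensor) rather than a hard-coded list, and it should be rebuilt whenever a device is legitimately reconfigured; otherwise an approved change to the integration engine's address would show up as a flood of "outside baseline" alerts.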

These best practices ensure that HDOs can secure their medical devices and track any possible issues throughout the supply chain. 

How Asimily Supports Medical Device Supply Chain Security

Medical Device Procurement Pre-Purchase Assessment

Asimily enables you to purchase confidently with Asimily Proactive. This feature enables you to look up and research devices being considered before acquisition. It provides a risk score, showing the level of risk you may incur with that new device, helping to streamline buying decisions and reduce risk before investment. What’s more, Asimily also provides details on the expected behavior of that device, informed by real deployments of it.

Network Classification and Asset Inventory

The Asimily platform uses passive scanning technology to identify all devices connected to your networks without disrupting functionality. It ingests data from other trustworthy inventory sources as well, ensuring high accuracy and faster inventory generation from scratch. The ability to discover connected devices without interrupting their operation provides great value for HDOs.

Asimily identifies and classifies every connected medical device on your network down to the specific model, operating system, and software version. We define where they are, including physical location, and track them as they move so you can build accurate device profiles that include:

  • Operating system
  • IP address
  • MAC address
  • Port numbers
  • Hostname
  • Version number

Collecting this information simplifies supply chain security because it provides all the intelligence needed to build accurate maps of the most critical vulnerabilities. Asimily also adopts a risk-oriented approach to vulnerability management, empowering users with the most relevant information to resolve critical vulnerabilities and accurately understand the risks of specific devices.

Risk Remediation

With Asimily, you can prioritize remediation activities and address exploitable CVEs based on the measured risk a vulnerability poses by enabling you to:

  • Filter the thousands of CVEs associated with your inventory to just those that are exploitable on your network.
  • Prioritize your efforts to address the real risks to your network and not just the published list of potential threats.
  • Utilize the CVE’s criticality score along with the Common Vulnerability Scoring System (CVSS 3.x) and the Risk Rubric for CVSS to rate the exploitable CVEs based on their “Likelihood” to put the device at risk (Low, Medium, High).
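To make the inventory fields listed above and the three remediation steps concrete, here is an added example (written for this article, not Asimily's code or its scoring algorithm). It keeps only the CVEs whose affected model and version match an inventoried device and whose vulnerable service port was actually observed open on the network, then buckets the survivors into Low/Medium/High by CVSS 3.x base score. Device profiles are constructed, the CVE identifiers (`CVE-0000-…`) are placeholders rather than real advisories, and the score thresholds (below 4.0 Low, 4.0 to 6.9 Medium, 7.0 and above High) are an assumed simplification of the CVSS qualitative ratings, not Asimily's Risk Rubric.

```python
"""Exploitability-based CVE prioritization over an IoMT inventory (added example).

Inputs are a device inventory with the profile fields an asset-inventory
tool produces (hostname, IP, MAC, model, OS, version, observed open ports)
and a list of CVE records. A CVE is treated as exploitable on the network
only when the device's model and version are affected AND the service the
flaw is reachable through is actually open. All records are constructed
placeholders; the CVE ids are not real advisories.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Device:
    hostname: str
    ip: str
    mac: str
    model: str
    os: str
    version: str
    open_ports: FrozenSet[int]   # ports seen listening in passive traffic capture


@dataclass(frozen=True)
class Cve:
    cve_id: str
    model: str
    affected_versions: FrozenSet[str]
    port: Optional[int]          # service the flaw is reachable through; None = local only
    cvss: float                  # CVSS 3.x base score


# Constructed inventory (MACs and IPs are sample values).
INVENTORY = [
    Device("pump-icu-03", "10.20.1.15", "00:11:22:33:44:01", "PUMP-X1", "Linux 3.x", "2.4.1",
           frozenset({22, 2575})),
    Device("ct-rad-01", "10.20.1.40", "00:11:22:33:44:02", "CT-9000", "Windows 7", "5.0",
           frozenset({104, 445})),
    Device("mri-rad-02", "10.20.1.41", "00:11:22:33:44:03", "MRI-500", "Linux 4.x", "1.2",
           frozenset({104})),
]

# Constructed CVE records with placeholder identifiers.
CVES = [
    Cve("CVE-0000-0001", "PUMP-X1", frozenset({"2.4.0", "2.4.1"}), 22, 8.1),    # SSH service, open
    Cve("CVE-0000-0002", "PUMP-X1", frozenset({"2.4.1"}), 8080, 9.8),           # web service, not open
    Cve("CVE-0000-0003", "CT-9000", frozenset({"5.0"}), 445, 9.8),              # SMB, open
    Cve("CVE-0000-0004", "CT-9000", frozenset({"5.0"}), None, 7.8),             # local privilege issue
    Cve("CVE-0000-0005", "MRI-500", frozenset({"1.0", "1.1"}), 104, 5.3),       # version not affected
    Cve("CVE-0000-0006", "MRI-500", frozenset({"1.2"}), 104, 5.3),              # DICOM, open
]


def exploitable(cve: Cve, device: Device) -> bool:
    """True only if the device is affected and the flaw is network-reachable."""
    if cve.model != device.model or device.version not in cve.affected_versions:
        return False
    if cve.port is None:
        return False  # tracked for patching, but not exploitable over the network
    return cve.port in device.open_ports


def likelihood(cvss: float) -> str:
    """Assumed bucketing of the CVSS 3.x base score into Low/Medium/High."""
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def prioritize(inventory, cves):
    """Return exploitable findings, highest CVSS first."""
    findings = [
        {"host": d.hostname, "ip": d.ip, "cve": c.cve_id,
         "port": c.port, "cvss": c.cvss, "likelihood": likelihood(c.cvss)}
        for d in inventory for c in cves if exploitable(c, d)
    ]
    findings.sort(key=lambda f: f["cvss"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in prioritize(INVENTORY, CVES):
        print(f"{f['likelihood']:6} {f['cvss']:4} {f['cve']}  {f['host']} ({f['ip']}) port {f['port']}")
```

Of the six records, only three survive the filter: the unreachable web service, the local-only flaw and the unaffected MRI version drop out, which is the point of filtering on the network you actually have rather than on the published list. Adding a fourth input, such as whether an exploit is publicly known, would slot naturally into `exploitable()` or the sort key.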

Asimily’s medical device supply chain capabilities empower security teams to be more efficient in resolving weaknesses in their IoMT systems. With Asimily, customers can be confident in the security of their medical devices no matter the challenge. 

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.
