Patching Medical Devices Is Not Your Father’s IT Problem

If you are involved in technology, you know the drill: the Cybersecurity and Infrastructure Security Agency (CISA) releases an urgent advisory, an Information Sharing and Analysis Center (ISAC) issues an urgent cybersecurity bulletin to its membership, or the routine Microsoft Patch Tuesday arrives.

Yet with many vulnerabilities, especially complex ones like Urgent/11 or SweynTooth, you do not get enough information on the risk, on which devices are affected, or on how they are affected; your staff is sent on a wild goose chase patching medical devices, again.

In most high-performing health organizations, these alerts trigger change management processes and organization-wide actions to identify and patch networked endpoints and servers, minimizing network exposure and data risk from the latest vulnerability.

As vulnerabilities and threats accelerate, so do the organization's exposure and risk. With little ability to change these dynamics, the challenge is which tools and processes are in place to identify and prioritize where to focus limited resources to mitigate vulnerabilities, by patching when possible or by other mitigating controls.

The Complexities of Patching Medical Devices

For those who work in Health Technology Management (HTM), Clinical Engineering (CE), or healthcare information technology, responding to newly discovered vulnerabilities and deploying patches is a different reality on connected medical devices and clinical support systems. These cases most often have to be managed on a completely different timeline.

Not to mention the added risk to patient safety and clinical operations if care cannot be delivered because of equipment downtime.

The complexities of connected medical devices, regulatory constraints, and alignment with clinical priorities do not always permit the rapid deployment of cyber-related patches, despite the FDA postmarket guidance conveying some flexibility in meeting the threats. While some suggest this FDA guidance permits patch management, the medical device manufacturer (MDM) ultimately remains responsible for “identifying risks and hazards associated with their medical devices, including risks related to cybersecurity”.

The manufacturer is still required to conduct a risk assessment for any change to its product and installed software, to ensure that the intended use of the device is preserved and that no software change alters the intended use or operation of the device. This is where delayed responses are often the reality facing HTM and CE staff.

Where does that leave the HDO when it comes to patching their medical devices?

Balancing the Tradeoffs Between Patches and Medical Device Risk

The healthcare organization faces a risk tradeoff, and this tradeoff is recognized by the FDA. An organization may consider the risk of not patching to be higher than the risk of patching; in that scenario it accepts not just the risk of patching, but also the risk of unintended consequences of the software patch on the device(s) in use. This is not a stance most hospitals or clinics are comfortable taking, if they even have the capability or program maturity to reach such a decision. Beyond the device as an endpoint, the FDA postmarket guidance makes it clear that healthcare organizations “should evaluate their network security and protect their hospital systems.” In other words, the individual organization or clinic has a clear responsibility to maintain the secure baseline of the connected medical devices it purchases and puts on its network.

This is the reality, and an area where emerging technology such as security and lifecycle management platforms can provide the greatest opportunity and support for an organization's risk management and information technology programs.

Together, the organization and MDM are “responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance”.

It takes a partnership…

Clearly, collaboration is required given the number of devices and the number of MDMs that may be represented in each healthcare organization. This partnership must span many stakeholders and often many organizations. A report from Synopsys found that US hospitals average 10-15 devices per bed: “As hospitals and other health care facilities adopt new technology, add new devices, and embrace new partnerships, patients get better and more efficient services – but the digital attack surface expands as well”. As hospitals expand the number of beds they serve, this attack surface will certainly expand with them.

The ideal partnership should include a vendor partner that can provide an agentless deep-packet inspection platform able to differentiate medical device endpoints and their associated risks, supporting an effective, robust, risk-based connected medical device risk management program.

Understanding the Differentiation of Risks

Understanding the differentiation of risks across an organization, based on ANSI/AAMI/IEC 80001, Application of risk management for IT networks incorporating medical devices, requires awareness of this unique space and an understanding of the individual endpoints in the environment. Not all risks are created equal, and a partner that can differentiate where the main risks and priorities lie provides a great opportunity to start a connected medical device security program and align it with the IT program.

In summary, for healthcare organizations to be successful with the complexities of connected devices, a risk management program requires prioritization and mitigation options specific to medical and connected devices, as well as collaboration and partnership.

The Asimily platform provides both

Utilizing risk methodologies developed specifically for medical and connected devices, Asimily research and machine learning algorithms combined with deep-packet inspection enable the Asimily platform to differentiate risk across the ANSI/AAMI/IEC 80001 risk management framework:

  1. Patient Safety
  2. Clinical Effectiveness
  3. Data/Network Security

Often, identified vulnerabilities come with a mitigation recommendation, so that the risk can be mitigated with other technical or administrative controls when patching is not possible. This permits a tactical approach to the organization's connected medical device risk management program. With this capability and approach, the organization can focus its limited resources (time, money, people) on risks with a direct impact on patient safety.
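To make the prioritization described above concrete, here is an added illustration of a risk-triage routine that ranks device vulnerabilities across the three 80001 key properties and picks the mitigation path (MDM-validated patch first, then segmentation or compensating controls). It is example code written for this page, not Asimily's scoring algorithm; the weights, the 1-5 likelihood and severity scales, the device inventory, and the advisory labels are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# ANSI/AAMI/IEC 80001-1 key properties, weighted (assumed values) so that a
# patient-safety impact outranks clinical effectiveness, which outranks
# data/network security.
KEY_PROPERTY_WEIGHT = {
    "patient_safety": 3,
    "clinical_effectiveness": 2,
    "data_network_security": 1,
}


@dataclass(frozen=True)
class Vulnerability:
    advisory: str               # placeholder label, not a real CVE or advisory id
    key_property: str           # 80001 key property most affected
    likelihood: int             # 1 (remote) .. 5 (likely), on the HDO's own scale
    severity: int               # 1 (negligible) .. 5 (catastrophic)
    vendor_patch: bool          # the MDM has released a validated patch
    network_exploitable: bool   # reachable over the network, not only locally


@dataclass
class Device:
    name: str
    segment: str                # VLAN or network zone the device sits in today
    segmentable: bool           # can move to a restricted zone without breaking workflow
    vulns: list[Vulnerability] = field(default_factory=list)


def risk_score(vuln: Vulnerability) -> int:
    """Weighted likelihood x severity. Network-exploitable issues are doubled
    because network exposure is the part the HDO can actually influence."""
    base = KEY_PROPERTY_WEIGHT[vuln.key_property] * vuln.likelihood * vuln.severity
    return base * 2 if vuln.network_exploitable else base


def recommend(device: Device, vuln: Vulnerability) -> str:
    """Mitigation path: patch when the MDM has validated one, otherwise fall
    back to technical or administrative controls."""
    if vuln.vendor_patch:
        return "patch: schedule through the clinical change window (MDM-validated)"
    if vuln.network_exploitable and device.segmentable:
        return "segment: move to a restricted zone and allow only required flows"
    if vuln.network_exploitable:
        return "compensate: ACLs at the current segment boundary; monitor traffic"
    return "administrative: restrict physical/local access; track for a future MDM patch"


def triage(devices: list[Device]) -> list[tuple[int, str, str, str]]:
    """Return (score, device, advisory, action) rows, highest risk first."""
    rows = [
        (risk_score(v), dev.name, v.advisory, recommend(dev, v))
        for dev in devices
        for v in dev.vulns
    ]
    return sorted(rows, key=lambda r: r[0], reverse=True)


# Constructed sample inventory: device names, advisories and ratings are made up.
SAMPLE_DEVICES = [
    Device("infusion-pump-07", "clinical-vlan", segmentable=True, vulns=[
        Vulnerability("ADV-EXAMPLE-1", "patient_safety", 3, 5,
                      vendor_patch=False, network_exploitable=True),
    ]),
    Device("pacs-workstation-02", "it-vlan", segmentable=False, vulns=[
        Vulnerability("ADV-EXAMPLE-2", "data_network_security", 5, 4,
                      vendor_patch=True, network_exploitable=True),
    ]),
    Device("ultrasound-cart-11", "clinical-vlan", segmentable=True, vulns=[
        Vulnerability("ADV-EXAMPLE-3", "clinical_effectiveness", 2, 3,
                      vendor_patch=False, network_exploitable=False),
    ]),
]

if __name__ == "__main__":
    for score, dev, adv, action in triage(SAMPLE_DEVICES):
        print(f"{score:3d}  {dev:22s} {adv:15s} {action}")
```

The point of the ordering is that the unpatched infusion pump with a patient-safety impact lands at the top even though its raw likelihood is lower than the PACS workstation's; the workstation has a vendor patch and a data-only impact, so it takes the ordinary patch route, while the pump gets a segmentation recommendation until the MDM ships a validated fix.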

Not all vulnerabilities are equal…focus on serious risks first.

In the dynamic space of exponentially escalating cyber threats, an organization must determine the real risks on which to focus its resources and efforts, and must understand how to mitigate risk when no manufacturer-certified patch exists or when network segmentation and device quarantining are not easily applied.

These capabilities are essential for the healthcare system to reduce risk, prioritize resources, and ensure patient safety and quality patient care.

Asimily provides clients with innovative exploit vector analysis combined with a comprehensive risk scoring mechanism that factors in critical measures of risk and leads to a prioritized depiction of risk.

This best-in-class risk-scoring capability provides a prioritization path for the healthcare system to develop a risk-based approach with a clear direction to remediate or mitigate the organization’s medical and connected device risks.

Schedule a consultation with an Asimily expert to see how you can defend your healthcare systems against ransomware and malware attacks with our leading risk management platform for connected devices.

Reduce Vulnerabilities 10x Faster with Half the Resources

Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.