When looking at an operating room, how many types of devices and clinical information systems can you think of? Based on the patient acuity and care delivery plans, the types of systems, resources, and data needed are methodically planned. 

When it comes to managing the vulnerabilities of medical devices and clinical information systems, a methodical approach is also crucial. In the context of an operating room, where numerous devices are connected to provide clinical functionality, the risks of cyber-attacks are high. However, providers face constraints in terms of systems, resources, and budget. So, how can healthcare organizations prioritize vulnerability management to minimize risks that impact patients, business, and data?

First, we need to recognize the rapid shift in healthcare technology adoption, including the dire need for digital transformation in the environment of care. Second, we need to accept that the threat landscape is constantly evolving, with creative adversary techniques. Third, we need to challenge the status quo, close skill gaps, and accelerate the prioritization of activities essential to managing the complexities of these systems.

The Need for Nuanced Vulnerability Management in Healthcare

Taking the example of an operating room, the majority of the medical devices are connected to the network or to one another to provide as much clinical functionality as possible. Most of them fall under the “legacy” category, and many have security flaws such as plain text passwords, insecure application programming interfaces (APIs), outdated plugins, and unmonitored ports and services that open numerous doors for an attacker to render clinical services inoperable. We have seen numerous occasions where hospitals have diverted patients after adversaries encrypted their data and denied access to critical, if not all, information systems. The most commonly used systems, such as hospital communication, lab ordering, medication supply, radiology, and patient charting, become unusable, creating additional paths for medical errors, safety events, and even fatalities.

Applying a traditional vulnerability management approach may not be sufficient to solve this problem. Using a virtual machine to scan every device on the network, enumerating the vulnerabilities present in any of their components, and applying patches from the manufacturer or software vendor may not work. There are several reasons why this strategy falls flat in the clinical space:

  • First, many of these devices are not designed to be scanned in this manner. Doing so could cause a crash, potentially putting care delivery, or even patients, at risk.
  • Second, many if not most device manufacturers do not regularly release patches, and applying third-party patches immediately may violate regulatory approvals or service warranties.
  • Last and most importantly, these devices are not like general-purpose computers. The way they behave is significantly more regimented. A component that exists in a medical device’s operating system may be “vulnerable,” but if said component is never used in the device’s normal workflow, the risk is very low and vulnerability management on the device isn’t needed as quickly.

We must have a more nuanced and contextual strategy for solving this dilemma. This means understanding, for each device model, its clinical workflow, the specific functions it performs, and the parts of the device’s code that are exercised during its normal operation.

For example, a device that stores or transmits personal health information (PHI) will generally be a higher priority to fix than one that doesn’t. Similarly, a device that is connected to or communicates with critical systems should be prioritized over one that isn’t, because attackers will often move laterally within an organization once they compromise a system.

Finally, we must move beyond a myopic fixation on patching as the only solution to vulnerability management. When taking the device’s clinical workflow into account, in many cases workarounds are possible that effectively mitigate or even eliminate the risk of a vulnerability without patching and without compromising care delivery.
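The contextual triage described in this section, sketched as an added example that is not code from the article or from any vendor product. The field names, the three tiers, the action labels, and the sample inventory are assumptions made for illustration; the ordering follows the article's factors (whether the vulnerable component is exercised in the clinical workflow, PHI handling, connection to critical systems, and whether a manufacturer patch or a workaround exists).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    device_model: str        # constructed sample name
    vuln_id: str             # placeholder ID, not a real advisory
    exercised: bool          # vulnerable component runs in the normal clinical workflow
    handles_phi: bool        # device stores or transmits PHI
    talks_to_critical: bool  # connected to critical systems (lateral-movement reach)
    vendor_patch: bool       # manufacturer-released patch exists
    workaround: bool         # mitigation exists that does not disrupt care delivery

def tier(f: Finding) -> int:
    """Assumed tiers: 1 = act first, 3 = can wait."""
    if not f.exercised:      # component never used in the workflow: low risk
        return 3
    return 1 if (f.handles_phi or f.talks_to_critical) else 2

def action(f: Finding) -> str:
    """Pick a remediation path; patching is only one of the options."""
    if not f.exercised:
        return "monitor"
    if f.vendor_patch:       # third-party patches are deliberately not considered
        return "schedule vendor patch"
    if f.workaround:
        return "apply workaround"
    return "escalate to manufacturer"

def triage(findings):
    """Return (tier, device, vuln, action) rows, most urgent first."""
    def key(f):
        return (tier(f), -(f.handles_phi + f.talks_to_critical), f.device_model)
    return [(tier(f), f.device_model, f.vuln_id, action(f))
            for f in sorted(findings, key=key)]

# Constructed inventory for the example.
SAMPLE = [
    Finding("infusion-pump-A", "VULN-0001", True, False, True, False, True),
    Finding("anesthesia-ws-B", "VULN-0002", False, True, True, False, False),
    Finding("patient-monitor-C", "VULN-0003", True, True, True, True, False),
    Finding("or-display-D", "VULN-0004", True, False, False, False, False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```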

Balancing Cybersecurity Risk Against Clinical Needs

Vulnerability management for medical devices will always involve balancing cybersecurity risk against clinical needs, and it is further complicated by limited staffing. But with the right approach, it doesn’t have to be frustrating and open-ended. Understanding both a device’s likelihood of exploitation and the impact that a compromise can bring makes healthcare technology management (HTM) cybersecurity programs far more effective and, ultimately, allows the healthcare delivery organization to put patient and provider safety as its top priority. Take a dive into this Vulnerability Management for IoMT Webinar to fully understand how to juggle this balancing act.

The Role of Asimily in Vulnerability Management for Medical Devices

Asimily provides a comprehensive solution for managing the vulnerabilities of medical devices. By identifying a device’s intended use, analyzing numerous attack vectors, and consolidating threat intelligence from vetted sources, Asimily profiles the “cyber health” of devices on the healthcare network and classifies them into high, medium, and low-risk categories. This helps healthcare technology management and cybersecurity professionals prioritize cybersecurity management activities, particularly vulnerability management, without sacrificing patient care.
