When looking at an operating room similar to the one in this photo, how many types of medical devices and clinical information systems can you spot?* Based on patient acuity and care delivery plans, the systems, resources, and data needed for each case are methodically planned.
So, when we have hundreds or thousands of these medical devices exposed to cyber risks with the potential to cause harm, why are we not planning vulnerability management just as methodically? Providers are constrained on multiple levels: systems, staff, and budget. Is it really an issue of scalability, or is it about prioritizing the components in this digital labyrinth whose compromise would hurt the patient, the business, and the data the most?
First, we need to identify the rapid shift in healthcare technology adoption, including the dire need for digital transformation in the environment of care. Second, we need to accept that the threat landscape is constantly evolving, with creative adversary techniques. Third, we need to challenge the status quo, improve skill gaps, and accelerate prioritization of activities essential to manage the complexities of these systems.
Taking the operating room as an example, the majority of the medical devices are connected to the network, or to one another, to deliver their full clinical functionality. With most of them falling into the "legacy" category, many have security flaws such as plain-text passwords, insecure application programming interfaces (APIs), outdated plugins, and unmonitored ports and services, each of which opens a door for an attacker to render clinical services inoperable. We have seen numerous occasions where hospitals diverted patients after adversaries encrypted their data and denied access to critical, if not all, information systems. The most commonly used systems, such as hospital communication, lab ordering, medication supply, radiology, and patient charting, become unusable, creating additional paths to medical errors, safety events, and even fatalities.
Applying a traditional vulnerability management approach to this problem would mean deploying a scanner (typically a virtual appliance) to actively probe every device on the network, enumerating the vulnerabilities in each of their components, and applying patches from the manufacturer or software vendor. There are several reasons why this strategy falls flat in the clinical space:
· First, many of these devices were never designed to be scanned in this manner, and doing so can crash them, potentially putting care delivery or even patients at risk.
· Second, many, if not most, device manufacturers do not regularly release patches, and applying third-party patches may violate regulatory approvals or service warranties.
· Last, and most importantly, these devices are not general-purpose computers; their behavior is far more regimented. A component in a medical device's operating system may be "vulnerable," but if that component is never exercised in the device's normal workflow, the risk is very low.
We need a more nuanced, contextual strategy for this dilemma. That means understanding, per device model, the clinical workflow, the specific functions the device performs, and which parts of its code are actually exercised in normal operation. For example, a device that stores or transmits protected health information (PHI) will generally be a higher priority to fix than one that doesn't. Similarly, a device that connects to or communicates with critical systems should be prioritized over one that doesn't, because once attackers compromise one system they often move laterally through the organization.
Finally, we must move beyond a myopic fixation on patching as the only answer to a vulnerability. When the device's clinical workflow is taken into account, a workaround (a compensating control such as restricting which peers and ports can reach the device, or disabling a service the workflow never uses) is in many cases enough to mitigate or even eliminate the risk, without patching and without compromising care delivery.
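The following is an added illustration of the prioritization logic described above, not Asimily's scoring model and not code from the original article. It encodes the three ideas the text relies on: a vulnerable component that the clinical workflow never exercises contributes near-zero likelihood; PHI storage and connectivity to critical systems raise impact; and a compensating control is a first-class action when no vendor patch exists. The devices, findings, weights, and tier thresholds are all assumptions constructed for the example.

```python
"""Contextual prioritisation of medical-device findings (added example).

Weights, thresholds and the inventory below are assumptions chosen to mirror
the article's reasoning; they are not a vendor's model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    description: str        # constructed, descriptive text; no real advisory ids
    exercised: bool         # does the clinical workflow ever run this component?
    network_reachable: bool  # can the flaw be reached over the network at all?
    patch_available: bool   # a vendor-validated patch exists


@dataclass(frozen=True)
class Device:
    model: str
    stores_phi: bool
    talks_to_critical_systems: bool  # e.g. EHR, central station, PACS
    segmentable: bool                # can be isolated without breaking its workflow
    findings: tuple


TIER_ORDER = {"high": 0, "medium": 1, "low": 2}


def likelihood(f: Finding) -> int:
    """0..3: an unexercised component is effectively unreachable by an attacker."""
    if not f.exercised:
        return 0
    return 3 if f.network_reachable else 1  # local/physical access only -> low


def impact(d: Device) -> int:
    """1..3: baseline clinical impact, plus PHI, plus lateral-movement value."""
    return 1 + int(d.stores_phi) + int(d.talks_to_critical_systems)


def tier(risk: int) -> str:
    if risk >= 6:
        return "high"
    if risk >= 2:
        return "medium"
    return "low"


def recommend(d: Device, f: Finding, t: str) -> str:
    """Patching is one option among several, chosen by context."""
    if t == "low":
        return "monitor; component not exercised or not reachable"
    if f.patch_available:
        return "apply vendor-validated patch in a maintenance window"
    if f.network_reachable and d.segmentable:
        return "segment: allow only the peers and ports the workflow needs"
    if f.network_reachable:
        return "compensating control: monitor traffic, block at perimeter, escalate to vendor"
    return "compensating control: restrict physical/local access"


def plan(devices) -> list:
    """Return one row per finding, highest tier and risk first."""
    rows = []
    for d in devices:
        for f in d.findings:
            risk = likelihood(f) * impact(d)
            t = tier(risk)
            rows.append({"model": d.model, "finding": f.description,
                         "risk": risk, "tier": t, "action": recommend(d, f, t)})
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]], -r["risk"]))
    return rows


# Constructed OR inventory: four devices, one finding each.
OR_INVENTORY = (
    Device("patient monitor", True, True, True, (
        Finding("web admin UI accepts a plain-text password", True, True, False),)),
    Device("anesthesia unit", True, True, True, (
        Finding("outdated document-viewer plugin in embedded OS", False, True, True),)),
    Device("electrosurgical unit", False, False, True, (
        Finding("unmonitored telnet service listening", True, True, True),)),
    Device("ultrasound", True, False, False, (
        Finding("image export API reachable without authentication", True, True, False),)),
)

if __name__ == "__main__":
    for r in plan(OR_INVENTORY):
        print(f'{r["tier"]:6} {r["risk"]:2} {r["model"]:20} {r["finding"]} -> {r["action"]}')
```

Two points in the output are worth noticing. The anesthesia unit carries a patchable, network-reachable flaw yet lands at the bottom, because the workflow never touches that plugin; the patient monitor carries an unpatchable flaw and lands at the top with segmentation, not patching, as the action. Whether a component is "exercised" and "reachable" should come from passive observation of the device's actual traffic and documented function, not from the active scanning the article warns against.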
By identifying a device's intended use, analyzing its attack vectors, and consolidating threat intelligence from vetted sources, Asimily profiles the "cyber health" of devices on the healthcare network and classifies them into three risk categories. These high, medium, and low risk categories let healthcare technology management (HTM) and cybersecurity professionals prioritize their cybersecurity management activities, vulnerability management in particular.
Vulnerability management for medical devices will always involve balancing cybersecurity risk against clinical needs and limited staffing. But with the right approach, it doesn't have to be a frustrating, open-ended exercise. Understanding both a device's likelihood of exploitation and the impact a compromise would have makes the HTM cybersecurity program far more effective, and lets the healthcare delivery organization keep patient and provider safety as its top priority.
*Patient monitor, anesthesia unit, defibrillator, robotic unit, ultrasound, hi-def wall and boom monitors, electrosurgical unit, smoke evacuators, sequential compression device, surgical lights, operating table, OR audio/video integration system, air warming unit, blanket and blood warmers, workstations, surgical sponges, and more.