Overcoming Security and Risk Management Challenges for Networked Medical Devices

As medical devices are becoming increasingly interconnected to provide the benefits of integrated and more efficient patient care, healthcare providers are challenged to manage the security risks of these connected devices. However, the increase in quality of care and gains through automation can only be realized if the resulting cybersecurity risks are managed to an acceptable low level.

Networked Medical Device Management Challenges

Managing networked medical devices from an IT and security perspective can be extremely challenging. Currently, there are around 10 to 15 million connected devices in US hospitals. A recent survey found that 82% of healthcare organizations have experienced an internet of things-focused cyberattack in the past year.

Healthcare providers face multiple technical and administrative issues that make it difficult to reliably and predictably deal with the complexities of their networked medical device ecosystem. The following challenges need to be addressed:

  • Vast Fleets of Devices. Providers have thousands of devices like physiological monitors, infusion pumps, ultrasound machines, etc. connected to their network. These different types of devices are supplied by many different manufacturers and as a result, vary widely in their technology platforms (e.g. operating systems). This also means they have varying security maturity and software management capabilities. A typical mid-size healthcare provider may have several thousand devices from hundreds of different manufacturers within their environment which makes the problem of managing networked medical devices extremely challenging.

  • Devices of Various Ages. Old and new devices with varying security maturity and capabilities coexist on the same network. An old infusion pump might be running a stripped-down customized Linux version that might not have the capabilities to be managed from a security and risk perspective. A new ultrasound machine, on the other hand, might have the latest Windows operating system with the ability to be remotely or centrally managed. In such scenarios, it might be easier to protect the ultrasound machine than the infusion pump, but it doesn’t eliminate the need to find a solution for the pump.

  • Difficult to Use General IT Practices. Design and use case constraints make it difficult to use commonly deployed management techniques, like device discovery or vulnerability scanning, as they are used in the IT space. For example, Scot Copeland in his presentation for ACCNet mentions how the Telemetry Monitoring system had failed as the result of a network vulnerability scan, which led to a temporary loss of equipment availability and diagnostic data.

  • One Solution Doesn’t Fit All. There is no common architecture on how to build a secure medical device network, and the data relevant to device and network properties is widely distributed across components. This means anyone attempting to understand a networked medical device has to look across a variety of distributed data sources which further adds to the complexity.

All of this means that healthcare providers have a variety of problems they must deal with, and they need to think holistically about how they want to approach networked medical device management.

Building a Device Master Record

The first problem is getting a comprehensive view of all risk and security-relevant medical device data. Most providers have a list of biomedical devices and some of their parameters in a CMMS database. This database has some valuable information about the device but typically does not have any of the relevant IT or cybersecurity parameters. Moreover, historically collected asset information has been known to be incomplete or inaccurate.

Without knowing all the details about the device, providers find it challenging to develop a strategy around procurement, replacement planning, lifecycle management, and medical device risk management. This could be addressed through a comprehensive device master record that allows the providers to optimize inventory, manage risks, focus resources, reduce costs, and, as a result, improve their overall connected device security posture and operational efficiency.

Device Relationships

The second problem is understanding how the devices are integrated, how they interact with other devices in the network, and how the data is flowing. Understanding device relationships allow the provider to properly configure or segment the network. Understanding how medical data flows through their network is useful in understanding any potential existing configuration issues (e.g. observation data from a device flowing to the wrong servers) which can be a problem with the complexities of healthcare protocols and the large number of devices distributed across the network. Misconfigured devices can lead to devices not functioning and leading to downtime. Also if the data cannot be tracked, it could lead to potential fines and costly debugging efforts.

Contextual Risk Management

The third problem is the ability to prioritize the mitigation tasks associated with different devices. Considering the wide variety of devices, use cases, and vendors, providers need to focus on their highest-risk devices. Such an approach reduces the risks to care delivery, patient safety, security, privacy, and business operations. 

In a complex industry like healthcare though, the risk does not just depend on the number of vulnerabilities or anomalies but varies across many parameters. For example, a ventilator has a higher patient safety risk than an ultrasound imager. Or, a device with a Microsoft operating system might have a higher likelihood of being infected by malware than a device that runs a proprietary operating system. There are many more such examples across a variety of dimensions. The inability to prioritize appropriately and react swiftly can lead to costly misdirected efforts, constant fire-fighting, and a continuous stream of issues that could impact delivery and quality of care.

 

Incident Monitoring

The fourth problem is getting a continuous view of the security and operational behavior of the device. The main challenge is that medical devices might have differences in behavior depending on the device and the environment which might appear as a problem. For example, a potential deviation of behavior because of a patch that updates the device configuration might be normal, whereas a change in behavior because of a security attack would be an anomaly. 

Differentiating between the two and providing an accurate view to the provider is important to eliminate extensive time and effort debugging non-existent issues or letting problems proliferate in their network.

Looking Forward

The increasing number of interconnected medical devices provides significant benefits to patients but also presents significant security risks. Healthcare providers face multiple challenges in managing networked medical devices and can address these challenges by taking the appropriate steps. Moving forward, healthcare providers must continue to manage these risks to ensure the delivery of high-quality patient care. 

Asimily is a healthcare cybersecurity service provider with focused security solutions for procurement risk assessments, threats protection technologies, and staff training courses that can help you protect your organization from cyber-attacks and grow in the years to come.

Schedule a demo today to learn how Asimily can help to make medical device risk management easier and protect your connected devices against ransomware and malware attacks.

Reduce Vulnerabilities 10x Faster with Half the Resources

Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.