Phishing emails aimed to compromise employee credentials. Encryption used to prevent exposure of sensitive data in the event of accidental loss or theft. Ransomware, rendering hospital computers useless and access to digital medical records unavailable. These are just a few of the things health systems are battling today in an increasingly sophisticated threat landscape. More often than not, it’s patient records and sensitive data that sits at the root of all privacy and security controls being implemented. But there’s an increasing concern over network connected medical devices that is threatening one of the core missions of every health system – patient safety.
Connected medical devices are becoming a key part of healthcare infrastructure, with the average hospital room containing nearly 15-20 of them. Some of these devices are still running on obsolete operating systems, while others were manufactured with significant vulnerabilities, such as embedded passwords in the software code. The amount of IoT devices in a hospital can be more than twice the number of traditional networked devices, such as laptops and smartphones. The challenge in securing these devices is becoming increasingly clear to health systems around the world. While there’s no bulletproof solution to solve this problem, a number of measures and controls can be implemented that significantly reduces the risk to these devices, and ultimately protects patient safety.
Be out in front of the issue
While the Food and Drug Administration (FDA) encourages medical device manufacturers to proactively secure their devices, many continue to challenge this guidance with common myths circulated throughout industry. An example of one of these common myths is that the FDA tests all medical devices for vulnerabilities. The truth is that the FDA does not conduct pre-market testing of medical devices and it’s the responsibility of the manufacturers to do so. Ensuring this testing has taken place, among other requirements, such as vulnerability and patch management of devices, is paramount when negotiating with medical device manufacturers. It’s important for information security and clinical engineering teams to understand the facts and work with their legal departments to build security measures into their contracting.
Another common challenge for these teams is the various avenues of intake medical devices tend to enter hospitals through. Setting and enforcing policies and standards for medical device procurement will go a long way in ensuring the proper checks and balances have taken place before they get into production.
Understand your scope
Asset management is another area where a common and standard procurement process will save loads of time and headache for clinical engineering and cybersecurity teams. Putting these measures in place will ensure net-new devices are accounted for and properly managed. Many hospitals have devices on their floors that have been there for decades. Aiming to solve this problem through years of attrition simply isn’t feasible due to the threats hospitals face today. Health systems need to use a combination of technology and some manual inventory management to capture a complete picture of what they have on the floors, where they are located, and what purpose each device serves. This exercise will also prove invaluable in classifying the devices and measuring their risk to the network and patients.
Implement layers of security within the network
One of the most effective ways to protect medical devices from other network-connected devices and to protect the network from medical devices that lack the proper level of security controls is to logically separate them from one another. Implementing advanced micro-segmentation in a physical environment can be challenging and complex, but basic levels of network segmentation are completely achievable to start, assuming you’ve undertaken the process of understanding the landscape of the medical device environment first.
Port security through network access control solutions can also be extremely effective in maintaining an environment where rouge medical devices don’t find their way onto the network without coming through the proper channels first. Effective network access control is a complex and time-consuming implementation, but the payoff will be a highly improved level of visibility and control.
An additional security control is the deployment of a behavioral anomaly-based network solution, specifically designed for medical devices. This level of visibility will give cybersecurity teams the ability to detect unusual behavior from a medical device and quickly respond before a potential breach or infection gets out of hand.
As more network-connected medical devices continue to enter healthcare IT infrastructure, cybersecurity and clinical engineering teams need to work with the business to implement controls to reduce risk and increase patient safety. In the meantime, with both pre-market and post-market guidance coming from the FDA in recent years, a strong urge for enforcement and manufacturer accountability from the government remains a top priority to fixing a fast-growing issue.
Dan Costantino is the Chief Information Security Officer of Penn Medicine.