How hospitals can address medical device vulnerabilities

Hospitals rely heavily on medical devices and Internet of Medical Things (IoMT) devices to deliver high-quality patient care and improve outcomes. With an average of 10 to 15 medical devices per bed in a US hospital, a 1,000 bed hospital could have up to 15,000 medical devices to manage. Unfortunately, with the proliferation of medical devices and IoMT comes an ever-increasing attack surface.

Cyberattacks on medical devices can lead to misdiagnoses or missed treatments, resulting in serious injury or loss of life, as well as significant loss of business and reputational damage. Since these assets are mission critical, healthcare organizations must work diligently to secure them.

Cybersecurity challenges

Medical device and IoMT vulnerabilities scare clinicians, biomedical engineers, CISOs, and network security administrators, for good reason. Securing these assets poses many challenges.

• The clinical networks are not the same. IoMT and medical devices are difficult to manage because they are “headless”, i.e. a security officer cannot be installed on them to monitor and enforce compliance. Many of these devices are susceptible to active scanning and scanning, which can disrupt business or, worse, damage assets. Additionally, they share information and communicate with various endpoints, making them powerful vectors of damage.
• Separate management from other cyber assets. Medical devices and the IoMT are managed separately from other connected devices by clinicians and bioengineers whose primary concern is medical safety, including tracking recalls. To gather the data needed to update the CMMS, biomedical managers always move room by room, floor by floor, equipped with boards and counting. As a result, security teams have a fragmented view of their digital landscape, marred by blind spots and risks.
• Supply chain vulnerabilities and third-party maintenance. Not only are medical devices and IoMT not managed by IT; often they are not managed within the health system. Generally, FDA-regulated medical devices must be serviced by the manufacturer or a specialized service company. As a result, the hospital’s IT team does not know when these devices have security vulnerabilities or when a patch will be available (Example – Access: 7)
• Escalation of data breaches. The wealth of sensitive personal and financial data handled by hospitals and healthcare systems, coupled with known cybersecurity vulnerabilities, makes the healthcare sector an attractive target for cyberattacks. Over the past three years, 93% of healthcare organizations have experienced a data breach and 57% have had more than five breaches.
• Underinvestment in cybersecurity Healthcare organizations typically allocate 5-6% of their IT budget to cybersecurity, compared to 11-12% for more mature industries. It is therefore more difficult to recruit qualified talents, who receive a high salary and wish to have access to the latest technologies.

Recommended approach

A comprehensive solution requires continuous, automated discovery, assessment, and governance of ALL cyber assets in your environment, including medical devices and IoMT, without disrupting patient care.

1. Know what’s on your network. The main problem is to fully understand what is connected to your network. You can’t protect what you can’t see. Visibility requires the discovery, classification, and rating of each asset upon connection, and continuously thereafter. Sensitive and unmanaged devices should be visible and managed.
2. Design context-aware segmentation policies. Segmentation limits the attack surface by limiting communications between assets to what should be communicating with each other and isolating vulnerable devices until they can be remediated. This is especially important for legacy devices that are critical to patient care but are no longer supported by the manufacturer. Without segmentation, an attack on one part of the network spreads laterally. The vast majority of threats can be mitigated with proper segmentation, so you don’t have to worry about which vulnerability is next and which is after.
3. Automate repetitive tasks. Given limited resources, IT teams lack the ability to assess, in real time, all devices and confirm that each complies with security policies and regulatory mandates, let alone take appropriate action. Cybersecurity must be managed holistically. Using this information, it can automatically control network access, enforce asset compliance, and coordinate incident response to minimize propagation and disruption.

The buck stops with the CISO

Medical devices and IoMT are associated with direct patient care. They are managed within the hospital by clinicians and bioengineers, but often maintained externally by the manufacturer. Historically, medical devices were not connected, and too often security is still an afterthought for manufacturers. But make no mistake: they are cyber-assets, and often riddled with vulnerabilities and callbacks.

Among the stakeholders, the CISO is responsible for risk management and compliance for every asset connected to the network: laptops, switches, Zebra printers, badge readers, thermal cameras, pharmacy dispensers, etc. Including medical devices and IoMT in holistic efforts to secure the digital terrain is the surest way to limit risk and protect patients.

Photo: roshi11, Getty Images