Medical Device Security is crucial to patient safety & National Security

Our nation’s proactive cybersecurity efforts focus on implementing a collaborative approach to addressing the well-known fact that “security is only as strong as our weakest links”. As such, the security of medical devices and their associated networks must now be a national security priority because of their ubiquitous connections throughout the healthcare communities, government agencies and other users/entities. As we know, medical device cyber-security is crucial to patient safety, to the protection of sensitive patient data, and to the business integrity of the associated Health Delivery Organizations (HDOs). Today, new innovations are being connected to medical devices, such as IoT (Internet of Things), wearables, and electronic health records, which enhance healthcare services; however, these local and/or global interconnections add new vulnerabilities which increase healthcare and cyber risks to all stakeholders, including our Nation’s Federal agencies.

As we know and have learned through this COVID-19 National Emergency, hackers are constantly trying to find ways to gain access to our healthcare systems/networks. Here are a few good practices for your organization to consider:

1.     What strategies hospitals can use to improve response and resilience to cyber-attacks

 To yield the best results, meet the challenge of enhancing your security posture with a collaborative team approach. This includes not only increasing the employees' security awareness but also deputizing the patients to become part of the IT-HTM (Health Technology Management) team focused on the protection of their sensitive data and safety. Your team may want to consider including some or all of the bullets below in your security enhancement plan:

A.    Asset Management

·        Inventory all systems (include sensitive data inventory)

·        Know where they are at all times (RTLS, networking location, etc.)

·        Know each system's security posture and risk assessment category (how vulnerable it is, what threats exist against it; secure it according to its risk assessment categorization)

B.    Know the network (How is my network mapped?)

·        Map the network

·        Map how the system connects to the business side and healthcare side (part of Risk Assessment- patient safety, sensitive data, and business financials, etc.)

·        Cloud systems (are they trusted / secured clouds; for example, are they FedRAMP certified?)

C.     Train and deputize all stakeholders to include employees and patients (each person has a responsibility to protect the sensitive data and patient safety)

 

D.    Implement a Medical Device Life-Cycle Cyber-security plan (Framework – NIST Cybersecurity Framework)

 Communication – Training – Validation – Scanning – Remediation-Patching – Medical Device Isolation

a.      Include cyber-security in the medical device procurement phase (including IoT devices used with medical devices)

b.     Request a security patch-management plan from the MDM (medical device manufacturer); MDS2 (Manufacturers Disclosure Statement of Medical Device Security)

c.      Build rapport with the MDM and maintain open communications / records for notification of identified vulnerabilities and patch-management. Support those MDMs which are proactive in keeping their systems promptly patched.

d.     Perform Risk Management for each medical device (risk assessment, categorize security requirements based on RA, implement security, mitigate residual vulnerabilities)

e.      Implement a medical device isolation network architecture (VLAN – “segmentation” firewalls, ACL – Access Control List, etc.) for medical devices (this is truly useful for preventing infection of medical devices when tracking viruses as they approach the network)

f.        Include CM (Continuous Monitoring of MD cyber-security posture) (NSOC monitoring, NIST Vulnerability Database)

g.      Ensure the MDM is proactive in testing/approving patches for identified vulnerabilities

h.     Make all personnel and patients aware of cyber weaknesses and their responsibilities to protect the systems/sensitive data (Train, train, train)

E.     NIST CyberSecurity Framework: (use NIST's Framework to build yours)

·        Identify – use NVDB – NIST Vulnerability Database

·        Protect – Patch, implement security controls, mitigate residual

·        Detect – (Identity and Access Management, NSOC, Network sec

·        Respond – (contain and stop, VLAN isolation, physical interventions, etc.)

·        Recover (Back up systems)

·        Prevent future repeats using lessons learned

 

F.     Have a COOP (Continuation of Operations Plan)

·        Plan to revert to manual (non-computer) paper-based healthcare for incidents when computer systems are taken down

·        Plan to revert to back-up systems (maintain digital backup systems locally and in other partners’ sites in other geographical locations, etc.)

·        Plan to work with local hospital / Health Delivery Organizations (HDOs) as per MOU (Memorandum of Understanding)

·        Plan to collaborate with the State and Local Department of Health, Medical Device Manufacturers, etc. 

G.     Incident preparedness and response plans (to include written processes for communications and POCs - points of contact)

  1.  Prepare (practice, practice)

  2.  Detection and Analysis (Continuous Monitoring)

  3.  Contain, Correct, Recover

  4.  Post Incident Report / Activity (lessons learned, update all plans with new information)

Collaboration yields success!  

Some helpful links:


https://www.nist.gov/programs-projects/national-vulnerability-database-nvd

https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf

Please refer to our published articles and others below:

https://www.healthcare-informatics.com/news-item/cybersecurity/hhs-releases-voluntary-healthcare-cybersecurity-practices

http://www.24x7mag.com/2018/09/studying-medical-device-service-model/

https://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm622074.htm

http://www.24x7mag.com/2018/05/reducing-risks-healthcare/

http://www.24x7mag.com/2013/07/the-medical-device-security-life-cycle/

http://www.24x7mag.com/2013/02/laptop-and-mobile-device-risk-management/

http://www.24x7mag.com/2012/09/creating-a-risk-reduction-program-for-mobile-health/

https://www.fda.gov/MedicalDevices/Safety/

https://www.fda.gov/AboutFDA/CentersOffices/OfficeofMedicalProductsandTobacco/CDRH/CDRHReports/ucm604500.htm