Listening to Part 1 of the Minnesota HIMSS webinar series Medical Device Security Overview for Healthcare Delivery Organizations with speakers Matt Dimino and Carrie Whysall from CynergisTek, I found the following to be useful information that you can apply to your organization’s security program development.
Medical Device Security Services
Medical devices have important functions and carry sensitive data, making them attractive cyber attack targets. As medical devices become increasingly connected to the internet, they are becoming greater security risks. These devices are purchased and utilized by different departments within the organization, which can lead to inaccurate asset inventories and unmanaged devices.
Attacks on medical devices can cause disruptions in patient care and possibly result in patient harm. Not only will this result in lower quality care for that patient, it will also affect the organization's reputation and bottom line.
IoT & IoMT Device Security Challenges
There are a variety of security challenges that come with securing medical devices, and each requires a different solution.
- Culture: There’s a disconnect between IT and Clinical Engineering teams. Each group has minimal experience and knowledge of the other’s work and capabilities.
- Legacy Systems: Many medical devices on networks today are running on outdated operating systems and are kept for long periods of time.
- Unable to Update: Medical devices are often difficult, if not impossible, to patch.
- Medical Device Ecosystem is Complex: The medical device ecosystem is very complex, with devices coming from multiple vendors and software platforms.
- Lack of Security Controls: Many familiar IT security controls don’t apply to medical devices. Administrative and physical controls can be disruptive to patient care and operations.
- Lack of Tools: IT teams have limited tools that work well with medical devices and can scan inventories for vulnerabilities.
- Medical Devices are Proprietary: Medical devices are specialized, with different wireless requirements, hardware and software.
- Insufficient Visibility: Many medical device networks lack adequate visibility of their medical device inventory.
- Inventory Size: Hospitals have about 10 to 15 connected medical devices per bed, and each device has an average of 6.2 vulnerabilities.
Medical Device Security Components
Medical device security should be comprehensive. Creating a security program in three stages ensures it will be implementable down the line.
- Risk Assessment: The first step in creating a program is assessing your current security practices. This includes reviewing the current security program practices, installing a passive network scanner, and creating a security risk classification guide. Organizations should also segment devices and decide which teams, IT or Clinical Engineering, will remediate vulnerabilities and oversee different devices.
- Program Development: Next, create a cybersecurity program by adding security practices to pre-existing device management practices. This includes continued surveillance over remediated devices and other assets, as well as standardized device assessment, configuration and incident procedures.
- Program Management: Sustained device management is necessary for medical organizations to stay secure. Assisting in medical device procurement and deployment, vulnerability reporting, and remediation planning should all be performed as part of program management.
How Ordr Can Help
CynergisTek highlighted a passive device scanner as a key tool for creating and automating a medical device security program. Ordr Systems Control Engine (SCE) is able to provide an accurate asset inventory, properly classify devices with the granular detail needed for appropriate workflows, baseline and map device communications, and enable micro-segmentation efforts.
The Ordr SCE gives organizations the power to enable visibility and security of their network-connected devices, with a simple and powerful solution to identify, classify, profile the behavior and risk of, and automate action for every network-connected device in the enterprise. To learn more about how Ordr can enable an effective IoT security strategy for your organization, request a free sensor.
Look for blog posts covering Parts 2 and 3 of the Medical Device Security webinar series in the future. You can watch the full HIMSS webinar here.