[Part 2] Medical Device Security: Building an ROI-Based Business Case

Watching Part 2 of the Minnesota HIMSS webinar series Medical Device Security Overview for Healthcare Delivery Organizations with speakers Matt Dimino and Carrie Whysall from CynergisTek, I found the following to be useful information that you can apply to your organization’s security program development.

IoT & IoMT Device Security

Device Risk

The biggest medical device security risk organizations face is the possibility of a widespread attack or multiple security threats happening at once. This can cause widespread unavailability of devices needed to treat patients. The integrity of devices is also important to consider, without proper device management and supervision, malware can remain undetected.

Gaps

Medical devices should be assessed at point of purchase. Before putting a device on a network it should be checked for basic passwords and other vulnerabilities. Organizations should also know all devices that are on the clinical network, and track what those devices are doing. Clinical Engineering (CE) and Information Technology (IT) teams should work together to leverage their training and awareness of device security risks.

Challenges

Typically there are safety specialists who focus on technical controls and separate specialists who work on risk management, but these tasks should be joined into one security plan so that medical devices are controlled and monitored for risks.

Difficulties Developing a Medical Device Security Program

Developing a medical device security program can be difficult for a multitude of reasons:

• Business: Lack of adequate funding, staffing and training issues, as well organizational structure impede the creation of a joint CE and IT security program.
• Policy and Procedure: Organizations’ IT policies and procedures rarely include medical device security, and have disjointed governance and sponsorship policies.
• Technical: Typical IT network tools do not work for medical device security purposes, and without passively scanning them as part of the IT network, medical devices often get overlooked. Use of legacy devices also causes technical issues, as devices are not updated for long periods of time.
• Vendors: Medical device vendors utilize different remote access controls that may or may not be able to show who/what causes devices to crash.
• Physical Security: Physical guest access to devices and the potential for organization IDs to be used to gain access to devices puts them at risk.

Addressing the Stakeholders

Involve all parties in the creation of a medical device security plan. Make clinical staff aware of the integrity of medical devices such as ultrasounds and anesthesia machines. Also include CISOs, IT teams, Healthcare Technology Management (HTM) teams and vendors. Discuss with all those involved the objectives of creating a medical device security plan and set up a timeline, as creating and rolling out a security plan can take many months.

How Ordr Can Help

Creating a device security program is challenging on its own, and would be even more difficult without a product to help passively scan for devices and identify risks.

The Ordr System Control Engine (SCE) gives organizations the power to enable visibility and security of their network-connected devices, with a simple and powerful solution to identify, classify, profile the behavior and risk and automate action for every network-connected device in the enterprise. Want to experience Ordr on your network? Request a free sensor.

Look for a blog post covering Part 3 of the Medical Device Security webinar series in the future. You can watch the full HIMSS webinar here.