Sometimes it’s hard to even consider tackling a problem because it’s so awesome in nature. Webster's defines awe as “a feeling of reverential respect mixed with fear or wonder.” Healthcare CIOs, CISOs and even members of board of directors express this sense of awe when discussing one of greatest security risk factors in their world — connected medical devices. Cybersecurity experts, however, offer advice: implement your security program incrementally so it won’t be so daunting.
Medical devices are ubiquitous in hospitals and with medical services providers. We need them to monitor, analyze and, increasingly, treat patients. Bleeding edge healthcare innovators are also working with next generation medical devices combined with robotics and informed by analytics to serve as “mechanical care providers.”
Connected medical devices allow providers to see their patients’ compliance with treatment protocols and detect or be alerted to problems before they become serious or adversely impact a patient’s health. This connectivity allows healthcare professionals to track trends and provide more effective patient care. But there is a healthy fear within the cybersecurity community that hackers can exploit security vulnerabilities in medical devices with relative ease, thereby endangering patients and putting a healthcare organization’s data assets at serious risk.
In October, an article called, “MITA Releases National Standard for Medical Device Security,” explores the publication of a voluntary standard that supports security risk management within healthcare organizations by providing standardized information on security control features integrated within medical devices. The announcement by the Medical Imaging & Technology Alliance also said the standard clarifies the roles of those involved in medical device security.
Research by companies that provide IoT and medical device security “shows healthcare’s limited resources and IT staffing gaps hinder the ability of organizations to transition into more secure platforms,” according to an August 2019 article in Health ITSecurity. “As healthcare continues to steadily increase the number of connected devices, the attack surface is expanding, and it’s becoming more challenging to successfully scale security.”
According to the “2019 HIMSS Cybersecurity Survey” regarding the initial point of compromise for significant security incidents in the past 12 months, 10 percent occurred because of medical device problems in hospitals and six percent were associated with vendor medical devices. In addition, 33 percent of survey respondents indicated they have embedded legacy (unsupported) operating systems in medical devices.
“Many healthcare providers report breaches of healthcare data due to a compromise of a business associate, according to data on reported breaches by the Office for Civil Rights at the US Department of Health and Human Services,” the survey notes.
Given the astonishing number of connected medical devices — Gartner forecasts that 14.2 billion connected things will be in use in 2019, and that the total will reach 25 billion by 2019, while the Statista Research Department says almost 161 million healthcare IoT devices are estimated to be shipped worldwide for installation in the year 2025 — the potential risk can be devastating from both human and organizational perspectives. The estimated number of connected medical devices is expected to increase from 10 billion to 50 billion over the next decade, according to the IBM Institute for Business Value. These are certainly some intimidating numbers for healthcare security leaders.
Vikas Khosla, Chief Digital Health Officer of Intraprise Health, sees the reality behind the statistics every day. Intraprise Health is a 100 percent healthcare-focused cybersecurity firm that helps hospitals, health systems, healthcare insurers and Business Associates ("vendors”) improve their cybersecurity programs with a specific focus on addressing third-party risks such as those posed by connected medical devices.
“The healthcare industry is struggling with protecting their sensitive information from the risks of medical devices,” he says. “But it’s really overwhelming for them. Even a small community hospital may have several hundred medical devices that have various levels of vulnerability. A large health system has thousands. All of these devices are provided by third-party vendors and the healthcare providers have very little control over the security the devices do or do not provide.”
He says many organizations don’t begin the arduous process of ensuring the devices are secure because “it’s such a huge lift.”
It’s also important to understand the process can take time and resources. As the FDA, which approves medical devices for use (they also list cybersecurity incidents on their website) notes, “The health care environment is complex, and manufacturers, hospitals, and facilities must work together to manage security risks.”
But working to control this risk is an incremental process, Khosla says. And as the adage goes, “Once begun, half done.” The first step of the process, he says, is proper governance, inventory and assessments to understand your weaknesses.
Often, organizations don’t know how many connected devices they have and what their vulnerability is. Some mistakenly believe the device vendor has ‘handled’ security because the vendor is a prominent brand in the marketplace. Wrapping their organizational head around the issue begins with understanding what devices they have and what risks are associated with these devices. Then, and only then, can they begin to resolve the security gaps. The fix may be as easy as a patch or more complicated, like network segmentation, a process that disconnects devices from the internet or separates them from the main network.
Since many organizations don’t have the staff or the expertise to do this, they may want to call in somebody who does. But it’s important to remember to “eat the elephant one bite at a time.”
For medical device security that means starting with aligning all stakeholders to establish a governance model showing responsibilities and decision-making roles. Every health system has a few different departments that have some responsibility for securing connected devices. Typically, the biomedical (or bioengineering), IT and information security teams need to be involved.
Next, there should be a medical device security policy, minimum-necessary security standards, as well as an incident response procedure if there ever is an attack or infection from malware. The effectiveness of your processes should be tested through some sort of table-top exercise on a periodic basis.
And maybe most importantly, you should maintain an inventory of your medical devices to the best degree possible. You can’t secure what you don’t know you have. If you make this an ongoing effort, eventually you will have a pretty complete inventory. If these foundational steps are put in place and part of a continuous program, you will have made significant strides in protecting your patients and securing your organization from one of the greatest cyber threats in healthcare today.
Understanding and categorizing the various risks posed by medical devices is the first step in getting past the “shock and awe” and protecting your organization from a breach.