As the CIOs and CISOs who walk the halls of healthcare institutions know all too well, the number of devices joining the Internet of Things and the Internet of Medical Things around us is growing rapidly. With that growth come complexities in security, data collection, storage and, especially, lifecycle management. Devices arrive with widely varying degrees of built-in security and with lifespans ranging from two years to 15, which complicates any management strategy.
Medical devices are the next perfect storm as a threat vector, and their lifecycle management is increasingly driven by the risk and security vulnerabilities of the legacy device ecosystem. Attackers increasingly treat the medical technology used by providers as the mechanism for commandeering and attacking networks and holding organizations to ransom. Medical IoT devices connect to a vast array of sensors, monitors and applications, which makes them an ideal entry point into the larger hospital network and an easy way to propagate an attack to other systems.
The FDA began issuing premarket cybersecurity guidance for connected medical devices in 2013; however, because these devices have long development cycles and take a long time to obtain regulatory clearance, the rollout is slow. The result is a significant lag before connected devices with embedded cyber-resilience features capable of thwarting modern threats reach the market, and an extremely complex lifecycle management challenge for healthcare technology in the meantime.
Cybersecurity challenges are now becoming the primary driver for lifecycle management of medical technology. Older, unsupported systems present a sizeable cybersecurity risk and leave every member of the C-suite asking how to tackle the problem. Often these systems have little or no update capability, are outside vendor support, or have been superseded by newer, better-supported product lines. Even where a vendor does support a device, it takes time to develop and test a fix for a vulnerability before it can be deployed across the entire device population. As an example, an EEG monitor has a typical lifespan of 10 years. Over that period the vulnerabilities affecting it will change and multiply, making it difficult for manufacturers to keep pace with the threat landscape. Worse still, responsibility for securing these devices ultimately rests with the provider.
Keep in mind that vulnerability testing is complex because of the various systems, subsystems and chipsets embedded in these devices. Most organizations simply do not have a $10 million budget to build a lab, or staff with the functional expertise, to perform hardware and software vulnerability testing with the rigor required to pass a security audit. They must instead engage vendors with the technical expertise, specialized staff and equipment needed to ferret out vulnerabilities in purpose-built devices. It is not enough to run a software scan against a device and assume it is secure.
So what approach should an organization take to reduce its risk from medical devices with varying usable lifespans and cybersecurity protections?
Evaluate Your Environment For Risk
- Identify devices that are end of life. No further updates will be released for them, which exposes them to risk, and the manufacturer may not even announce vulnerabilities that are discovered. We recommend replacing these devices with supported systems; until they can be replaced, isolate them on a segmented network with monitoring in place.
- Identify systems that are no longer covered by service contracts or that lack a current operating system capable of being secured. This is similar to the end-of-life case; such systems should be replaced or brought back under a service contract.
- Audit prospective vendors' security practices, patch management and cybersecurity countermeasures to ensure satisfactory risk mitigation.
- Contract for penetration testing of on-premises devices. It is important for the assessment to cover both the hardware and the software of the device.
- Treat Wi-Fi, Bluetooth, SD card and proprietary RF interfaces as potential avenues of compromise. Ensure there are controls in place to monitor and protect devices over every communication protocol they support, and disable any protocol that is not in use where possible.
- Create a risk profile and a risk score for each device in your environment, then prioritize on that score. The result is a lifecycle management posture rooted in security.
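The steps above amount to a scoring pass over the device inventory. The following is an added example that is not part of the original article: it scores a small constructed inventory against the conditions listed (end of life, unsupported operating system, lapsed service contract, outdated firmware, radios enabled but not required, missing or stale penetration test), weights the technical exposure by clinical criticality, and ranks the devices. The device records, field names, point weights and the twelve-month re-test threshold are all illustrative assumptions; a real program would pull the inventory from an asset-management or network-discovery system and tune the weights to its own risk appetite.

```python
"""Risk scoring and prioritization over a medical device inventory.

Added example, not code from the original article. All device records,
weights and thresholds are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

AS_OF = date(2021, 10, 1)  # assumed assessment date for the constructed data


@dataclass
class Device:
    asset_id: str
    kind: str
    os: str
    os_vendor_supported: bool             # does the OS still receive security updates?
    vendor_eol: Optional[date]            # manufacturer end-of-life date, None if not announced
    service_contract_end: Optional[date]  # None means no contract at all
    firmware_current: str
    firmware_latest: str
    interfaces_enabled: Set[str] = field(default_factory=set)
    interfaces_required: Set[str] = field(default_factory=set)
    last_pentest: Optional[date] = None   # hardware + software assessment, None if never done
    clinical_criticality: int = 1         # 1 (low) .. 3 (life-sustaining)


# Point weights per finding (assumed; tune to your environment).
WEIGHTS = {
    "end_of_life": 40,
    "unsupported_os": 30,
    "no_service_contract": 20,
    "firmware_behind": 15,
    "unused_interface": 5,  # per interface
    "never_pentested": 10,
    "stale_pentest": 5,
}


def assess(dev: Device, as_of: date = AS_OF) -> Tuple[int, List[str], List[str]]:
    """Return (risk_score, findings, recommended_actions) for one device."""
    findings, actions, score = [], [], 0

    def add(finding: str, points: int, action: str) -> None:
        nonlocal score
        score += points
        findings.append(finding)
        if action not in actions:  # EOL and unsupported OS share the same remedy
            actions.append(action)

    replace = "replace with a supported system; segment and monitor until then"
    if dev.vendor_eol is not None and dev.vendor_eol <= as_of:
        add("end_of_life", WEIGHTS["end_of_life"], replace)
    if not dev.os_vendor_supported:
        add("unsupported_os", WEIGHTS["unsupported_os"], replace)
    if dev.service_contract_end is None or dev.service_contract_end <= as_of:
        add("no_service_contract", WEIGHTS["no_service_contract"],
            "renew service contract or replace")
    if dev.firmware_current != dev.firmware_latest:
        add("firmware_behind", WEIGHTS["firmware_behind"],
            f"schedule firmware update {dev.firmware_current} -> {dev.firmware_latest}")
    unused = sorted(dev.interfaces_enabled - dev.interfaces_required)
    if unused:
        add("unused_interface:" + ",".join(unused),
            WEIGHTS["unused_interface"] * len(unused),
            "disable unused interfaces: " + ", ".join(unused))
    if dev.last_pentest is None:
        add("never_pentested", WEIGHTS["never_pentested"],
            "contract a hardware and software penetration test")
    elif (as_of - dev.last_pentest).days > 365:
        add("stale_pentest", WEIGHTS["stale_pentest"],
            "re-test: last assessment is older than 12 months")

    # The same technical finding matters more on a life-sustaining device
    # than on a bedside scale, so scale by clinical criticality.
    return score * dev.clinical_criticality, findings, actions


def prioritize(devices: List[Device], as_of: date = AS_OF):
    """Rank devices by descending risk score: (asset_id, score, findings, actions)."""
    ranked = [(d.asset_id, *assess(d, as_of)) for d in devices]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed inventory (not real devices).
INVENTORY = [
    Device("EEG-0042", "EEG monitor", "Windows XP Embedded", False,
           vendor_eol=date(2019, 6, 30), service_contract_end=None,
           firmware_current="3.2", firmware_latest="3.2",
           interfaces_enabled={"ethernet", "bluetooth", "sd_card"},
           interfaces_required={"ethernet"}, last_pentest=None, clinical_criticality=2),
    Device("INF-1107", "infusion pump", "embedded RTOS", True,
           vendor_eol=date(2026, 1, 1), service_contract_end=date(2023, 3, 31),
           firmware_current="5.4.1", firmware_latest="5.6.0",
           interfaces_enabled={"wifi"}, interfaces_required={"wifi"},
           last_pentest=date(2020, 2, 10), clinical_criticality=3),
    Device("SCL-0007", "patient scale", "embedded Linux", True,
           vendor_eol=None, service_contract_end=date(2024, 12, 31),
           firmware_current="1.9", firmware_latest="1.9",
           interfaces_enabled={"wifi"}, interfaces_required={"wifi"},
           last_pentest=date(2021, 5, 2), clinical_criticality=1),
]

if __name__ == "__main__":
    for asset_id, score, findings, actions in prioritize(INVENTORY):
        print(f"{asset_id}: score {score}, findings {findings}")
        for action in actions:
            print(f"    -> {action}")
```

On the constructed data the out-of-support EEG monitor ranks first (every finding applies, doubled by criticality), the infusion pump second (firmware behind and a stale pentest, tripled because it is life-sustaining), and the scale last with no findings. The point of the scaling step is that the replacement queue should be driven by clinical impact as well as technical exposure; the weights themselves are a starting point, not a standard.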
Governance, Risk And Compliance
- Have an action plan: create standard operating procedures for what to do when a medical device is compromised.
- Create a risk framework for each device that determines the response if the device is infected with malware or compromised by an attacker.
- Include medical devices in your governance plan so that compromises are handled at the appropriate level, with defined escalation paths.
- Maintain a record for each device of its current firmware version, installed patches and related details, and have a policy and process for performing medical device updates.
- Create incident response plans specific to breaches involving medical devices and have a team assembled in advance. Include retainers for breach mitigation and post-mortem forensics.
By implementing and monitoring the product lifecycle, leaders, CSOs and CISOs can better plan when to introduce new operational technology into the environment. Ensuring that each of these devices will not negatively impact operations is critical to continuity of care, and to the transformative delivery of healthcare services and improved patient outcomes. A lifecycle management approach to medical device refreshes rooted in a security framework allows providers to keep pace with the rapidly evolving threat landscape plaguing the industry, while maintaining compliance and minimizing security threats and vulnerabilities along the way.