Medical Device Security and Patient Safety

February 18, 2022

  • Medical technology device usage is growing substantially.
  • Device connectivity and management pose significant challenges for healthcare providers.
  • This post offers a number of basic security recommendations for medical devices.

 


 

The healthcare sector has been a primary cyber crime target for some time, and the industry saw a record number of ransomware attacks in 2021.

 

Ransomware is obviously a major concern, but it isn’t the only threat healthcare organizations need to watch. The medtech market grew 6.3%, posting a fourth consecutive year of growth, and we’re seeing an increase in the number of medical devices deployed. We also see an increase in the different types of devices such as:

 

  • Robotics – robotic-assisted surgical teams, radiation delivery systems, nanotechnology and microbots
  • Telemedicine – remote patient monitoring or management tools
  • Wearable health devices – wearable biosensors
  • Artificial intelligence – similar to wearable health devices, the technology uses biosensor data to diagnose conditions and identify trends for individual patients
  • Virtual reality/augmented reality – gather data in a 3D format to assist surgeons in preparation for surgery; assist with psychological therapy, post-traumatic stress disorders, etc.

 

These devices are critical to a patient safety. Still, since manufacturers often provide day-to-day care and feeding, organizations may not be aware of their current security posture. Optiv has worked with hundreds of large healthcare organizations and thousands of hospitals, performing security assessments and other consulting types of engagements, and have found that the security of medical devices is hit and miss. Some organizations have taken on the responsibility of securing these devices, while others trust security to the manufacturer/vendor.

 

Which approach should your organization take? We always recommend that you “trust, but verify.”

 

According to the Medigate data team, 2021 saw:

 

  • a 14.5% growth in connected medical devices
  • 30% of devices affected by two or more critical vulnerabilities
  • That 20% of medical devices should enroll in an endpoint detection and response (EDR) tool, but only 7% of those eligible have

 

These findings reflect our experience. In two recent cases, the Medigate Device Security Planform (MDSP), which Optiv uses for our HIPAA Risk Assessment engagements with IoT analytics and discovery, identified multiple medical devices with active connections to known malicious sites or addresses in foreign countries. The organizations had decided to leave their medical device security to the manufacturer/vendor in both instances.

 

In many cases, healthcare organizations have no choice but to depend on manufacturer/vendor support, but that doesn’t mean your IT security team can’t implement additional security controls. We recommend a managed risk approach to any devices added to an environment. Here are a few general risk reduction recommendations:

 

First - Segment your medical devices to isolate them from other network areas and limit access provided to your vendors. The approach has multiple benefits:

 

  • Limits access
  • Depending on your method for segmentation, it can help you track the location of devices
  • Assists with vulnerability management scanning (exclude areas from scanning)
  • Improves performance with less congestion
  • Better analytics for network monitoring

 

Second – When possible, endpoint protection practices should be used to protect the medical devices and the PCs used to control them. Anti-virus, EDR, MDR and XDR are all vital security controls to implement.

 

Third - Identity management is critical to limiting access to these devices. Remove default accounts and, if possible, bind authentication for the organization authentication system. Ensure that users adhere to your password change policy.

 

Fourth – Organizations should keep an accurate inventory of their medical devices. Know what devices are operating on your network. Once you have an accurate inventory, you can check for vulnerability disclosures from manufacturers using the National Vulnerability Database (NVD). Perform vulnerability scans before deploying new devices.

 

Fifth – There are several medical device security platforms available. These systems afford an in-depth view of your medical devices, providing analytics such as anomaly detection, mapping, aggregating unmanaged devices and network policy management. These systems can also assist with optimizing device utilization, providing an organization with a higher return on investment.

 

These five recommendations aren’t an exhaustive list, but implementing them will greatly reduce your medical device attack surface and provide warning in the event of an attack. If you want to document your risks and build risk mitigation strategies to reduce those risks, Optiv can assist with building the business case and prioritizing controls.

Brian Bradley
Principal Healthcare Consultant, Risk Management
Brian has more than 25 years' experience in healthcare information technology environments, ranging from mid-sized providers to large university medical programs. He’s a former Chief Information Security Officer, HIPAA Security Officer and Information Security Manager for the DOD and DHS.

Optiv Security: Secure greatness.™

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.