Secure medical device deployment best practices
February 16, 2021
By Ken Zalevsky
The global digital health market is expected to grow to $640 billion by 2026, an astounding 28.5% compound annual growth rate (CAGR). Connectivity is driving this massive growth, and the current global pandemic has accelerated the deployment of connected solutions. Hospitals currently have deployed around 15 connected medical devices per bed, and this number is increasing as medical device manufacturers rush to maintain relevancy by introducing connected versions of legacy devices.
At the same time, cyberattacks against hospitals are on the rise. Between September and October 2020, the number of attacks against hospitals increased by 71%. This could just be a glimpse of things to come, as some experts are predicting cyberattacks against hospitals will triple in 2021. This is partially due to the COVID-19 global pandemic and the complications this is causing for hospitals. Not only are hospitals experiencing higher demand for in-house healthcare services, but they are simultaneously trying to support telehealth, as patients and providers maintain distance.
In addition to pandemic complications, traditional spending by hospitals on cybersecurity products and services has been modest in comparison to other industries, making them a continually favorite target of bad actors. One bright spot is the prediction that hospital spending on cybersecurity will increase in the coming years, however, the general consensus is that, even with this additional investment, hospital cybersecurity budgets will still not be adequate to mitigate the risk. So, what, if anything, can hospital security staff do today to maintain patient safety in the face of continuous threats of cyberattack? A great place to start is with the basics, and there are cyber hygiene best practices that can provide a good foundation upon which to build. Let’s explore those now.
Monitoring and maintenance
Monitoring and maintaining a healthy, secure network should be a primary, high-priority activity for every hospital security team. Medical device manufacturers (MDMs) consider security when designing and building devices, and hospitals must consider security when deploying and maintaining those devices. Diligent monitoring and continuous threat mitigation activities, such as working with MDMs to get the latest security patches, is the only way to proactively prepare for cyberattacks. Unfortunately, this is still not enough to provide immunity. This is partially due to the fact that maintenance of medical devices is usually limited to the manufacturer or trained third-party service providers. Hospitals have limited ability to patch closed medical devices, however, the hospital security team can gain tremendous insight into potential risks of devices through transparency and visibility into the device and components utilized. This transparency comes from the willingness of the MDMs to provide reliable security documentation, including the Software Bill of Materials (SBOM) with their devices. The SBOM should list all of the software components utilized in the device, at a minimum. Some SBOMs also provide information on component vulnerabilities, which enables hospital security staff to take a more proactive approach to potential threats.
Maintenance of medical devices requires communication and participation with vendors, specifically with respect to security patches and updates. According to FDA’s Postmarket Management of Cybersecurity in Medical Devices, “Because cybersecurity routine updates and patches are generally considered to be device enhancements, manufacturers are generally not required to report these updates and patches as corrections under 21 CFR part 806.” So hospital staff should work with manufacturers to receive timely cybersecurity patches and updates, especially given the continuously changing threat landscape.
Network segmentation
Segregating the hospital network into segments, sometimes called zones or sub-nets, is an effective method of limiting the network traffic and controlling the exposure of medical devices deployed to those sub-nets. This provides some protection against the proliferation of malware and can be done without entirely isolating the devices. Some MDMs can provide implementation guidance or documentation that can assist hospital security staff in device deployment, while some MDMs can provide information on segmentation strategies specifically for their devices. Of growing concern is the deployment of devices in a remote scenario, given the global pandemic, so hospitals should ask for information regarding remote accessibility, specifically focused on security measures that have been taken to limit exposure in remote deployment scenarios.
Data scoping
Hospital security staff should develop and maintain an analysis of data flows within their networks. Understanding where and how data flows through the hospital network is critical in its protection. Some areas to consider and specific questions to consider include: Are sensitive data encrypted as exchanged between hospital systems on the internal network? Are various data archives containing sensitive data protected with the appropriate levels of authentication and security? Are sufficient backup techniques in place that would enable shorter uptime cycles after an incident? Do these backup techniques include off-site storage or redundant servers? MDMs can help in this exercise by providing detailed information regarding their devices’ handling of sensitive data. For example, MDMs should be able to provide answers to questions like: Are sensitive data stored on the device itself? If so, for how long? Are there procedures in place to periodically remove or refresh the stored data? Are the data stored on the device encrypted, in case of theft? How does the device communicate with other hospital systems? Is this communication with other hospitals systems encrypted?
End user training
In spite of all the warnings and continuous training, end users still represent a popular point of entry for bad actors. By falling victim to phishing campaigns or by unwittingly providing sensitive information, like network credentials, end users are effectively turning off the alarm system and leaving the front door unlocked. In other words, none of the technological best practices implemented will have much impact if end users do not have the proper cybersecurity training.
To illustrate the importance of end user training, here’s a brief summary of an actual incident that took place a few years ago. A large organization hired a cybersecurity consultant to conduct a thorough review of their systems and provide a detailed report of technological weaknesses that could be vulnerable to attack. Before examining a single system, the consultant simply walked into an executive’s office, made up a story about being from the IT support team, and within 5 minutes had a network username and password. No need to look any further. Until this organization trained its end users properly, no technological solution could keep them safe. And this is true for most organizations.
The good news is that end user cybersecurity training does not have to be overly expensive or administratively burdensome to conduct. There are some end user training programs offered online for as little as $2.70 per end user. End users should be trained annually, and these training records should be maintained in a central repository for reference in the instance of a cybersecurity event or audit. Some organizations conduct their own internal training, which is specific to their environment and infrastructure, and there are tools available to help develop that training content, as well.
Conclusion
In summary, there are actions that hospital security staff can take today in order to develop a more proactive posture toward medical device cybersecurity, but they don’t need to do it all on their own. Medical device cybersecurity is a shared responsibility, and neither stakeholder has all of the tools and information to address this problem alone. The alignment begins with effective communication, which should be transparent and open, and continues through the entire medical device life cycle. By working together, medical device manufacturers and hospitals can achieve their shared goal of improved patient safety.
This overview covered a few medical device deployment best practices, but there is a lot more information to be found, including frameworks, tools, and processes. Here’s a short list to get you started:
FDA Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
NIST SP 800-53 Rev 5 Security and Privacy Controls for Information Systems and Organizations
FDA Postmarket Management of Cybersecurity in Medical Devices
IEC 62443-4-2:2019 Security for industrial automation and control systems, includes discussion of network segmentation.
NIST Data Flow Software Tools – NIST Data Flow System Version 2 – available for download here.
The global digital health market is expected to grow to $640 billion by 2026, an astounding 28.5% compound annual growth rate (CAGR). Connectivity is driving this massive growth, and the current global pandemic has accelerated the deployment of connected solutions. Hospitals currently have deployed around 15 connected medical devices per bed, and this number is increasing as medical device manufacturers rush to maintain relevancy by introducing connected versions of legacy devices.
At the same time, cyberattacks against hospitals are on the rise. Between September and October 2020, the number of attacks against hospitals increased by 71%. This could just be a glimpse of things to come, as some experts are predicting cyberattacks against hospitals will triple in 2021. This is partially due to the COVID-19 global pandemic and the complications this is causing for hospitals. Not only are hospitals experiencing higher demand for in-house healthcare services, but they are simultaneously trying to support telehealth, as patients and providers maintain distance.
In addition to pandemic complications, traditional spending by hospitals on cybersecurity products and services has been modest in comparison to other industries, making them a continually favorite target of bad actors. One bright spot is the prediction that hospital spending on cybersecurity will increase in the coming years, however, the general consensus is that, even with this additional investment, hospital cybersecurity budgets will still not be adequate to mitigate the risk. So, what, if anything, can hospital security staff do today to maintain patient safety in the face of continuous threats of cyberattack? A great place to start is with the basics, and there are cyber hygiene best practices that can provide a good foundation upon which to build. Let’s explore those now.
Monitoring and maintenance
Monitoring and maintaining a healthy, secure network should be a primary, high-priority activity for every hospital security team. Medical device manufacturers (MDMs) consider security when designing and building devices, and hospitals must consider security when deploying and maintaining those devices. Diligent monitoring and continuous threat mitigation activities, such as working with MDMs to get the latest security patches, is the only way to proactively prepare for cyberattacks. Unfortunately, this is still not enough to provide immunity. This is partially due to the fact that maintenance of medical devices is usually limited to the manufacturer or trained third-party service providers. Hospitals have limited ability to patch closed medical devices, however, the hospital security team can gain tremendous insight into potential risks of devices through transparency and visibility into the device and components utilized. This transparency comes from the willingness of the MDMs to provide reliable security documentation, including the Software Bill of Materials (SBOM) with their devices. The SBOM should list all of the software components utilized in the device, at a minimum. Some SBOMs also provide information on component vulnerabilities, which enables hospital security staff to take a more proactive approach to potential threats.
Maintenance of medical devices requires communication and participation with vendors, specifically with respect to security patches and updates. According to FDA’s Postmarket Management of Cybersecurity in Medical Devices, “Because cybersecurity routine updates and patches are generally considered to be device enhancements, manufacturers are generally not required to report these updates and patches as corrections under 21 CFR part 806.” So hospital staff should work with manufacturers to receive timely cybersecurity patches and updates, especially given the continuously changing threat landscape.
Network segmentation
Segregating the hospital network into segments, sometimes called zones or sub-nets, is an effective method of limiting the network traffic and controlling the exposure of medical devices deployed to those sub-nets. This provides some protection against the proliferation of malware and can be done without entirely isolating the devices. Some MDMs can provide implementation guidance or documentation that can assist hospital security staff in device deployment, while some MDMs can provide information on segmentation strategies specifically for their devices. Of growing concern is the deployment of devices in a remote scenario, given the global pandemic, so hospitals should ask for information regarding remote accessibility, specifically focused on security measures that have been taken to limit exposure in remote deployment scenarios.
Data scoping
Hospital security staff should develop and maintain an analysis of data flows within their networks. Understanding where and how data flows through the hospital network is critical in its protection. Some areas to consider and specific questions to consider include: Are sensitive data encrypted as exchanged between hospital systems on the internal network? Are various data archives containing sensitive data protected with the appropriate levels of authentication and security? Are sufficient backup techniques in place that would enable shorter uptime cycles after an incident? Do these backup techniques include off-site storage or redundant servers? MDMs can help in this exercise by providing detailed information regarding their devices’ handling of sensitive data. For example, MDMs should be able to provide answers to questions like: Are sensitive data stored on the device itself? If so, for how long? Are there procedures in place to periodically remove or refresh the stored data? Are the data stored on the device encrypted, in case of theft? How does the device communicate with other hospital systems? Is this communication with other hospitals systems encrypted?
End user training
In spite of all the warnings and continuous training, end users still represent a popular point of entry for bad actors. By falling victim to phishing campaigns or by unwittingly providing sensitive information, like network credentials, end users are effectively turning off the alarm system and leaving the front door unlocked. In other words, none of the technological best practices implemented will have much impact if end users do not have the proper cybersecurity training.
To illustrate the importance of end user training, here’s a brief summary of an actual incident that took place a few years ago. A large organization hired a cybersecurity consultant to conduct a thorough review of their systems and provide a detailed report of technological weaknesses that could be vulnerable to attack. Before examining a single system, the consultant simply walked into an executive’s office, made up a story about being from the IT support team, and within 5 minutes had a network username and password. No need to look any further. Until this organization trained its end users properly, no technological solution could keep them safe. And this is true for most organizations.
The good news is that end user cybersecurity training does not have to be overly expensive or administratively burdensome to conduct. There are some end user training programs offered online for as little as $2.70 per end user. End users should be trained annually, and these training records should be maintained in a central repository for reference in the instance of a cybersecurity event or audit. Some organizations conduct their own internal training, which is specific to their environment and infrastructure, and there are tools available to help develop that training content, as well.
Ken Zalevsky
In summary, there are actions that hospital security staff can take today in order to develop a more proactive posture toward medical device cybersecurity, but they don’t need to do it all on their own. Medical device cybersecurity is a shared responsibility, and neither stakeholder has all of the tools and information to address this problem alone. The alignment begins with effective communication, which should be transparent and open, and continues through the entire medical device life cycle. By working together, medical device manufacturers and hospitals can achieve their shared goal of improved patient safety.
This overview covered a few medical device deployment best practices, but there is a lot more information to be found, including frameworks, tools, and processes. Here’s a short list to get you started:
FDA Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
NIST SP 800-53 Rev 5 Security and Privacy Controls for Information Systems and Organizations
FDA Postmarket Management of Cybersecurity in Medical Devices
IEC 62443-4-2:2019 Security for industrial automation and control systems, includes discussion of network segmentation.
NIST Data Flow Software Tools – NIST Data Flow System Version 2 – available for download here.