When it comes to protecting patient data, IT executives face an uphill climb — and it’s only getting steeper. From Mirai to Brickerbot, the attacks are becoming increasingly sophisticated, making it critical that medical device security is a top priority. To that end, the Open Web Application Security Project (OWASP) has released a set of best practices for the secure deployment of devices. This initiative aims to educate hospital IT leaders on how to better secure patient information, serving as a complement to the FDA’s recent postmarket guidelines for improving security in the development and manufacturing of connected medical devices.
Part one of this three-part series focused on purchasing controls and perimeter defenses. This piece will break down both the network and device controls that must be in place to create a secure environment.
It is not uncommon to have one or more computers attached to devices used for the collection and analysis of medical device data (a central station) or a PC/appliance used to send data to the EHR system (an interface). While they can be distinct systems, in many cases they are hosted on the same system. Securing interface systems is critical, as these are often the points at which your isolated medical device network is bridged with the main internal network.
Security controls that should be in place include:
- OS Hardening: The removal of unnecessary services, password protection, installation of AV, and other common OS hardening techniques should all be employed. For further details, consult guidance specific to your operating system.
- Encrypted Transport: As with medical devices, these systems will be used to send and receive data, and as such, should make use of the same secure protocols discussed in the device configuration section (Part 2).
- Message Security – HL7 v3 Security Standards: Interface systems are often used to transmit data to an EHR, PACS, or other clinical system, and HL7 messages are the standard format for accomplishing this. The exchange of HL7 messages should be done using the HL7 v3 standard, as this provides for security provisions not present in earlier versions.
All the controls in the world are useless if misconfigurations and vulnerabilities are rampant. Security testing will help you to uncover any shortcomings in your devices or within the setup that surrounds them. It is better to discover such issues via testing, so they can be addressed via fixes or the addition of compensating controls, than to later discover the same weakness during the forensic phase of an incident response.
- Penetration Testing: A penetration test can be an effective means of assessing how effective your device and network configurations are at turning back an attack on medical devices installed on your network. The results can be used to help further improve your defenses and may reveal flaws in the device that can be presented to the manufacturer for patching in an upcoming update release.
Eventually all organizations will face the compromise of one or more devices. One of the things that differentiates an organization that has a mature security program from one that doesn’t is how effective it is at detecting, containing, and eradicating such threats.
- Incident Response Plan: Organizations should have detailed plans in place to deal with the compromise of medical devices before such an incident becomes a reality. Organizations should have a clear-cut strategy that defines how they will react to an incident and who will be responsible for what actions during the detection, containment, eradication, and recovery phases. It is also important that all staff are made aware of the plan and are trained to respond appropriately and effectively. For organizations without any sort of incident response plan in place, a good starting resource can be found here.
- Mock Incidents: It would be highly beneficial for any organization to conduct a mock incident regarding the compromise of medical devices to ensure that they have an effective response plan in place and that employees are adept at carrying it out. Mock incidents provide a great way to identify both security deficiencies and effective practices, and those lessons can help further improve your organization’s security posture.
Special thanks to Tony Alas for his input on biomedical devices.