There are myriad factors that have made medical device security so challenging. For starters, the average lifecycle for an operations system is about 7 to 10 years, while medical devices can last for up to 20 years — and that makes for quite a gap.
But that’s just one reason.
Another is the fact that until a few years ago, security wasn’t a top priority for device manufacturers, according to Murad Dikeidek, Information Security Manager at the University of Illinois Hospital & Health Sciences System. “The focus has been on the safety of devices, not on cybersecurity,” he noted during a recent webinar, which also featured Mitch Parker, CISO at Indiana University Health, and Shankar Somasundaram, Founder & CEO at Asimily. In fact, it wasn’t until 2014 that the FDA established cybersecurity standards; while the first recall devoted to a security flaw came a year later.
For CISOs and other leaders, that delay has meant having to contend with a high level of risk — and coming to some stark realizations. “Security is not a goal, it’s a process,” said Dikeidek. “And so we have to have constant visibility into every device that we put on the network.”
During the discussion, the panelists shared their thoughts on why medical devices are vulnerable, what controls can be implemented, and what to look for in a cybersecurity solution.
“Medical devices are vulnerable”
One of the key hurdles with medical devices? They often run legacy applications, on legacy hardware, and legacy platforms, according to Dikeidek. “For the longest time, there hasn’t been any security maintenance to keep up with these devices.” What’s more, they “contain different components that the manufacturer has no complete control over,” whether it’s third-party applications or off-the-shelf software that isn’t approved for use with medical devices.
Another problem is connectivity. Legacy devices often use serial to Ethernet converters to connect to the medical device network, which can get complicated. “They don’t understand secure network communication, and they have no built-in mechanism to handle any threats that the network can present,” Dikeidek noted. As a result, they may accept communications from any device on the network, even if it’s malicious. Devices need to be able to communicate properly and securely, and with designated devices, he added. If not, organizations open themselves up to threats.
The other sticking point with legacy devices is patch installation, noted Somasundaram. “Medical devices are vulnerable; you can’t really patch them the way you patch IOT devices.” In addition, some manufacturers have policies that prevent health systems from installing anti-malware — or if they do, they risk invalidating the warranty.
The good news is that device manufacturers recognize these limitations, and are working to catch up with the rest of the industry, according to Parker. “A lot of advancements have been made, but it’s going to take 5 to 10 years for it to percolate through the rest of the industry.” For IS leaders, the challenge comes in supporting legacy devices as new devices are rolled out, all while protecting against emerging risks.
The “right controls”
It’s a lot to consider, and it puts even more pressure on IT and security professionals to ensure they’re implementing the right controls. To that end, the panelists offered best practices to help guide the process.
- Collect data. The first step is to gather as much information as possible about the device and its makeup, according to Dideidek. It starts with requesting the MDS2, a document that lists all of a device’s information and security controls, and the software bill of materials.
- Assess the security posture. Security can be assessed using a vulnerability scanner to “perform a safe scan” and determine whether the device is being affected, he noted. Once that’s done, it’s critical to reduce the attack surface and reduce exposure to the network, which in turn can help limit risks. “You want to restrict the traffic to what is needed. If no internet access is needed, remove the internet access. If internet access is needed, restrict it to what is needed.”
- Segment, but don’t overdo it. Although it’s important to put in firewalls and segment the network, organizations can too easily fall into the trap of oversegmentation, said Somasundaram. “When you do this, it can create a maintenance nightmare.”
- Know your entry points. It’s imperative to identify critical entry points in the network and understand the different ways in which devices can be exploited, he noted. One way is by running exploit analysis for vulnerabilities that may be found on different devices. “If you understand the ways in which an attacker can exploit your network, you can appropriately add compensating controls.”
- Proxy control. Somasundaram recommended inserting checks to ensure all web browsing goes through a proxy and is tightly controlled. However, leaders must first determine which choke points are unique to medical and IoT devices. “Medical and IOT devices have only certain ways they can be exploited in these networks,” he said. “If you understand what those vector parts are, you can decide where your proxy should be placed and how your network access control should be configured.”
- Don’t neglect physical security. Medical devices don’t have a password or pin to safeguard configurations, and therefore must be stored safely and securely, said Dikeidek. And whatever controls are in place, make sure they stay in place through regular audits.
- Track all recalls. Keeping an eye on recalls is a must, although it can be difficult for some organizations, according to Dikeidek, who recommends utilizing resources like ECRI. “They do some incredible work in publishing product and recall advisories.”
- Maintenance is key. “Make sure you have a maintenance plan in the budget, even just to get patches,” which aren’t always covered, according to Parker. It’s also important to make sure the right operational resources are in place to manage maintenance costs. “The way I see it, if you’re not doing regular device maintenance, you have greater concerns.”
- Manage change carefully. If changes need to be made — and they often do — introduce them “carefully, deliberately, and in a way that aligns with the culture,” he added. “That’s the biggest consideration: how it affects peoples’ ability to do their jobs.”
A foundational piece in all of this is having a solid intake process, noted Parker, which starts by assessing the products that are available and determining whether they meet your organization’s needs. “Look at your risk assessment, making sure to keep your network and your devices in consideration, and assess three or four vendors based on that using an isolated test network,” he said. “Make sure they gather the information you need to accomplish your tasks and that it fits with your workflow.”
When it comes to finding the right solution, the panelists offered the following recommendations:
- Don’t just involve IS when evaluating products. Clinical engineering, information security, operations, and clinical should be part of the process. “A solution like this has far ranging effects on everyone,” said Parker. “You have to be prepared to address these across your organization.”
- Choose a vendor who “understands both side of the business” and can work with various groups to make sure any solution fits the needs of the entire organization, Parker noted.
- Make sure it integrates with all of the existing security solutions, said Dikeidek. “The more solutions can work together, the more comprehensive and complete your security program will be.”
- Know how sophisticated and granular its approach is for rating risk. When risks are rated accurately, it can help with remediation and ensure efforts are concentrated in the right area, he noted.
Finally, recognize that this is a heavy lift, one that requires patience and a whole lot of collaboration, according to Dikeidek. “It takes a village to secure a medical device. You need to communicate, you need to coordinate, and you need to collaborate. It takes a lot of people to get on the same page, and it takes time.”
That means not just incorporating feedback from different stakeholders, but keeping a strong pulse on what’s working — and what isn’t, he said. “You have to pay attention to peoples’ reactions and peoples’ needs. You might have to reset and try something different until it works.”
To view the archive of this webinar — Real-World Management of Medical Devices (Sponsored by Asimily) — please click here.