For CISOs and other leaders, there’s no doubt that medical device security has become a top priority — particularly given some of the breaches that have wreaked havoc in recent years. The question is how to approach it.
“The medical device world is very different from the IT world,” said Samantha Jacques, PhD, VP, Clinical Engineering, McLaren Health Care, during a panel discussion. Not only is the approval process significantly longer with devices, but the technology isn’t being built on current platforms. In IT, “we’re getting new laptops and servers and we’re always on the latest version of whatever system we use,” she noted. “Medical devices don’t function like that. And so, trying to apply the same techniques from a security perspective is inherently challenging.”
Brett Harris (Cybersecurity Officer, Americas, Siemens Healthineers), who also served on the panel, along with Jason Elrod (VP & CISO at MultiCare) and Ty Greenhalgh (Industry Principal, Healthcare, Medigate by Claroty), agreed. “You can’t install third-party software. You can’t use typical IT tools, and that creates a gap between what IT can see and do, and what needs to be done with a medical device,” he said.
It creates a complex problem that can only be addressed through a multifaceted approach that features the right combination of technology and governance, according to the panelists. During the discussion, they outlined the most important components of a successful device security strategy.
“You can’t protect what you can’t see.”
The first — and arguably most critical factor — is visibility, said Greenhalgh. “If you can’t see which devices are on your network, it becomes very problematic in trying to manage what their risks are, what the criticality is, and how you should respond to any type of anomalous behavior.” That, he added, can create “a lot of anxiety” for security leaders.
This is where technology can play a key role. By leveraging discovery tools, such as the ones offered by Medigate by Claroty, CISOs can more effectively see and monitor devices, he added. “You need to know how your assets and software are communicating. Without that, you’re flying blind.”
Harris concurred, adding, “You can’t protect what you don’t know is there. Having technology that allows you to do passive detection and analysis of systems provides visibility into medical devices to be able to do proper management.”
This, however, isn’t possible without having the right building blocks, he said. It’s critical to understand the clinical context of a medical device, including how it’s being used and how workflows are configured, before bringing in security to support it. “There’s a governance technique that organizations need to bring to bear with these devices,” he said.
Elrod agreed, adding that, for CISOs, navigating the intersection of technology and governance has become increasingly important. “How do I get them working together in a seamless fashion? How do I manage that? And how do I fold that into my overall enterprise risk management? Because that’s what we’re doing here.”
Another question leaders face when managing device security is the reporting structure. For Jacques, it’s not necessarily about who reports to whom, but rather about ensuring everyone is “pulling in the same direction for safety and security.” Although a number of large organizations have moved biomed under IT, that isn’t the case for most mid-sized and small hospitals, some of which have biomed reporting to facilities. That is not an ideal situation, as facilities “doesn’t necessarily have a strong focus on patching or vulnerability management,” she added. “It’s a real struggle.”
On the other hand, those who are able to move biomed under IT can position themselves well, according to Harris. “It’s a great place for medical device security to sit, because when IT security owns the topic, they’re pushing that as the focus, whereas when IT falls under clinical engineering, the focus is on clinical care and not disrupting the process,” he noted. “Sometimes you need that disruption to say that while a procedure works fine from a clinical perspective, it might not work from a security perspective.”
Bridges & gaps
Harris agreed, noting that aligning security risks with the overall risk governance for the organization can go a long way toward improving security. For leaders, the challenge is in bridging the gap that often exists between IT/security and biomed/clinical engineering and combining knowledge sets by creating a dedicated medical device security group. That way, “you have people who have clinical engineering backgrounds and IT security backgrounds working together in one group” toward the singular goal of securing medical devices.
To Elrod, reporting lines aren’t nearly as important as clear lines — more specifically, ensuring clear lines of authority, which guarantees that “whoever is in charge of IT has decision-making capability,” and a firm grasp of both policy and risk management around medical device security. “You need clear lines of authority, no matter where IT reports,” as well as accountability, strong communication, collaboration, standardization, continuous improvement, and alignment with organizational goals. “It’s not one person’s job,” he added. “This is all of our jobs.”
One way to encourage that mindset, according to Greenhalgh, is by establishing a committee with representation from IS, clinical, compliance and other key areas. The ideal person to head it up? Someone like Jacques, who can speak the languages of security, clinical engineering, and IT, “which allows others in different departments to understand why operations have to be considered and why clinical engineering is doing something the way they’re doing it.”
The culture piece
That’s where culture comes in.
As leaders know, having the best model in the world doesn’t mean much without buy-in from all involved. One of the keys to building allegiance, according to Elrod, is making it a point not to paint security as an extra step or a blocker. “You can’t perform the function of healthcare going forward without security and the infrastructure components,” he said, adding that in cases like this, words clearly matter. “Security isn’t a blocker. Security needs to be self-evident. The reason why you have to have strong authentication and encryption and monitoring and risk management on medical devices is because if a threat actor gets in and does something bad, it could have a kinetic real-world impact.”
Cybersecurity needs to become synonymous with patient safety, which is going to require “a cultural and language change,” Elrod added. “We need to instill that in folks.”
Harris agreed, adding, “that’s the North Star we want to get to; where people aren’t thinking about security as something separate, but as part of patient safety in general.”
To accomplish that, leaders need to stop preaching to the choir (in this case, security folks) and have critical conversations with physicians, nurses, and C-suite leaders, noted Jacques. “We need to help educate them and help them understand that security is not a blocker; it’s an enabler. It enables us to provide better care. If we don’t have appropriate cybersecurity departments helping to protect us, we’re going to be shut down. We are not going to be able to provide care.”
If organizations are able to accomplish that and treat cybersecurity as patient safety, “you’ve won the war,” she said.
An archive of this webinar, Grounding Your Medical Device Security Program in Good Governance (sponsored by Siemens Healthineers and Medigate by Claroty), is available for viewing.