This blog series introduces a step-by-step approach to help security teams in the medical space create a comprehensive framework for addressing risks associated with their IoT medical devices.
Part one in this series focused on establishing a foundation for understanding the connected medical device environment and for maintaining a data-rich inventory of the devices, their connectivity, and the context of their network behavior. In this next installment, we’ll explore how to leverage this data-rich device inventory to assess the cyber-risk associated with connected medical devices accurately.
Risk Assessment Needs to Be Proactive, Systematic and Prioritized
One of the key components of secure networking is the ability to assess the cyber-risk of the connected assets. But surprisingly, only 34.3 percent of respondents of the 2018 HIMSS Cybersecurity Survey answered that their risk assessment included medical devices. When considering the abundance of vulnerabilities coupled with the severity of cyber-incidents that involve medical devices, one would expect a much higher percentage than this. Additionally, medical device risk assessments tend to be non-systematic and are generally performed as an afterthought proceeding a cyber-incident. We believe the main reason that risk assessments neglect to include medical devices stems from the lack of visibility into their network presence, connections
A practical approach to risk assessment relies on a data-rich inventory that classifies the connected devices based on their type and model. This enables security teams to identify and log the specific vulnerabilities of each device.
Three Useful Guidelines
- Gather information about known vulnerabilities for your connected medical devices. There are several websites where you can find up-to-date security vulnerability information. These include MD-VIPER, US CERT, NIST National Vulnerability Database, and ICS-CERT.
- Manage a list of security vulnerabilities for each of the medical devices. These should include specific vulnerabilities from the sources mentioned above and also general vulnerabilities, such as hard-coded passwords or unpatched outdated revisions of operating systems and medical software installed on the device.
- In addition to the vulnerabilities, it’s important to make note of the level of access security teams have to the device for implementing security controls and for responding to cyber-events. Is the device managed by clinical engineering, the manufacturer or a third-party contractor? How easily can the device be replaced if necessary?
Calculating Risk Probability
After identifying the potential risks on the device layer, the next step is to look at the network layer for determining the likelihood of an attack. Medical device vulnerabilities are only one aspect of the risk. The probability of these vulnerabilities being exploited depends on the attack vectors. Here are some examples of attack vectors that contribute to increased risk probability of a medical device:
- Connections to other systems via the internet (e.g., remote connection to the manufacturer or third-party company for maintenance and services like over-the-air (OTA) updates)
- Connections to less secure workstations (e.g., remote physician’s workstation)
- Devices that use unencrypted communications
- Devices that use protocols with primitive authentication
Determining Risk Severity
Unlike healthcare IT systems, the impact of a cyber-attack on medical devices isn’t limited to data security and privacy. Targeted and untargeted attacks on medical devices can disrupt clinical care and cause harm to patients.
After identifying the risks for each device and determining their risk probability, the
The goal should be to rank the potential impact on patient safety, privacy and service disruption for each device. For instance, a PACS (picture archiving and communication system) would have a high privacy ranking, while an infusion pump would have a high patient safety ranking.
After defining the probability and potential impact ranking, you can give each device a risk severity index. The devices that have a higher risk probability, and a more severe impact if they were to be compromised by a cyber-attack, should be given a higher risk index.
Different organizations can define different criteria for risk index scoring. The advantage of ranking devices based on their risk index is that it allows the organization to define the acceptable risk index level so that security teams can focus on addressing the devices whose risk index exceeds the acceptable level.
In Part 3 of this series, we’ll discuss how to use risk assessments and IoT data to build hardened and enduring defense layers into medical device networks.