Risk mitigation strategies for the medical device network environment should come after establishing good visibility into the devices—their connectivity and behavior—and a good understanding of the devices’ associated risks. These are covered in Part One and Part Two of this series.
With this knowledge, security teams can build a defense layer tailored for protecting their networked medical devices and strengthen this defense on an ongoing basis.
Prevention, Protection & Improvement
An effective strategy covers multiple aspects of the assets being protected. Use the intelligence you gathered about the devices to systematically address each of their risks in the most effective and safest way. The protection measures should include the following activities:
For medical devices, patching is never simple. Medical device software usually runs on a Windows operating system. When Microsoft releases a Windows security patch, it needs to be verified and approved by the medical device manufacturer to make sure the patch doesn’t impact the functionality of the medical device.
Security teams—who are used to the relatively easy processes of IT systems patch management—have a harder time with medical devices because they need to rely on clinical engineering or the manufacturer for patching the devices. This improves when the security team knows which devices have which vulnerabilities, as discussed in Part Two. With this information, they can request specific patches and keep track of the progress.
Isolation of Concerns
Whether or not the devices are patched, it’s important to isolate their clinical data flows from non-clinical data flows. This is done by setting strict access policies and segmentations that restrict non-essential communications to and from the devices.
Additionally, security teams need to work together with clinical engineering and HTM to create stronger password protection and data encryption, wherever possible.
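The access policy described above can be checked against observed traffic. The following is an added example, not part of the original article: it audits flow records against a per-device-class allowlist and reports every flow to or from a medical device that no rule permits. The addresses, device classes, rules and flow records are all constructed for illustration.

```python
import ipaddress

# Constructed allowlist per device class: (direction, peer net, protocol, server port).
POLICY = {
    "ct_scanner": [
        ("out", "10.20.0.10/32", "tcp", 104),    # DICOM store to PACS
        ("in", "10.20.0.10/32", "tcp", 104),     # PACS query/retrieve
    ],
    "infusion_pump": [
        ("out", "10.20.0.20/32", "tcp", 2575),   # HL7 to interface engine
    ],
}

# Constructed inventory from the visibility step: device IP -> device class.
INVENTORY = {"10.30.1.5": "ct_scanner", "10.30.2.7": "infusion_pump"}

# Constructed flow records: (source, destination, protocol, destination port).
FLOWS = [
    ("10.30.1.5", "10.20.0.10", "tcp", 104),   # clinical: CT -> PACS
    ("10.20.0.10", "10.30.1.5", "tcp", 104),   # clinical: PACS -> CT
    ("10.30.1.5", "10.50.4.9", "tcp", 445),    # non-clinical: SMB to office LAN
    ("10.30.2.7", "10.20.0.20", "tcp", 2575),  # clinical: pump -> HL7 engine
    ("10.30.2.7", "203.0.113.8", "tcp", 443),  # non-clinical: internet egress
    ("10.50.4.9", "10.30.2.7", "tcp", 3389),   # non-clinical: RDP into pump
]

def allowed(rules, direction, peer, proto, port):
    """True if one rule permits this peer, protocol and port in this direction."""
    peer_ip = ipaddress.ip_address(peer)
    return any(d == direction and p == proto and prt == port
               and peer_ip in ipaddress.ip_network(net)
               for d, net, p, prt in rules)

def audit(flows, inventory=INVENTORY, policy=POLICY):
    """Return every flow to or from an inventoried device that no rule permits."""
    violations = []
    for src, dst, proto, port in flows:
        # Check each endpoint's view, so device-to-device traffic needs both sides.
        for device, peer, direction in ((src, dst, "out"), (dst, src, "in")):
            dev_class = inventory.get(device)
            if dev_class and not allowed(policy.get(dev_class, []),
                                         direction, peer, proto, port):
                violations.append((device, dev_class, direction, peer, proto, port))
    return violations

if __name__ == "__main__":
    for v in audit(FLOWS):
        print("non-essential flow:", v)
```

A device class with no policy entry has every flow reported, so newly discovered devices are restricted by default until someone defines their clinical data flows.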
Connected medical devices will never be entirely protected from all potential threats. There will always be legacy devices and restrictions on how much security you can enforce. It’s therefore very important to install mechanisms for detecting and alerting when there are unexpected changes in the device behavior patterns.
To achieve this, it’s necessary not only to monitor the behavior of medical device
This is where the clinical context, mentioned in Part One, becomes essential. The more data you have regarding the underlying clinical workflow, the better and faster your response will be to medical device behavior anomalies.
Metrics and Analytics
Medical device cyber security is a long, multi-staged process that needs to be continually improved over time to keep up with the evolving threat landscape. To achieve the best performance in this mission, it’s important to track the progress and to optimize future decisions based on previous results.
Here are some tips for tracking risk mitigation progress:
- Create scorecards for the medical device risk index at different periods of the process.
- Set key performance indicators (KPIs) for medical device network cyber-risk mitigation. KPIs can focus on various risk parameters, such as the location and utilization of the devices, or the severity or impact of the risk.
- Identify which activities and strategies help reduce the medical device risk index and which ones don’t.
- Collect analytics and data that can be useful for future procurement decisions, such as devices that have many unpatched vulnerabilities.
The Future of Healthcare Security
Healthcare security is years behind other industries. There’s a great deal of catching up to do. In this series, we looked at the necessary steps for understanding the risks and for building a strong foundation that will protect the connected medical device ecosystem. In this way, the security gap can be bridged rapidly and effectively, so that hospitals can keep patients safe.