Sep 08, 2021
By Sarah Czarnowski

On and Available: How Nuvolo Applies Industry-Leading Standards to Medical Device and Facilities Systems Security

Cybersecurity is a growing priority for healthcare organizations across the globe—but it can be challenging to implement and execute effectively. In fact, across the healthcare sector, the average time to identify and contain a breach is 329 days. Not exactly speedy.

And when it comes to protecting physical, network-connected medical devices and systems, healthcare technology management (HTM) teams have arguably one of the most difficult cybersecurity tasks of all. They’re charged with ensuring the uninterrupted operation of these assets—which can include critical things like MRI machines, transfusion pumps, or even HVAC systems—to ensure patient safety at all times.

Ransomware attacks are on the rise, and while many of these are targeted at information technology (IT) devices like computer systems, hackers could also easily gain access to operational technology (OT) like the assets mentioned above. From there, they could shut them down or otherwise manipulate them for nefarious purposes.

That’s why HTM teams need a clear roadmap that allows them to identify threats across their organization and act on them quickly—before it’s too late.

In this post, we’ll take a look at how Mayo Clinic and Nuvolo have worked together to address these important concerns with a set of standards specifically for teams managing network-connected medical devices and systems.

The challenges of medical device and systems security

HTM teams have the unique responsibility of ensuring medical devices and systems are safe, accessible, and available. That means if a security event occurs or a vulnerability is found, there must be a clear process for remediation.

Unfortunately, many medical devices don’t follow a standard operating procedure. They have controls that are vendor-specific or can’t be updated. And even if the controls are usable, there is often confusion around who should handle the remediation work (IT team vs. HTM team, for example). This directly impacts the safety and availability of crucial, life-saving technologies.

What’s more, many HTM teams don’t have an effective device lifecycle process in place that incorporates procedures to manage security risks.

This means that devices may not be secured properly, and the organization may be unsure of its overall risk level. These teams need effective security lifecycle profiles (SLPs) and SLP remediation plans (SLP-RPs), which require specialist knowledge, thorough development and testing, and ongoing overhead to keep the best practices (or “standards”) up to date.

Another challenge is the absence of one trusted medical device inventory. Having such an inventory—ideally accessible via mobile devices, tablets, and laptops—is crucial for device matching, contextualization, and security event correlation. Without it, HTM teams are left guessing where a device is located, the date of its last update, what department owns it, and other key information. This makes it much more difficult to address a security issue in a timely way.


Common challenges in medical device and systems security


How having go-to standards can help

Drawing on decades of experience addressing the concerns outlined above, the Mayo Clinic Healthcare Technology Management Cybersecurity team has created a standardized process for implementing medical device security procedures.

This structured, templated system—based on the National Institute of Standards and Technology (NIST) and Association for the Advancement of Medical Instrumentation (AAMI) standards—helps ensure medical devices and healthcare facilities systems meet organizational and security requirements throughout their lifecycle.

Recently, Nuvolo worked with Mayo Clinic to create Nuvolo OT Security with Industry Leading Standards, combining the robust capabilities of Nuvolo Connected Workplace with the thoughtfully crafted standards developed by Mayo Clinic.

Nuvolo clients now have access to a library of manufacturer- and model-specific risk remediation processes that can be applied during device evaluation and onboarding. These include activities such as implementing strong default passwords, confirming installation of the latest software patches, and checking for vendor-recommended network and security settings.


An example checklist of settings that help ensure industry-leading standards throughout the device lifecycle (Note: not a screenshot of the Connected Workplace interface)


Plus, Nuvolo OT Security helps deliver enhanced medical device and systems security by providing:

  • A single device inventory that integrates with discovery and security monitoring tools.
  • Rules-based workflows to identify and correlate all devices affected by vulnerabilities or cybersecurity events.
  • Automated remediation across support teams to resolve issues quickly.

These capabilities combined with Mayo Clinic’s standards help HTM teams gain greater visibility and remediation capabilities so they can better protect their fleet of connected medical devices and healthcare facilities systems.

Learn more about Nuvolo OT Security for healthcare, and find out how we’re applying the standards developed by Mayo Clinic.