May 02, 2022
By Sarah Czarnowski

The Regulation and Implementation of Medical Device Cybersecurity Procedures

This article originally ran in 24×7 magazine.

Regulators around the world are beginning to take notice of the security risks associated with medical devices—and with good reason.

A Palo Alto Networks report from 2020 stated that 83% of Internet-connected medical imaging devices—from mammography machines to MRIs—are susceptible to cyberattacks.

In fact, any network-connected operational technology (OT), including all medical devices and facilities equipment that make up part of the Internet of Things (IoT), faces possible cyber threats that could open the door to data breaches or denial-of-service attacks. That can include something as seemingly secure as an infusion pump.

An Industrial Control Systems Emergency Response Team (ICS-CERT) report found that Internet-connected infusion pumps “may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump (and) it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.”

So, while there’s no doubt that integrating medical devices and healthcare facilities’ OT with the hospital network helps with more efficient patient care, there are obvious risks that come with these technological advances. Hackers have realized that connected devices and systems provide extra windows into hospitals’ networks, giving them more opportunities to access sensitive information or even manipulate life-saving machines.

In the meantime, government and regulatory agencies have been analyzing these new threats and working to introduce measures to stop them.

How Medical Cybersecurity Authorities Are Fighting Back

New legislation, initiatives, and guidance are being enacted worldwide to ensure better safety for medical devices and systems. Here are a few of the most recent developments:

  • The U.S. Department of Health and Human Services 405(d) Program and Task Group is a “collaborative effort between industry and the federal government, which aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the sector.” The program was started in 2015.
  • The Medical Device Coordination Group (MDCG) published new guidance in 2020 to help manufacturers fulfill all the relevant cybersecurity requirements in Annex I of the Medical Devices Regulation (MDR) and In-vitro Diagnostic Medical Devices Regulation (IVDR). The two regulations enhance the focus of legislators on ensuring that devices placed on the EU market are fit for the new technological challenges linked to cybersecurity risks.
  • The European Union Agency for Cybersecurity (ENISA) issued cybersecurity guidelines in 2020 for hospitals procuring services, products, and infrastructure.
  • The Internet of Things (IoT) Cybersecurity Improvement Act of 2020 establishes minimum security requirements for IoT devices owned or controlled by the U.S. federal government and requires the National Institute of Standards and Technology (NIST) to issue standards and guidelines for the use of IoT devices owned or controlled by federal agencies.

In addition, NIST created four publications to help address challenges raised in the Act and provide guidance. Together, four documents—NIST Special Publication (SP) 800-213 and NIST Interagency Reports (NISTIRs) 8259B, 8259C, and 8259D—form a unit intended to help ensure the government and IoT device designers are on the same page about cybersecurity for IoT devices used by federal agencies.

These publications outline a process and starting point for manufacturers to identify the capabilities that help ensure a strong security posture. For example, any organization that purchases a device should be sure they can see and identify the device on their network and change its password.

What Hospitals Can (And Should) Do in the Meantime

While government and regulatory actions can help nudge device makers to provide devices with the appropriate security functionalities, many hospitals can do more when it comes to being proactive on the day-to-day operation and security management of their medical devices.

Typically, the teams responsible for medical devices are not security experts, and their focus is making sure the correct settings, patches, and mitigation are applied to their devices. They’re busy enough ensuring devices are accessible and available.

To address this, many healthcare systems have tried to tackle the problem of medical device security with traditional IT security tools or by deploying a stand-alone OT security discovery solution. These tools, while providing some basic level of visibility, lack the ability to provide context about impacted devices or to act on an OT cybersecurity event.

For example, the IT team may see an IP or MAC address identified as being under attack, but they are often left to try and determine what the device is, if it is being used, details about its maintenance history, ownership, and location information, as well as other important contextual data.

A recent IDC study even called out the critical need for context, beyond basic data obtained from network traffic, to enable security tools to function.

So, what can hospitals do about it? They can implement the four primary elements of an effective OT cybersecurity system:

  1. A single, trusted, and accurate device inventory. This provides necessary contextual data for every device, including network profile data (MAC, IP, patch version, etc.), maintenance history, device location, status, service contract details, and device owner.
  2. Secure onboarding and offboarding. Hospitals need to ensure that medical devices enter service and are placed within the environment of care safely and securely. This is important because it can reduce the chances of taking on unnecessary risk and help remove existing risk from the network environment. In addition, when a device is retired, these capabilities ensure the de-commissioned OT device can be safely disposed of or donated, consistent with best-practice OT security requirements.
  3. An OT device discovery and security monitoring tool, fully integrated with the complete OT device inventory data. This is essential to aid in discovery and visibility for network-connected OT devices and to identify security events.
  4. A single system of action for OT security orchestration and response (or OT SOAR). This includes a rules-based workflow engine that identifies devices affected by an OT security event. OT SOAR matches the event data against an accurate OT inventory and provides the full security context and impact of that event. The organization can then understand what remediation, patching, or mitigating controls to put in place, as well as resolution priority. Then, security work orders can be automatically generated to initiate remediation activities, and the system tracks the progress of the work order from inception through completion.
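As an added illustration of the enrichment step in item 4 (and of the missing-context problem described above), not code from the article or any vendor product: a small Python routine that matches a discovery-tool event against an inventory record and turns it into a security work order. The inventory records, event data, and priority rules are constructed samples; the field names are assumptions.

```python
from typing import Optional

# Constructed sample inventory: the single trusted device record the article calls for.
INVENTORY = [
    {"asset_id": "INF-0042", "type": "infusion pump", "mac": "00:1a:2b:3c:4d:5e",
     "ip": "10.20.30.41", "location": "ICU bed 7", "status": "in use",
     "owner": "clinical engineering", "patch_version": "2.3.1",
     "last_maintenance": "2022-03-14", "service_contract": "active"},
    {"asset_id": "MRI-0003", "type": "MRI scanner", "mac": "00:1a:2b:3c:4d:99",
     "ip": "10.20.31.8", "location": "Radiology suite B", "status": "in service",
     "owner": "radiology", "patch_version": "1.0.0",
     "last_maintenance": "2021-11-02", "service_contract": "expired"},
]

# Constructed sample events, as a discovery/monitoring tool might emit them (IP/MAC only).
EVENTS = [
    {"ip": "10.20.30.200", "mac": "00:1A:2B:3C:4D:5E", "signature": "unauthorized telnet login"},
    {"ip": "10.20.99.7", "mac": "aa:bb:cc:dd:ee:ff", "signature": "port scan"},
]

# Constructed rule: resolution priority follows how the device is currently being used.
PRIORITY_BY_STATUS = {"in use": "P1", "in service": "P2", "idle": "P3", "retired": "P4"}


def lookup_device(event: dict, inventory: list) -> Optional[dict]:
    """Match on MAC first (stable identifier), then fall back to IP (may change with DHCP)."""
    mac = event.get("mac", "").lower()
    ip = event.get("ip")
    for rec in inventory:
        if mac and rec["mac"].lower() == mac:
            return rec
    for rec in inventory:
        if ip and rec["ip"] == ip:
            return rec
    return None


def build_work_order(event: dict, inventory: list) -> dict:
    """Enrich a bare IP/MAC event with inventory context and open a tracked work order."""
    device = lookup_device(event, inventory)
    if device is None:
        # Unknown device: the inventory gap itself is the finding, so the task is onboarding.
        return {"action": "onboard-unknown-device", "priority": "P1", "ip": event.get("ip"),
                "mac": event.get("mac"), "event": event["signature"], "status": "open"}
    return {"action": "remediate", "asset_id": device["asset_id"], "type": device["type"],
            "location": device["location"], "owner": device["owner"],
            "patch_version": device["patch_version"], "service_contract": device["service_contract"],
            "priority": PRIORITY_BY_STATUS.get(device["status"], "P3"),
            "event": event["signature"], "status": "open"}
```

Running `build_work_order` over `EVENTS` yields a fully contextualized order for the infusion pump (matched by MAC despite the changed IP) and an onboarding order for the device the inventory does not know.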

Ultimately, it will take a collaborative effort to protect healthcare systems against these attacks. But by being proactive, implementing the capabilities listed above, and following the latest regulatory guidance, hospital leaders and their teams can always stay one step ahead of bad actors.