Sep 23, 2021
By Tony Bailey

Why Hospitals Struggle with Medical Device Security (And What They Can Do to Address It)

It’s never been more challenging to protect hospitals from cyber-attacks. Hackers are using increasingly sophisticated methods to breach IT security systems and obtain unauthorized access to sensitive information.

And while it’s rare, there is also a very real possibility that these attacks could target operational technology (OT) assets. This is especially concerning for hospitals, as any network-connected devices—including heart rate monitors, infusion pumps, and even HVAC systems—could be manipulated, significantly compromising patient safety.

That’s why it’s crucial for modern hospitals to understand the importance of medical device security and be prepared to respond to threats and vulnerabilities.

Unfortunately, many hospitals are falling behind when it comes to securing their network-connected medical devices. In this post, we’ll briefly discuss why these shortcomings happen, and then identify how hospitals can address them.

Common OT-Related Security Problems for Hospitals

While every hospital wants to ensure its medical devices remain safe and available, they’re not always able to implement effective security measures to achieve this. Here are a few reasons why.

  • Lack of budget: Oftentimes in hospital systems, security for IT devices (like laptops and servers) receives a larger allocation of the overall IT budget than security for OT devices. While it may not seem like a significant issue, this disconnect can make it challenging to dedicate sufficient resources to OT security.
  • Insufficient technology: In many cases, healthcare systems have attempted to tackle an OT security problem, but lack of knowledge about the subject leads them to immature technology solutions. For example, they may invest in an OT discovery and security monitoring tool without knowing that such a solution isn’t enough to provide comprehensive security on its own. As we’ll see momentarily, device context and orchestrated remediation are also key parts of a holistic OT security program.
  • Underqualified staff: Another factor that affects OT security is the difficulty of finding personnel with the right skills. A SANS 2021 survey of OT security defenders across all industries found that over half of respondents reported insufficient labor resources to implement existing security plans.1

The survey also reported that over half of respondents mentioned that IT staff does not understand OT operational requirements. This is significant because, in the healthcare industry, these requirements often dictate that only authorized, certified personnel can even touch a medical device.

The First Steps for Solving OT Security Problems

There are definitive steps hospitals can take to address the issues above. While budget will of course vary across organizations, every hospital should be looking to invest in technology and staff needed to secure their OT assets.

Firstly, every hospital needs a single, trusted inventory of device profiles that includes details such as maintenance history, the device owner’s name, and what the device is currently being used for.

As we mentioned above, discovery and security monitoring tools can be useful, but only when paired with a comprehensive inventory. This allows OT security monitoring tool events to be fully contextualized and can help with an orchestrated, automated response and remediation—abilities that characterize the highest possible level of OT Security.

In addition, hospitals need proper staff in place to plan for and address these issues. While many small- to medium-hospital systems rely on third-party vendors to manage their OT security, these vendors may be more IT-focused and often fail to address security for OT devices and facilities systems with adequate care.

Instead, hospitals need a team with skills and experience to understand and address the security risks presented by OT devices. This will ideally include the skills to navigate a single inventory that is integrated with security and monitoring tools and tied to a system of remediation action, as we outlined above.

Simplifying OT Security for Hospitals

Nuvolo and First Health Advisory have recently partnered to level up OT Security for healthcare organizations. By combining the robust capabilities of Nuvolo OT Security with First Health Advisory’s OT security risk management services, we’re helping to reduce friction for hospitals in assessing, planning, implementing, and running an effective OT security risk management program.

This service leverages Nuvolo’s single inventory of OT devices and healthcare facilities systems, its ability to integrate with OT security monitoring and discovery tools, and its capability to prioritize, correlate, and orchestrate automated workflows for fast remediation.

 

When a security event occurs, Nuvolo provides teams with the ability to see the full context of a device, know who the device owner is, and understand what remediation process must be followed. First Health Advisory then helps remediate the issue, or an automated work order is dispatched to the qualified HTM technician.

Together, we’re making it simpler than ever for hospitals to understand and address OT security-related issues, threats, and vulnerabilities.

Learn more about Nuvolo OT Security and Nuvolo’s partnership with First Health Advisory.

 

1SANS 2021 OT/ICS Cybersecurity Survey