Nov 11, 2020
By Leslie O'Connell

Children’s Hospital – A Medical Device Security Success Story

If I could time travel into the future, my first port of call would be the point where medical technology is at its best because, like most people on this planet, I have this aversion to dying.”


–  Neal Asher – Famous English Sci-Fi Writer

If you time-traveled from 1920, today’s medical devices would seem like something out of a science fiction novel. We can only imagine what life-saving devices will look like in the next 100 years; I’m sure they’ll be amazing, and I’m sure humankind will have fixed the cyber security problem by then.

But for now …

Cybercriminals are upping their game; attacks are now common occurrences. So much so that the FDA and DHS regularly issue warnings of potential vulnerabilities with common devices, like imaging systems, infusion pumps, and anesthesia machines.

We understand this and feel obligated to ensure that the medical devices our solution tracks and maintains are also protected.

How do you build a robust medical device cyber security program across your health care organization? Here’s how.

Children’s Health Care


Our customer is one of the largest and busiest children’s health care systems in the U.S. They rely on thousands of network-connected devices to care for the 250,000-plus children they treat each year.

The hospital’s executive leaders, clinical engineering, and IT security teams set out to create a process to safeguard all their medical devices.

They have Nuvolo for medical device inventory and equipment work order management and Zingbox for device discovery and monitoring. Logically, they thought if they integrated Nuvolo’s inventory data into Zingbox’s monitoring solution, they would have a mature cyber security platform.

When the Zingbox monitoring system detects a security event, a simple lookup on the Nuvolo device database correlates the MAC or IP address to the device, telling you the location and other essential details. Remediating the device from that point forward, however, is a manual process.

This integration did not provide them with a mature cybersecurity solution. There was no remediation automation, assessment, correlation, or context for the threat.

They quickly realized they needed to move to Nuvolo’s fully integrated Cyber Security solution. A solution complete with orchestration, automation, and real-time response management.

Here’s how Nuvolo OT Security Works

Nuvolo is a modern CMMS with a robust medical device inventory and history database.   First, we integrated our data-rich CMMS device inventory database with IoT security and medical device monitoring tools.

Then, we built a medical device cybersecurity control center, complete with automation, discovery, and tracking.

We did the integrations already; there’s no need to spend your time and resources only to find out, like this client did, that you’ll need to do a lot more to get to the highest maturity level.

If there’s an incident, IT and Security have the information they need for swift action. They instantly know what room the device is in, what department owns it, the software and firmware information and that Matt Smith is the clinical technician for the device.

However, that’s not all; there’s a lot more proactive and reactive cyber orchestration built into our solution.

Operationalizing Your OT Security Process

Our OT Security solution is designed for SecOps, IT, Clinical Engineering, and Facilities to work together, and designed for each to get the information they need from the system.

We act as a translation layer, pushing your monitoring solutions security event data through our cybersecurity tool to enrich the events. Whether it’s a vulnerability, an active exploit, a discovery event, or a utilization event, we track, automate, and enhance orchestration.

The console consists of two main queue’s EAM and EAM Security.

EAM queue

The EAM queue is the starting place for all the data and where the automation happens. It’s the translation layer; all events – discovery, utilization, security – are feed through key records for each event type.

All the data coming through has different attributes. You’ll want to be able to take further action depending on the data and the event.

That’s where Action Scripts come in; they are the rules and workflows created to drive automation.  The action scripts are specific to each event type – discovery, utilization, and security.

For example,

The facilities department sets up a new defibrillator and creates the device record in Nuvolo’s CMMS.

  • The device is then discovered by the IT monitoring system and is registered in Nuvolo OT Cyber as an unknown device.
    • If the MAC address is known, an action script will correlate the MAC address with CMMS device data and automatically update the device record to identify the device as the defibrillator.
    • Suppose the IT monitoring solution is only discovering an IP address. In that case, an action script will automatically create a work order to have a technician check out the device and update the CMMS device record.
  • If a security event is associated with that defibrillator, action scripts can simultaneously alert IT and trigger a high priority work order to Clinical Engineering.

EAM Security Queue

The EAM Security Queue is your proactive OT cybersecurity monitoring tool. It tracks what threats have been found in your environment, what you’ve done so far about those threats, and provides the data to monitor for new threats.

Here’s how:

  • Assessments

This queue allows you to proactively assess your devices against Manufacturers Disclosure Statement for Medical Device Security (MDS2) data. It’s checking for devices that are missing key features of MDS2 guidelines.

For instance, rules created in the assessment queue check for devices that aren’t automatically logging off after a certain amount of time or devices with unrestricted administrative privileges.

  • Exploits

This queue lists the security events and affected devices in your medical device fleet. It’s an inventory of what threats or vulnerabilities were found, what’s been remediated, what’s still actively being worked on.

You can see a complete history of the events and any remediation steps that IT, Security, or Facilities has taken. History such as what software patches have been applied or what clinical engineer was dispatched.

All details about the device remediation steps are detailed in this section.

  • Vulnerabilities

We have an automated import service that captures data from national vulnerability databases, like the FDA or ECRI, and has a Common Weakness Enumeration (CWE) import template. This imported data is checked against all network medical devices for proactive remediation workflows.

If, for instance, there’s a known vulnerability in the software that runs your infusion pumps. We correlate that data with the 100’s of infusion pumps, verify which ones are affected, alert IT and clinical engineering and create the remediation work orders.

  • Cyber Security Dashboards

We’ve created this data-rich OT cyber platform that elevates your cybersecurity posture. You’ll want dashboards to keep track of it all.

We give you feature-rich, drill-down capable dashboards and reports. Here are some examples:

  1. Security Event Dashboard – See the details of security events from the moment they hit the system to complete remediation.
  2. Vulnerability Dashboard – Track vulnerabilities and see what was done, what other devices you have that exhibit similar characteristics, and what steps you are taking to prevent an attack.
  3. Manufacturers Vulnerability Dashboard – Understand which manufacturers and devices are opening you up to the most risk.

Our customer, the children’s health care system, implemented Nuvolo’s security solution. Those medical devices being used to treat 250,000-plus children each year are more secure than ever from cyber threats.

And that’s what their medical executives, IT, and clinical engineering teams really wanted.