New technology is not the solution for solving medical device cyber security.
Healthcare is targeted by cybercriminals today more than any other industry. Network connected medical devices are one of the largest and most vulnerable attack surfaces. A health system can invest millions of dollars in the latest technology without achieving any meaningful reduction in its medical device attack surface or making patient care safer. New technology is not the solution for solving medical device cyber security.
Cyber security risk mitigation for medical devices is difficult. There is no single technology to solve the problem. IT solution providers have paid little attention to medical device cyber security or the needs of clinical engineering. There are also structural and organizational impediments that limit a healthcare system’s ability to address medical device cyber security.
This process and technology guide will provide insight on how to address these challenges within the healthcare system. The goal is to deliver process improvement and technology optimization to achieve a sustainable level of cyber security readiness. Our objective is to eliminate network connected medical devices as a threat vector and entry point into the health system. Success in this area will reduce the probability and impact of a cyber security event and create positive organizational change over time.
The starting point for risk mitigation is understanding the problem. The challenge is not the perils of network connected medical devices or the dire cyber security implications for patient care, liability or even loss of life. These are merely symptoms of a more fundamental and pervasive set of challenges.
For most health systems, a self-assessment would likely reveal barriers between IT, security and clinical engineering. These organizational divides, which are the result of disparate reporting structures, distrust, non-strategic OEM relationships, old technology and limited collaboration are at the heart of the problem. A legacy island mentality within both IT and clinical engineering is problematic and remains a common element of most healthcare systems’ organizational landscape. The epicenter of the cyber security threat for healthcare is the pervasive nature of this island mentality.
Bridge building between IT, risk and privacy, security and clinical engineering is essential to mitigating the cyber security threat. The outcome for healthcare is better, safer and more effective patient care.
Historically, the fleet of network connected medical devices was limited and exclusively within the purview of the clinical engineering team. In the absence of a cyber security threat, there was no business reason for collaboration between clinical engineering and IT. WannaCry served as a wake-up call. Today, medical device cyber security is the single largest threat to patient care. There is now a compelling reason for cross-departmental cooperation, streamlined reporting, process improvement and optimized technology. Working together, these functions now serve a common purpose that can save lives and reduce risk.
Medical device cyber security is not the same as managing vulnerabilities on personal devices and servers. IT security performs a top-down function and protects the healthcare system in a controlled manner. Medical device cyber security requires a more cross-functional strategy that recognizes the strategic role that clinical engineering plays in mitigating cyber security risk for network connected medical devices.
Healthcare systems must also challenge the OEM community, whose response to WannaCry was lackluster. Enhanced cyber security data from OEMs is essential for risk mitigation and response planning.
IT leaders rely on twenty years of maturity to mitigate security risk. No such maturity, processes, tools or platforms exist today for securing medical devices. There is an urgent need for a modern, enterprise platform, collaboration and organizational process improvement.
Clinical engineering plays a strategic role in helping the organization understand the importance of medical device lifecycle management. The first priority for the cyber security work group is ensuring one point of ingress for all new, replacement or loaner medical devices. The most important process improvements for risk mitigation are unified ingress and standardized on-boarding. Accountability and consequences for non-compliance are absolutely essential for sustainable cyber security risk mitigation.
Building a cyber security team requires board sponsorship and an equal seat at the table for IT, privacy and risk and clinical engineering.
Process improvement requires departmental collaboration and an integrated approach to cyber security risk mitigation. Ensuring each component works together is necessary for a sustainable outcome. Completion of a physical inventory is a critical process activity for cyber security risk mitigation. Completing a physical inventory without addressing ingress and on-boarding is a waste of time and money and will not mitigate the cyber security threat. There are three (3) recommended process improvement areas for modern physical inventory:
Make, model and description will no longer cut it. Process improvements including ingress, on-boarding and EAM (enterprise asset management) allow for the use of expanded medical device security profiles and reduce risk. Incorporating these process improvements will also reduce the need for additional physical inventories. An expanded profile must include audit quality data including:
The health system cannot manage a published vulnerability or cyber security event without an appropriate medical device security profile. The primary users of expanded profiles are IT security and clinical engineering. Better data allows clinical engineering, as the source of authority and EAM owner, to identify affected devices and initiate a response. Expanding device profiles is a mandatory process improvement.
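The following is an added example, not code from the guide or from any vendor, showing in concrete terms why the two process improvements above belong together: a device profile is gated for completeness at the single point of ingress, and the same expanded profile is then used to answer a published advisory precisely rather than by make and model alone. The profile fields, the required-field list, the fictional vendor, models, addresses and the advisory are all constructed for illustration and are not the guide's own list of audit quality data.

```python
"""Added example (not from the guide). A device profile is checked for
completeness at onboarding, then used to match a published advisory.
All field names, device records and the advisory are constructed for
illustration, not taken from any real vendor, product or CVE."""
from dataclasses import dataclass


def version_key(v: str) -> tuple:
    """'3.10.2' -> (3, 10, 2). Non-numeric segments sort as 0 so comparison never raises."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


@dataclass(frozen=True)
class DeviceProfile:
    # Minimal legacy record: make, model, description.
    asset_id: str
    make: str
    model: str
    description: str
    # Expanded, audit-quality fields (an assumed set; the guide's own list is not reproduced here).
    os_name: str = ""
    os_version: str = ""
    firmware_version: str = ""
    ip_address: str = ""
    network_segment: str = ""
    clinical_location: str = ""


# Fields a standardized on-boarding process requires before a device is admitted to the EAM (assumed).
REQUIRED_AT_ONBOARDING = ("os_name", "os_version", "firmware_version",
                          "network_segment", "clinical_location")


def onboarding_gaps(profile: DeviceProfile) -> list:
    """Return the required fields that are blank for this profile."""
    return [f for f in REQUIRED_AT_ONBOARDING if not getattr(profile, f).strip()]


def gate_ingress(profiles):
    """Single point of ingress: accept complete profiles, reject the rest with reasons."""
    accepted, rejected = [], {}
    for p in profiles:
        gaps = onboarding_gaps(p)
        if gaps:
            rejected[p.asset_id] = gaps
        else:
            accepted.append(p)
    return accepted, rejected


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    make: str
    model: str
    fixed_in_firmware: str   # devices running older firmware are affected


def match_by_make_model(profiles, adv):
    """What a legacy inventory can answer: every unit of that make/model, patched or not."""
    return [p.asset_id for p in profiles if p.make == adv.make and p.model == adv.model]


def match_by_profile(profiles, adv):
    """With firmware data: (affected ids, ids matching make/model but lacking firmware data)."""
    affected, unknown = [], []
    for p in profiles:
        if p.make != adv.make or p.model != adv.model:
            continue
        if not p.firmware_version.strip():
            unknown.append(p.asset_id)      # cannot be evaluated; needs physical verification
        elif version_key(p.firmware_version) < version_key(adv.fixed_in_firmware):
            affected.append(p.asset_id)
    return affected, unknown


# Constructed sample inventory (fictional vendor, models and addresses).
INVENTORY = [
    DeviceProfile("A-001", "ExampleMed", "Pump-100", "Infusion pump",
                  "Embedded OS", "6.1", "3.1.4", "10.20.0.11", "biomed-vlan-20", "ICU bay 4"),
    DeviceProfile("A-002", "ExampleMed", "Pump-100", "Infusion pump",
                  "Embedded OS", "6.1", "3.2.0", "10.20.0.12", "biomed-vlan-20", "ICU bay 5"),
    DeviceProfile("A-003", "ExampleMed", "Pump-100", "Infusion pump (loaner)",
                  "Embedded OS", "6.1", "", "10.20.0.13", "", "Med/Surg 2"),
    DeviceProfile("A-004", "ExampleMed", "Monitor-200", "Patient monitor",
                  "Embedded OS", "7.0", "1.0.0", "10.20.0.21", "biomed-vlan-20", "ICU bay 4"),
]

# Constructed advisory: Pump-100 units below firmware 3.2.0 are affected.
ADVISORY = Advisory("ADV-EXAMPLE-001", "ExampleMed", "Pump-100", "3.2.0")

if __name__ == "__main__":
    accepted, rejected = gate_ingress(INVENTORY)
    print("rejected at ingress:", rejected)
    print("make/model match:", match_by_make_model(INVENTORY, ADVISORY))
    print("profile match (affected, unknown):", match_by_profile(INVENTORY, ADVISORY))
```

Run as a script, the loaner unit A-003 is rejected at ingress for missing firmware and network segment data, the make/model query returns all three pumps (including the already patched A-002), and the profile-based query returns only A-001 as affected while flagging A-003 as unknown. The unknown bucket is the operational point: a record that slipped past on-boarding incomplete cannot be evaluated against an advisory at all, which is why the guide treats ingress and expanded profiles as one improvement rather than two.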