The platform provides device identification and security profile capabilities that exceed MDS2-level data. Valuable contextual information is available on each medical device. The data comes in the form of an expanded medical device profile. Complete, cyber-compliant device profiles serve as the enabling mechanism for response to network monitoring and security events. This data also provides event enrichment and the context for automated remediation activities. The platform utilizes a modern and innovative data model to compare the medical device inventory against reported vulnerabilities from the NIST National Vulnerability Database (NVD) or other published sources.
The process includes a modern physical inventory or consumption of information from a trusted data source. The goal is standardized and cyber-compliant medical device profiles. The platform will ingest MDS2 form data as well as Common Platform Enumeration (CPE) and network identification information. The platform also integrates with leading network discovery and security monitoring tools to maintain the integrity of medical device inventory data over time. A best-practices approach requires a structured medical device ingress process and on-boarding procedures to ensure new, loaner and replacement medical devices are introduced into the health system in a secure manner with cyber-compliant profiles.
The foundation for medical device cyber security is a single, trusted enterprise system of record. Securing medical devices requires a single platform with standard naming, location, department, contact and network data as well as a matching capability for Common Platform Enumeration or CPE identifiers. The Nuvolo medical device cyber security platform integrates with existing monitoring and discovery tools to deliver comprehensive cyber security protection.
The platform provides native integration capabilities for inbound discovery, utilization data and security events. The platform also has native capability to return those events to the originating system with full correlation and enrichment. These advanced capabilities allow existing IT security systems to automate all required technical mitigation steps such as adding network ACLs or changing firewall configurations to protect and isolate an affected medical device.
The platform supports integrated CAD-based floor mapping with integration into both passive and active RTLS systems. Integration allows for near real-time tracking of medical devices. This capability also provides real-time updates to the location field in the platform as medical devices move throughout the health system. The platform serves as a trusted source of location data. Clinical engineering and IT security personnel can systematically locate and initiate remediation activities in the event of cyber security activity or a published vulnerability.
The platform has comprehensive security and administrative access controls based on roles with specific privileges. Out of the box, the defined roles include technicians, managers and security administrators. Additional roles can be easily configured based on the specific health system requirements.
The platform comes standard with a comprehensive reporting and analytics module. The easy-to-use toolset includes pre-built reports, analytics and the capability to build custom reports and dashboards in real time. The reporting and analytics module is flexible and extensible, and new reports and dashboards can be created in minutes.
The platform automates the processing of security events including:
- Correlation to medical device inventory
- Notification to responsible parties within the clinical engineering, IT security, service provider and OEM ecosystem
- Auto-dispatch of corrective maintenance work orders for immediate investigation and initiation of remediation activities
- Initiation of digital procedure checklists within the platform to ensure standardized and auditable remediation activities
- SLA management and tracking
- Comprehensive data, analytics and reporting for audit purposes
No other solution or technology has the holistic data model and workflow engine needed to properly orchestrate and automate medical device cyber security for the health system.
Cyber security protection requires knowing what medical devices exist, location data, movement, department-level ownership and standard operating procedures for remediation in the event of a cyber security event or published vulnerability. It also requires a single ingress for all new, replacement and loaner medical devices entering the health system. Physical inventory provides a baseline for cyber security protection when coupled with closing disparate ingress points for medical devices entering the health system. Sustainable cyber security protection can only be achieved by consolidating ingress and standardizing device on-boarding in a single, trusted, modern enterprise system.
When the health system uses physical inventory together with ingress consolidation, successful cyber security protection can be achieved.
Many health systems today utilize legacy CMMS technology. These systems have little or no native medical device cyber security capabilities. Legacy CMMS is difficult to configure, and supporting expanded medical device security profiles is a real challenge. Legacy CMMS owners will also face the complexity, time requirements and cost associated with integrating these systems with modern IT and security systems. These challenges are compounded for health systems operating multiple, disparate CMMS technologies.
Nuvolo provides a single, modern system of record to replace legacy CMMS and address cyber security risk mitigation for the health system in a single platform. A modern CMMS (EAM) capability is a prerequisite for sustainable cyber security risk mitigation.
Medical device cyber security is a subscription software service. The cost of the subscription is based on the total number of network-connected medical devices. Each network-connected medical device is charged a single flat rate per managed device per year.
The health system should expect to have an operational platform in place within 90-120 days from project kickoff for basic cyber security protection. Incremental value will be achieved as updated physical inventory and Common Platform Enumeration (CPE) data is populated within the platform. The health system should expect that populating medical device physical inventory and CPE data will take six (6) to twelve (12) months from project kickoff, based on the size and geographic footprint of the health system. Added value will be incremental as data gets populated within the platform.