Top Security Pitfalls for Medical Devices at Healthcare Providers

Today, medical devices are used throughout the world for the diagnosis and ongoing treatment of medical conditions. Advances in technology and in medical treatment have led to many of these devices becoming more connected (and interconnected) to healthcare provider networks through a variety of mechanisms, both wired and wireless: Ethernet, USB, serial ports, RFID, Bluetooth and 802.11 wireless (Wi-Fi), to name a few.

Although networked medical devices continue to deliver transformational improvements in patient care, they also introduce cybersecurity and safety risks to the patients and providers who rely on them. These risks will continue to evolve as device technology and the ways devices are used evolve. The primary risks identified to date (and still being quantified and researched) are risks to patient safety, to clinical operations, to patient privacy, and to the broader organizational environment when a compromised medical device is used as a foothold into the provider's network.

After many audits and assessments at organizations of differing sizes across the United States, we have identified a number of common control gaps in healthcare provider medical device security programs. Here, we review those pitfalls and offer guidance on controls that should be considered to mitigate the risks.

No Formal Governance / Team Alignment

Medical device security is a team sport. Devices have become far too complicated, and their applications and capabilities too far reaching, for any one team to bear the full weight of securing them. It is time to acknowledge that this is a shared responsibility between clinical engineering (CE) / biomedical engineering (biomed), cybersecurity, procurement, the network team, device manufacturers and vendors, legal and risk management, and others. Many organizations lack any governance function, formal or informal, that would bring these groups together to communicate regularly about the security of medical devices in their environment. This does not just apply to small physician practices; large health systems across the U.S. also need to connect these groups through existing or new committees and document a formal structure and strategy for medical device security. These functions should have a direct line of visibility to leadership so that issues and resource needs can be reported and acted on quickly.

Not Getting Biomed and Cybersecurity Involved Early in Planning / Procurement

Many providers report that they simply have no process for getting biomed and/or cybersecurity involved in early planning and procurement discussions for medical devices. Instead, clinical teams talk directly with procurement about what they need, go out and purchase something themselves, or bring in trial equipment from manufacturers. Biomed and cybersecurity should be at the forefront of device vetting so that root-cause issues (unsupported operating systems, hard-coded credentials, no patching path, unencrypted storage of ePHI) can be worked out before the devices arrive at the hospital. Although the delay may be perceived as holding back improvements in patient care, moving too fast to purchase and implement new devices can carry far bigger risks to patient care and data security.

Shadow devices can also be a very large risk to the organization. Departments and/or physicians bring in their own devices, rent them, or receive trial units from manufacturers, and these devices go unnoticed by the teams charged with securing them until something malfunctions and those teams are called in to fix a device they have never seen. Organizations should enact proactive controls, such as biomed and cybersecurity tollgates in the implementation and procurement process, to catch these devices on the way in, and should also use detective controls, such as network discovery tools reconciled against the device inventory and departmental surveys, to uncover the shadow devices already present.
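The detective control just described, reconciling a network discovery sweep against the medical device inventory, can be scripted. The following is an added example and not code from the original article; the inventory rows and ARP table in it are constructed, the input format is that of Linux `arp -a`, and it assumes that the interface name (e.g. `vlan120`) identifies the network segment a device is expected to live on. It reports three findings: devices on the network that are not in the inventory (shadow devices), inventoried devices not observed on the network (candidates for the lost-device process), and inventoried devices answering on a segment other than the one recorded for them.

```python
"""Reconcile a network discovery sweep against the medical device inventory.

Constructed example: the inventory rows and the ARP table below are made up
for illustration and are not real devices or real scan output. The discovery
input is in the plain-text format of `arp -a` on Linux; any tool that yields
IP/MAC pairs per segment can be adapted by replacing parse_arp().
Assumption: the kernel interface name (e.g. vlan120) identifies the network
segment the device is expected to live on.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryDevice:
    asset_tag: str
    model: str
    mac: str       # normalised: lowercase, colon-separated
    segment: str   # segment / VLAN the device is supposed to be on


def normalise_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff forms."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Linux `arp -a` line: "host (ip) at mac [ether] on iface"; "<incomplete>"
# entries carry no MAC and are deliberately left unmatched.
ARP_LINE = re.compile(
    r"^\S+\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-fA-F:.-]+)"
    r"\s+\[ether\]\s+on\s+(?P<iface>\S+)"
)


def parse_arp(text: str) -> dict:
    """Return {mac: (ip, interface)} for every complete ARP entry."""
    discovered = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            discovered[normalise_mac(m["mac"])] = (m["ip"], m["iface"])
    return discovered


def reconcile(inventory, discovered):
    """Three findings a biomed/cybersecurity review wants:
    shadow        - on the network, not in the inventory (unvetted device)
    unseen        - in the inventory, not on the network (candidate lost device)
    wrong_segment - inventoried device answering on a segment it should not be on
    """
    known = {d.mac: d for d in inventory}
    shadow = {mac: loc for mac, loc in discovered.items() if mac not in known}
    unseen = [d for d in inventory if d.mac not in discovered]
    wrong_segment = [
        (d, discovered[d.mac][1])
        for d in inventory
        if d.mac in discovered and discovered[d.mac][1] != d.segment
    ]
    return shadow, unseen, wrong_segment


# --- constructed sample data -------------------------------------------------
INVENTORY = [
    InventoryDevice("BM-1001", "Infusion pump", normalise_mac("00-1A-2B-3C-4D-5E"), "vlan120"),
    InventoryDevice("BM-1002", "Patient monitor", normalise_mac("001a.2b3c.4d5f"), "vlan120"),
    InventoryDevice("BM-1003", "Ultrasound cart", normalise_mac("00:1a:2b:3c:4d:60"), "vlan130"),
    InventoryDevice("BM-1004", "Portable ECG", normalise_mac("00:1a:2b:3c:4d:61"), "vlan120"),
]

ARP_OUTPUT = """\
? (10.20.30.41) at 00:1a:2b:3c:4d:5e [ether] on vlan120
? (10.20.30.42) at 00:1A:2B:3C:4D:5F [ether] on vlan120
? (10.20.30.77) at 00:1a:2b:3c:4d:77 [ether] on vlan120
? (10.20.30.99) at <incomplete> on vlan120
? (10.20.40.10) at 00:1a:2b:3c:4d:60 [ether] on vlan140
"""


def run_reconciliation():
    return reconcile(INVENTORY, parse_arp(ARP_OUTPUT))


if __name__ == "__main__":
    shadow, unseen, wrong = run_reconciliation()
    for mac, (ip, iface) in shadow.items():
        print(f"SHADOW   {mac} {ip} on {iface}: not in inventory, route to biomed/cyber tollgate")
    for d in unseen:
        print(f"UNSEEN   {d.asset_tag} {d.model}: not observed, start lost-device process")
    for d, iface in wrong:
        print(f"SEGMENT  {d.asset_tag} {d.model}: expected {d.segment}, seen on {iface}")
```

MAC addresses are normalised before comparison because inventories, switch exports and discovery tools each use a different notation; without that step, the same pump shows up as a shadow device in one run and as missing in the next. A single ARP snapshot only sees devices that have recently talked on the scanning host's segments, so "unseen" is a prompt to go and look, not proof of loss.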

Lack of a Standard Set of Devices

Many of us are "brand loyal" when purchasing computing devices for personal use. Whether we identify as Apple or Windows folks, we typically cite convenience and interoperability as key purchase drivers. Healthcare organizations often do the same, choosing devices from the same manufacturer that simply play well together, and the time and effort spent on securing those devices can be greatly reduced when the fleet is simplified: fewer models means fewer firmware baselines to track, fewer vendor patch processes to follow and fewer network profiles to maintain. Additionally, organizations can benefit monetarily from volume or loyalty discounts from device manufacturers or resellers if they stick to one device type, model, etc. Biomed should work with the clinical team and cybersecurity to develop short lists of pre-approved medical devices, and then develop and implement an exception process for cases where the short list does not fit.

Lack of Uniform Contract Language

Good vendor management practices have received a lot of attention since several large data breaches took advantage of vendor connectivity into the victim organization. Additionally, the Office for Civil Rights within the U.S. Department of Health and Human Services (HHS OCR) and the PCI Security Standards Council have both added key vendor management controls to their respective compliance frameworks. To implement these best practices and controls between a healthcare provider and a medical device manufacturer, start at the contracting phase. Providers should review their existing contract requirements and update them with key control requirements. Agreements between these organizations should clearly state medical device security roles and responsibilities; required documentation (the Manufacturer Disclosure Statement for Medical Device Security (MDS2), a Cybersecurity Bill of Materials (CBOM), etc.); service level agreements; and future patching and maintenance processes, including how long the manufacturer will support the device's operating system and firmware. Requirements spelled out in the contract give the provider more control over, and visibility into, what enters their environment. Some health systems, such as the Mayo Clinic, have developed impressive vendor management processes for medical device manufacturers and resellers and have shared this information publicly.

Incomplete and Inaccurate Medical Device Inventories

We are often surprised to learn that healthcare organizations do not know what medical equipment they own, cannot locate the devices, and/or have no information about the cybersecurity controls or vulnerabilities of the devices. Keeping a mostly accurate inventory of the devices on the floor will allow a provider to pass Joint Commission audits. But we often ask clients: "Can you truly say you have a handle on all the devices, and have they been prioritized by cybersecurity risk?" Including key cybersecurity fields in your device inventory will allow biomed and cybersecurity to make informed decisions about how each device should be treated and where your biggest risks lie. Here are a few fields to consider adding to your device inventory:

  • Does the device have the ability to create, store, process, and/or transmit ePHI?
  • Technical identifiers: network segment, IP address, MAC address, model name / number, serial number, etc.
  • Software / firmware version, and whether the vendor still supports it
  • Key controls enabled / available (e.g., password / passcode protected, protected by host-based anti-virus or anti-malware software, firewall rules or ACLs applied, etc.)
  • Encryption status (data at rest and in transit), and whether the configuration matches HHS guidance for "secured" PHI

Some organizations are opting to use RFID location tracking systems, typically to improve operational processes such as finding equipment on the floor. These can also be leveraged to assist biomed and cybersecurity with their more technical safeguarding missions, for example by tying a device's last known physical location to its inventory record.

Lack of Risk Assessment Procedures

What happens when, after two missed preventive maintenance cycles spanning a full year, the provider finally acknowledges that a device has gone missing? Is anything being done to quantify the risk to the organization from a potential data breach? Most organizations have no process for performing a risk assessment on a missing device to understand the implications, which could very well be a breach as defined by HHS. Under the HIPAA Breach Notification Rule, only unsecured PHI is in scope, and HHS guidance treats PHI encrypted consistent with that guidance as secured. So if the organization cannot definitively say that the device held no ePHI, or that its ePHI was encrypted (and the key did not go missing with it), the loss is most likely a reportable breach and should immediately be evaluated further. Providers should equip themselves with enough data about each device, recorded in the inventory before the device goes missing, to make a risk-based determination of whether a breach has occurred. Processes for lost or missing devices should be updated to involve the cybersecurity and regulatory teams up front for deeper analysis.
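The two preceding sections argue for carrying cybersecurity fields in the inventory, prioritizing devices by risk, and using those same fields to decide whether a lost device is a presumptive breach. The following added example (not code from the original article) shows one way to do all three in a single inventory record. The device records are constructed, the scoring weights are an assumption chosen for illustration and should be replaced by the organization's own risk methodology, and the lost-device function is a screening step that hands the case to the cybersecurity and regulatory teams, not a substitute for their determination.

```python
"""Carry cybersecurity fields in the inventory, prioritise devices by risk, and
apply the lost-device screening rule.

Constructed example: the device records are made up, and the scoring weights
are an assumption chosen for illustration; substitute the organisation's own
risk methodology. The lost-device rule encodes the position in the text
(unless the device can be shown to have held no ePHI, or to have been
encrypted, treat the loss as a presumptive reportable breach) as a screening
step for the cybersecurity and regulatory teams; it is not legal advice.
"""
from dataclasses import dataclass
from enum import Enum


class TriState(Enum):
    """Inventories frequently do not know; UNKNOWN must be representable."""
    YES = "yes"
    NO = "no"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class DeviceRecord:
    asset_tag: str
    model: str
    segment: str
    ip: str
    mac: str
    firmware: str
    handles_ephi: TriState        # creates, stores, processes or transmits ePHI?
    storage_encrypted: TriState   # data at rest encrypted consistent with HHS guidance?
    passcode_protected: bool
    host_antimalware: bool        # host-based anti-virus / anti-malware present
    network_acl: bool             # firewall rules or ACLs applied to the device
    internet_reachable: bool


def risk_score(d: DeviceRecord) -> int:
    """Higher is worse. Weights are illustrative assumptions, not a standard."""
    score = 0
    if d.handles_ephi is TriState.YES:
        score += 40
    elif d.handles_ephi is TriState.UNKNOWN:
        score += 25          # not knowing counts against the device
    if d.storage_encrypted is not TriState.YES:
        score += 20
    if not d.passcode_protected:
        score += 10
    if not d.host_antimalware:
        score += 5
    if not d.network_acl:
        score += 15
    if d.internet_reachable:
        score += 10
    return score


def prioritise(devices):
    """Worst first; ties keep inventory order (sorted() is stable)."""
    return sorted(devices, key=risk_score, reverse=True)


class LostDeviceOutcome(Enum):
    NOT_REPORTABLE = "device held no ePHI: not a breach of PHI"
    SECURED = "ePHI encrypted per HHS guidance: secured PHI, presumptively not reportable"
    PRESUMED_BREACH = "unencrypted ePHI on device: treat as a reportable breach"
    UNKNOWN_TREAT_AS_BREACH = "cannot rule out unencrypted ePHI: treat as reportable until shown otherwise"


def lost_device_determination(d: DeviceRecord) -> LostDeviceOutcome:
    """Screening rule for a missing device; escalates unless a safe case is proven."""
    if d.handles_ephi is TriState.NO:
        return LostDeviceOutcome.NOT_REPORTABLE
    if d.storage_encrypted is TriState.YES:
        return LostDeviceOutcome.SECURED
    if d.handles_ephi is TriState.YES and d.storage_encrypted is TriState.NO:
        return LostDeviceOutcome.PRESUMED_BREACH
    return LostDeviceOutcome.UNKNOWN_TREAT_AS_BREACH


# --- constructed sample inventory --------------------------------------------
Y, N, U = TriState.YES, TriState.NO, TriState.UNKNOWN
SAMPLE_INVENTORY = [
    DeviceRecord("BM-2001", "Infusion pump", "vlan120", "10.20.30.41", "00:1a:2b:3c:4d:5e", "4.2.1", Y, N, False, False, True, False),
    DeviceRecord("BM-2002", "Imaging workstation", "vlan130", "10.20.40.10", "00:1a:2b:3c:4d:60", "7.0", Y, Y, True, True, True, False),
    DeviceRecord("BM-2003", "Legacy patient monitor", "vlan120", "10.20.30.42", "00:1a:2b:3c:4d:5f", "unknown", U, U, False, False, False, True),
    DeviceRecord("BM-2004", "Vitals cart (no storage)", "vlan120", "10.20.30.43", "00:1a:2b:3c:4d:61", "2.3", N, N, True, False, False, False),
]


if __name__ == "__main__":
    for d in prioritise(SAMPLE_INVENTORY):
        print(f"{risk_score(d):3d}  {d.asset_tag}  {d.model}")
    for d in SAMPLE_INVENTORY:
        print(f"{d.asset_tag} lost -> {lost_device_determination(d).value}")
```

The point of the `UNKNOWN` state is that a blank inventory field is itself a finding: the legacy monitor with no recorded ePHI or encryption status ranks first for attention, and if it goes missing the rule escalates it rather than letting the gap in the record read as "no ePHI".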

So what’s next?

Organizations that recognize any, or all, of these pitfalls should take a deeper look at how medical device security is being handled. Ensuring that biomed and cybersecurity are closely aligned on the key risks and controls for medical devices is essential, and strong contracts and requirements with medical device manufacturers and resellers are becoming increasingly important. The issues may seem overwhelming, but recognizing that medical device security needs more attention is an important first step.

Jeffrey Sanchez

Managing Director
Technology Consulting – Security and Privacy

Chris Manning, CISSP, GSEC, QSA, CISA

Associate Director
Technology Consulting – Security and Privacy