Today, medical devices are used throughout the world for the diagnosis and ongoing treatment of medical conditions. Technology advances and medical treatment innovations have led to many of these devices becoming more connected (and interconnected) to healthcare provider networks via various mechanisms. This is achievable through both wired and wireless information communication vehicles and protocols, such as ethernet, USB cables, serial ports, RFID, Bluetooth, and 802.1x, to name a few.
Although networked medical devices continue to provide transformational achievements within patient care, they also introduce cybersecurity and safety risks to the patients and providers who rely on them. These risks will continue to evolve as the device technology and ways in which they are used evolve. The primary risks that have been identified to date (and which continue to be quantified and researched) include risks to patient safety, clinical operations, patient privacy and the broader organizational environment from a compromised medical device.
After many audits and assessments at various organizations of differing sizes across the United States, we have identified a number of common control gaps in healthcare provider medical device security programs. Here, we review the pitfalls and offer guidance on controls, which should be considered to assist in mitigating risks.
No Formal Governance/Team Alignment
Medical device security is a team sport. Devices have become far too complicated, and their application and capabilities have become too far-reaching to allow one individual team to bear the full weight of securing these devices. It’s time to acknowledge this is a shared responsibility between clinical engineering (CE)/biomedical engineering (biomed), cybersecurity, procurement, network team, device manufacturers and vendors, legal and risk management, etc. Many organizations lack a formalized (or non-formalized, for that matter) governance function that would allow these groups to communicate regularly about the security of medical devices within their environment. This doesn’t just apply to small physician practices; large health systems across the U.S. also need to connect these groups with existing or new committees and document formal structure and strategies related to medical device security. These functions should be allocated visibility to leadership for expedited reporting of issues and needs.
Not Getting Biomed and Cybersecurity Involved Early in Planning/Procurement
Many providers report they simply do not have a process for getting biomed and/or cybersecurity involved during early planning/procurement discussions for medical devices. Instead, clinical teams talk directly with procurement about what they need, go out and purchase something themselves or bring in trial equipment from manufacturers. Biomed and cybersecurity should be on the forefront of device vetting so that root cause issues can be worked out prior to the devices arriving at the hospital. Although a delay in timing can perceptively impede improving patient care, moving too fast with purchasing and implementing these new devices may carry big risks to patient care and/or data security.
Shadow devices can also be a very large risk to the organization. Departments and/or physicians can bring in their own devices, rent or receive trials from manufacturers, etc. and these devices can go unnoticed by the critical teams charged with securing the devices until something malfunctions and they are called to fix the phantom device. Organizations should enact proactive controls via biomed and cybersecurity implementation/procurement process tollgates to catch these devices coming in, but they can also use detective controls such as network discovery tools and departmental surveys to uncover existing shadow devices.
Lack of a Standard Set of Devices
Many of us are “brand loyal” when purchasing computing devices for personal use. Whether we identify as Apple or Windows folks, we typically cite convenience and interoperability as key purchase drivers. Healthcare organizations would be wise to do the same, choosing devices from the same manufacturer that play well together. The time and effort spent on securing those devices can be greatly reduced when the selection approach is simplified in that way. Additionally, organizations can benefit monetarily from volume or loyalty discounts from device manufacturers or resellers if they stick to one device type, model, etc. Biomed teams should work with the clinical team and cybersecurity to develop short lists of pre-approved medical devices, and then also develop and implement exception processes where needed.
Lack of Uniform Contract Language
Good vendor management practices have received lots of attention since large data breaches have taken advantage of vendor connectivity to the victim organization. The Office of Civil Rights within the U.S. Department of Health and Human Services (OCR/HHS) and the PCI Council have also recently added key vendor management controls to their respective compliance frameworks. In order to implement these best practices and controls between healthcare provider and medical device manufacturer, start at the contracting phase. Providers should work to review their existing contract requirements and update them with key control requirements. Agreements between these organizations should clearly state medical device security roles and responsibilities, required documentation MDS2, Cybersecurity Bill of Materials [CBOM], etc.), service level agreements, future patching and maintenance processes, etc. Requirements clearly spelled out in the contract will give the provider more control and visibility as to what enters their environment. Some healthcare systems such as the Mayo Clinic have developed impressive vendor management processes related to medical device manufacturers and resellers and have shared this information publicly.
Incomplete and Inaccurate Medical Device Inventories
We are often surprised to learn healthcare organizations don’t know what medical equipment they own, can’t locate the devices, and/or have no information related to cybersecurity controls or vulnerabilities for the devices. Keeping a mostly accurate inventory of devices on the floor will allow a provider to pass Joint Commission audits. But we often ask clients: “Can you truly say you have a handle on all the devices, and have they been prioritized by cybersecurity risk?” Including key cybersecurity fields within your device inventory will allow biomed and cybersecurity to make informed decisions about how the devices should be treated and where your biggest risks may lie. Here’s a few to consider adding to your device inventory:
- Does the device have the ability to create, store, process and/or transmit ePHI?
- Technical identifiers: network segment, IP address, MAC address, model name/number, serial numbers, etc.
- Software/firmware version
- Key controls enabled/available (i.e., password/passcode protected, protected by asset-based anti-virus or anti-malware software, firewall rules or ACLs applied, etc.)
- Encryption status
Some organizations are opting to use RFID location tracking mechanisms and systems to (typically) improve operational processes. These can also be leveraged to assist biomed and cybersecurity teams with their more technical safeguarding missions as well.