One of the most crucial aspects of moving medical care into the 21st century is increased access. Giving healthcare providers the ability to interact with more data, diagnostic tools and treatment devices substantially amplifies their capacity to provide comprehensive, targeted care. Unfortunately, the flip side is that healthcare providers aren’t the only ones who might try to gain entry.
Thirty years ago, cybersecurity was hardly a consideration. Fifteen years ago, it was an afterthought — a minor factor quickly reviewed at the end of a design cycle. Our increasingly interconnected world requires that cybersecurity become a core feature of any sophisticated (or even elementary) electronic device. This article will look at some of the guiding principles behind an effective cybersecurity risk assessment for medical devices.
What Should You Consider for Medical Device Cybersecurity?
On a federal level, the FDA has yet to publish a set of universal requirements; however, they have recognized the general standards outlined in ANSI/UL 2900. These will most likely form the core of any legal regulations the FDA eventually issues. Additionally, some states (e.g., Oregon and California) have passed laws requiring minimal cybersecurity baseline standards to be met. Begin with these specifications as you establish a cybersecurity risk assessment process for your organization.
It’s also critical to recognize which devices should be included under a cybersecurity umbrella. Networked and wireless devices are easy to identify, but isolated devices with exposed USB or ethernet ports should also be considered. If a device has the capacity to be accessed remotely — whether it’s currently being employed or not — it must be included in your review.
A Three-Tiered Process for Medical Device Cybersecurity Risk Assessment
Asset Management and Access Management
The first aspect of a thorough cybersecurity risk analysis revolves around physical controls. Inventories must be comprehensive, accurate and routinely audited. Physical security controls need to be in place to ensure that only authorized personnel can check out, use and relocate medical devices. At a broad scale, procurement and disposal procedures for the entire organization must be aligned with inventory control and access control processes. All of this occurs under the umbrella of asset management.
An additional core consideration is access management. It can be easy to assume that a device that isn’t connected to the hospital network and is located in a restricted area doesn’t pose a risk, but that is often not the case. How often are your permission groups scrubbed to ensure that the restricted areas in a facility are appropriately mapped and segregated? What are your organizational procedures for granting access to certain areas? How frequently are access lists scrubbed to remove people with outdated permission levels? One particular concern is vendor access, and strict procedures must be established and adhered to when it comes to visitors.
A Door vs A Destination
Second, a thorough cyber risk assessment must be conducted at the individual device level. Keep in mind that the purpose of a risk assessment is to identify and quantify risk. Don’t make the mistake of assuming anything. If a device is extremely low risk but still can be accessed remotely, those capabilities must be identified, recorded and systematically handled. Technology continually evolves, and today’s low-risk device might become a crucial point of entry for hackers tomorrow.
One question you should ask at this stage revolves around second-tier vulnerabilities. Identifying and quantifying the potential damage any individual compromised device could have is relatively straightforward: outline that device’s capabilities and the worst-case scenarios are typically apparent. However, understanding the damage that the device could have as a door instead of a destination is even more essential.
Third, review the hospital or organizational network as a whole. This is another area where access management is crucial. Robust procedures for establishing, assigning, reviewing and removing permissions must be created, and they should be audited regularly. There will be a natural tension between IT and medical providers: in an ideal tech world, a nurse would have to enter a 16-digit password each time she wanted to change a setting, and that password would be unique to each user and machine. Unfortunately, that standard might also result in patients dying. Bringing both groups together to make the best collective decisions is a critical “soft” aspect of medical device cybersecurity.
The network should be regularly updated with security patches and routinely subjected to vulnerability scans. Proactively identifying and resolving potential risk areas is crucial to maintain a functional network.
Following this three-tiered approach to medical device cybersecurity risk assessment will help your organization establish a solid foundation for patient and provider safety. Stay up to date with the latest regulations, then regularly review physical risks and cyber vulnerabilities at both the individual and network levels.