Medical devices connected to hospital networks haven’t yet been the source of high-profile catastrophic cyberattacks in the United States. But the vulnerability to such attacks is leading to many sleepless nights for health system chief information officers and chief information security officers.
When Salt Lake City-based KLAS Research and CHIME (the College of Healthcare Information Management Executives) partnered to interview healthcare IT executives in 2018 about medical device security, only 39 percent of respondents said they were very confident or confident that their current strategy protects patient safety and prevents disruptions in care.
The survey found that 18 percent of provider organizations had medical devices impacted by malware or ransomware in the last 18 months. The CIOs and CISOs surveyed estimated that the average number of connected medical devices on their network was just under 10,000 and that one-third of them were “unpatchable.”
In addition, 76 percent reported that their resources are insufficient and too strained to adequately secure medical devices. Almost half cited poor asset and inventory visibility as a top organizational factor, followed by ambiguous security ownership and responsibility.
KLAS recently published a Healthcare Internet of Things (iOT) Security report looking at health system priorities when working with vendors on medical device security. “Most hospital organizations have thousands of medical devices,” said Joe Van De Graaff, KLAS’ vice president for digital health and security. “The number of entry points is almost infinite. The solutions out there today will help you gain visibility.”
The primary pain points are uncertainty and fear, he said. “It is one thing to have a concern about security, but it is a next-level concern to have fear about a medical device attached to a patient being hacked. It becomes very personal.”
“For many health systems, deploying these solutions is a ‘turn on the lights’ moment, because they haven’t had this kind of visibility before,” said Van De Graaff. There is this defined need, and now provider organizations are deciding which vendor partner they should go with and whether they should outsource it as a service with the vendor actually managing the devices.”
Another emerging purchasing driver is tracking device utilization, he said. As CISOs, CIOs and biomedical directors start using these asset management solutions, they realize they cannot just identify what is on the network and at risk, they can also better utilize these medical devices so perhaps they don’t have to purchase additional equipment.
The stakeholder driving these efforts could be the CISO, biomedical engineering or the information technology department. “It is becoming more common that the different stakeholders collaborate with each other,” Van De Graaff said. In addition, most are looking beyond just the medical devices to all types of iOT devices. “It is becoming a shared initiative,” he added. “They are saying, ‘If we need to track medical devices, we need to do the same for our HVAC system and other devices on the network.’ It is becoming apparent that while medical devices tend to be one of the first ripples in the water, most organizations are seeking to handle non-medical devices as well.”
No longer a back-burner issue
The good news is that many health systems are making concerted efforts to bolster their medical device security programs. At the recent CHIME Fall Forum, Rick Lang, vice president and CIO of 232-bed Doylestown Hospital in Pennsylvania, described how he and his team deployed a comprehensive medical device cybersecurity strategy to create policies, procedures and training. Doylestown is creating a cross-functional cybersecurity program backed by a robust set of cybersecurity technologies.
One challenge has been that CIOs are not traditionally used to dealing with medical devices as part of their oversight. It has been the responsibility of biomedical engineering. “It has been a back-burner issue, but no longer due to the sweeping impact an attack could have,” Lang said. For instance, if cardiovascular services were comprised for any period of time, it could have a huge impact on patient care and finances, he said.
When determining how they would address the issue, Doylestown realized they didn’t just want to buy software; they needed help tying together compliance, detection and response.
In terms of compliance, they needed to develop policies, best practices and governance specific to medical device cybersecurity; they wanted the ability to detect attacks against medical devices 24x7 and they needed help with identifying potential risks with medical devices; and in the event of an attack, they wanted to be sure that they could respond effectively.
They chose to work with a vendor, Sensato, that had a single solution to help with compliance best practices and policies and detection through a robust software platform. The company is responsible for 24x7 monitoring by a security operations center and medical device incident response program. Now Doylestown’s medical devices are “fingerprinted” and catalogued into a comprehensive asset management system.
“The first thing we did was revise our business associate agreement to make sure purchasing spelled out our policies and companies complied with them,” Lang explained. “For instance, if a company gets breached, they have to notify us within 24 hours, and they must respond to any request we give them for information about that breach. We also require that they do a cyber risk assessment and vulnerability testing annually and that we get access to the results. We haven’t had anybody not sign it yet.”
In terms of asset management, Doylestown had to identify all medical device resources, then prioritize scanning for vulnerabilities based on risk thresholds. “We prioritized in order of impact on patients and operations,” Lang said. “When we get the scan results back, our biomedical team has to work with the vendor and IT on remediation and patching. We set up firewalling or quarantining of end-of-life (EOL) devices or a patch, and/or deploy other mitigating technologies to help us get through that deficiency.”
Staff engagement is crucial, Lang said. Sensato created a 30-minute class for staff members about why this is important and why they need to be involved. They try to develop real examples involving actual devices Doylestown uses, such as smart pumps or telemetry. “We can go over scenarios on how to detect an anomaly. For example, if every smart pump on the floor is not working, that should set off an alarm,” he said. Incident response to a medical device cyberattack is a new process, Lang said. “It requires strong coordination with those disciplines outside of IT. Nurses have to understand the patient safety ramifications. This is an evolving process and will take some effort before we have a full incident response program for medical devices.”
Lang’s advice to other CIOs is to segment their local area networks and get the medical devices off the hospital LAN. “If one-third of those devices are EOL or ‘unpatchable,’ you don’t want them on your hospital LAN. If your network is segmented, an attack on a medical device is effectively localized and you are able to shut down or ‘park’ those devices.”
“We now have a solid asset management system for medical devices,” Lang said. “We have changed the way we do things with medical devices, but we still have a long way to go. We have good policies in place now, and it is time to execute. We are on the right track.”
Gaining visibility
There may be hundreds of medical devices on a hospital network that IT executives aren’t aware of, said Kelly Rozumalski, secure connected health director at Booz Allen Hamilton, so setting up an asset management structure to gain visibility into all the medical devices on your network is an important first step. “Adding a layer of complexity is the addition of remote patient monitoring and sending these medical devices home with patients,” she said.
Rozumalski added that hospital systems have to build closer ties to medical device manufacturers to make sure they are building security in from the beginning. “The fact is that a lot of the devices in use are legacy devices that have been there for years. The issue is that a lot of them cannot be patched, and unfortunately, we are not going to be able to change out all these legacy devices anytime soon. That is not realistic,” she said. “So it is important to identify compensating controls so that we can isolate and protect them. It all starts with visibility into your network.”
The U.S. Food & Drug Administration and the Department of Homeland Security have been working with stakeholders to create an environment of shared responsibility when it comes to coordinated vulnerability disclosures for identifying and addressing cybersecurity risks, she added. “If there is a vulnerability on one medical device, there is no reason why every other manufacturer should not be aware of that vulnerability so they can mitigate it in their systems,” she said. “Coordination and information sharing is crucial.”
Staying on top of patch management at Edward-Elmhurst
She said the clinical engineering team responsible for medical devices has always been under the IT umbrella. Yet 18 months ago, as she and the health system CISO began learning more about potential vulnerabilities of medical devices on the network, they realized the IT team did not have the skills or knowledge to manage security on these devices as they do PCs and servers. “So we started talking to the clinical engineering team about how to get better visibility into the number and status of medical devices,” Lopez said.
In working with the device vendors, the Edward-Elmhurst team found some weren’t very advanced in terms of cybersecurity, so figuring out where they were in term of patch management was an important first step, and the health system sought help from an outside vendor. “We started talking with Trimedx about how they could help us manage this better and get our IT team the skill set to manage this better.”
Trimedx helped Edward-Elmhurst complete a comprehensive asset inventory. They found they had 22,924 total devices and 4,272 connected devices. “We comprehensively tracked all physical connectable devices on the network,” Lopez said. “They are accessible via Trimedx’s clinical asset informatics platform. We had 50 different ambulatory locations, and there are lots of assets in these ambulatory locations. That was an eye-opener for me.”
Trimedx and Edward-Elmhurst now work together on patch management to reduce risk. Onsite Trimedx cyber specialists filled the gap of clinical engineering and cybersecurity expertise that they didn’t have in-house. They communicate with the vendors and serve as a critical link in a comprehensive security strategy. “They are an extension of our team and meet with us weekly,” Lopez said. “They are integrated with our IT and clinical engineering team and meet with the CISO three times per week.”
The change also has sped up the process of doing initial risk assessments on new devices being deployed by streamlining the assessments by IT and clinical engineering and getting the piece of equipment out to operations faster.
Now Lopez and the CISO have a dashboard they can show to the audit and compliance committee and the executive council. It shows the progress they have made on an 18-month journey to having a much better handle on device inventory, patch management and compensating controls. “We have made a lot of progress in a short period of time,” she said. “I don’t worry about this like I used to. It has made life better for our organization.”
“The greatest win of all was that we used to have biomedical cybersecurity as one of our top 15 things on our enterprise risk list,” she said. “This was a daunting challenge. But as of September it was removed from that list. That is a good story to tell.”
Taking a New Approach to Cybersecurity Risk Assessments
Medical device security is just one aspect of a holistic cybersecurity program. Smaller community hospitals often struggle to find the financial and staffing resources to do an adequate job. But it is possible to bolster your defenses.
In his presentation to the CHIME Fall Forum, Neece noted that traditional security information and event management (SIEM) software solutions can be complicated and costly for small community-based hospitals to deploy. The lack of integration and usability can drive a high cost of ownership, he said, and it can be difficult to translate the results into something that non-technical personnel can use.
In addition, he said, working with vendors that are not specific to the healthcare sector can create a laborious contracting process and lead to key needs being missed and delayed implementations. “In addition, it may take months to implement a solution and achieve results,” Neece said. After an evaluation process, Lake Regional chose to work with Sensato, which has a holistic cybersecurity program, including real-time 24x7 network intrusion detection.
One of the first steps of creating a cybersecurity program is risk assessment. But a challenge CIOs and CISOs face is that it can be difficult to make measurable progress on cybersecurity preparedness and demonstrate it to an executive team or board in non-technical terms. “The results of a traditional risk assessment are usually complicated, even overwhelming,” Neece said, “reducing the value of the assessment.”
To develop a strategic roadmap, Lake Regional embraced the U.S. Department of Energy’s Cybersecurity Capability Maturity Model (C2M2), a common set of industry practices grouped in 10 domains and arranged by maturity level. Based on your current status, you get a score assigned for each domain compared with a desired score, based on risk tolerance.
A dashboard view creates a fairly simple way to present their status to the executive team. “You can establish a baseline and then repeat the assessment to easily see your progress,” Neece explained, and tying financials to the tasks allows you to calculate return on investment. “That way you can see where your gaps are and see where you are improving. The dashboard allows everyone to quickly understand where you stand without having any background in technology or cybersecurity. The vendor, Sensato, analyzed Lake Regional’s results and provided them with a prioritization specific to the institution. Together they built a three-year, high-level roadmap based on C2M2 findings.
Neece said once the information was presented in this format, board members were intrigued. “They felt it was insightful,” he said. “Two board members stopped me after a meeting and said they wanted to make sure cybersecurity goes up the list on the agenda in future meetings.”
Neece’s advice to community hospital IT leaders is to make risk assessments like C2M2 the foundation for your cybersecurity priorities and strategy and develop a baseline that you can then measure against.
