FoxPointe Security Hub

Cybersecurity Risk and Medical Devices


Brandon Agostinelli – September 12, 2022

Within the healthcare industry, a wide variety of care environments rely on many different types of medical devices to deliver services to patients. As reliance on technology in healthcare continues to grow, information security risk grows with it. The long-term surge in medical device usage, combined with the limited resources organizations have available to manage security risks, has produced an expanding list of challenges and potential avenues of exploitation.

Medical devices are acquired based on the overall value they bring to the organization, including added efficiency for healthcare workers and improved quality of care for patients. These devices come from manufacturers and companies all over the globe, which makes maintaining and servicing them a challenge. In an interview with the Information Security Media Group, industry expert Phil Englert, the Director of Medical Device Security at the Health Information Sharing and Analysis Center (H-ISAC), stated that healthcare organizations (and device manufacturers) are finding it difficult to identify, understand, quantify, and remediate risks associated with medical devices. Security controls and mitigation programs applied to one set of devices may need to be applied differently to another set of devices, even ones that serve similar functions.

Why legacy medical device cybersecurity challenges are especially difficult

Medical devices are built to be long lasting, and they frequently outlive the environment they were initially designed for. As the operating environment around a device evolves (including the methods used by threat actors and the growth of connected technologies), devices that are not properly maintained and secured over time become easier targets for attack. This can be partly attributed to complacency on the part of healthcare organizations as well as device manufacturers. Medical devices that continue to perform their expected clinical functions remain in clinical settings for long periods, while ongoing maintenance and security measures (such as upgrading or replacing unsupported devices) are not emphasized as they should be. Englert states that this may also result from device manufacturers not providing healthcare organizations with valuable and innovative options from a security perspective.

Steps healthcare organizations should consider taking to help improve risk management

Despite the many roadblocks to effectively managing and staying ahead of cybersecurity risks associated with medical devices, there are steps healthcare organizations can take to improve their security posture. Organizations should focus on developing plans to respond to potential security incidents targeting medical devices. Building organizational preparedness, and knowing the continuity steps needed to ensure continued and effective patient care during an incident, should be every organization's priority. Larger organizations with potentially thousands of connected medical devices should place enhanced focus on the devices and service lines identified as most critical. Solutions developed for those critical areas can then be applied to other areas where compatibility exists.

H-ISAC continues to make strides in assisting both the healthcare service delivery and device manufacturing industries in collaborative efforts to enhance security protocols for medical devices, in addition to streamlining processes for managing and addressing new risks that emerge over time.

For additional information about the Information Security Media Group interview with Phil Englert, including the full audio, see the original interview.