Exploring the Challenges of Medical Device Security Today

By Troy Ament, Healthcare CISO, Fortinet
Twitter: @Fortinet

The exponential growth of IoT and medical devices across the healthcare sector has increased the attack surface of these organizations. Ransomware attacks continue to grow in volume and scale, with increased impact to connected medical devices, patient care/safety, and exposure to large global integrated health delivery systems. Patients have recognized significant care impacts such as rescheduled surgeries, increased wait times, delayed test results and challenges filling prescription medications.

Threats to medical devices aren’t theoretical; they are happening with astonishing regularity, whether the target is a large diagnostic machine, a treatment system or any number of devices used for patient monitoring and management. There’s risk for the computers attached to hospital networks and even for devices connected to building systems like the HVAC in a healthcare organization. The attacks we hear about underscore the vulnerability of these critical devices, and there are likely just as many, probably more, that we never hear about publicly.

Today’s healthcare delivery organizations have an urgent mandate to make sure they have visibility into every connected device and safeguards in place to protect operations and patient care from the potential risks they pose. This is a noble but complex goal; how can healthcare IT professionals make it a reality?

The new challenges of medical IoT

The expanding number of medical and IoT devices creates more potential vectors for attack. Organizations are dealing with hundreds of thousands of devices. One integrated healthcare association with multiple locations might have as many as 350,000 devices connected at any given time – of which 40,000 or more might be medical devices. And these numbers continue to increase. Such organizations are also grappling with challenges similar to those of almost any other organization that has been around for a while: legacy technology and consolidation.

Part of the challenge is that medical devices are different from general IoT devices like cell phones. They are typically more fragile, employ unique protocols and may even be linked to patients, making standard discovery and mitigation techniques potentially ineffectual or disruptive. To set safe, secure access policies and corrective measures, organizations need extensive expertise to be able to recognize these various devices and comprehend the part they play in clinical workflows and patient care.

What healthcare IT leaders need to consider

The job of a CISO is to make sure that the attack surface is minimized so nothing can happen to the medical devices in a way that would impact patient safety. This needs to be done while determining how to make all these different technologies – including disparate products that might be coming online – as usable and efficient as possible for hospitals and healthcare organizations and the people using these products and solutions.

These devices are adding new connection points and increasing the potential attack surface; there’s an exponential effect to managing them. In addition, organizations are struggling with circumstances like the ongoing nursing shortage and resulting employee burnout. So then, there’s a real imperative to use these new products in the best way possible to make operations more efficient and improve patient care.

Making sense of the FDA’s new guidelines

In a promising development, the FDA will now require medical devices to meet specific cybersecurity guidelines. Under this guidance, all those who apply for new medical device approval must submit a plan describing how to “monitor, identify and address” cybersecurity issues. They will also need to create a process that offers “reasonable assurance” that the device is protected.

Device makers must also regularly offer security patches and updates, including in critical situations, and give the FDA a software bill of materials (SBOM), including any open-source or other software the device uses.

This will have a positive impact on vulnerability management. Once you publish your SBOM, you can leverage a concept called VEX, which is short for vulnerability exchange. If a vulnerability comes out at noon today, the information security team that controls the vulnerability management system can evaluate the impact of that vulnerability on the medical device in question. That VEX document can then be published and shared.

So, instead of a thousand customers calling in to check on the impact of a vulnerability, medical device vendors can publish a VEX document that those thousand individuals can read. This means an almost automated update of vulnerabilities and their impact. Obviously, the VEX document would be able to detail the manufacturer’s compensating controls and other important details. The VEX’s ability to prioritize all this information will improve the entire industry and how organizations work with third parties.
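The SBOM-plus-VEX workflow described above can be shown end to end with a small script. The example below is added for illustration and is not code from the original article or from Fortinet: it correlates a constructed SBOM (which components each device model ships) with a constructed advisory, then applies the manufacturer's VEX (Vulnerability Exploitability eXchange) statements so that the healthcare security team only acts on devices where the vulnerable code is actually exploitable. The device names, component versions, advisory id and VEX payloads are all invented, and the documents are simplified rather than following any standard's exact schema; only the status vocabulary (affected, not_affected, fixed, under_investigation) is borrowed from OpenVEX.

```python
"""Correlate a constructed SBOM with a vulnerability advisory, then apply
VEX statements to decide which devices actually need action.

Added example code, not from the original article. The SBOM, advisory and
VEX below are constructed and simplified; they do not follow any real
standard's exact schema. Status names are borrowed from OpenVEX.
"""
import re

# Constructed SBOM: device model -> list of (component, version) it ships.
SBOM = {
    "infusion-pump-A": [("openssl", "1.1.1k"), ("busybox", "1.33.0"), ("pumpctl", "4.2")],
    "patient-monitor-B": [("openssl", "3.0.8"), ("zlib", "1.2.13")],
    "imaging-station-C": [("openssl", "1.1.1k"), ("zlib", "1.2.11")],
    "lab-analyzer-D": [("openssl", "1.1.1n")],
}

# Constructed advisory: versions of the component strictly below
# "affected_below" are vulnerable. The id is a placeholder, not a real CVE.
ADVISORY = {
    "id": "EXAMPLE-2023-0001",
    "component": "openssl",
    "affected_below": "1.1.1u",
    "severity": "high",
}

# Constructed VEX from the device vendor. A device that ships the vulnerable
# version is not necessarily exploitable; the vendor states that per product.
# lab-analyzer-D deliberately has no statement yet.
VEX = {
    "imaging-station-C": {
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
    },
    "infusion-pump-A": {
        "status": "affected",
        "action": "firmware 4.3 ships 1.1.1u; segment on clinical VLAN until applied",
    },
}

# Lower rank = handle first when prioritising remediation work.
STATUS_RANK = {"affected": 0, "under_investigation": 1, "fixed": 2, "not_affected": 3}


def parse_version(version):
    """Turn '1.1.1k' into ((1,''), (1,''), (1,'k')) so tuples compare sanely,
    including OpenSSL-style letter suffixes."""
    parts = []
    for piece in version.split("."):
        m = re.fullmatch(r"(\d+)([a-z]*)", piece)
        if not m:
            raise ValueError("unsupported version string: %r" % version)
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def find_exposed(sbom, advisory):
    """Return {device: shipped_version} for every device whose SBOM lists the
    advisory's component at a version inside the affected range."""
    cutoff = parse_version(advisory["affected_below"])
    exposed = {}
    for device, components in sbom.items():
        for name, version in components:
            if name == advisory["component"] and parse_version(version) < cutoff:
                exposed[device] = version
    return exposed


def prioritise(exposed, vex):
    """Merge SBOM exposure with the vendor's VEX statements and order the
    result so that confirmed-exploitable devices come first. A device with no
    VEX statement defaults to under_investigation: exposed until told otherwise."""
    rows = []
    for device, version in exposed.items():
        statement = vex.get(device, {"status": "under_investigation"})
        rows.append({
            "device": device,
            "version": version,
            "status": statement["status"],
            "note": statement.get("action") or statement.get("justification", "awaiting vendor VEX"),
        })
    return sorted(rows, key=lambda r: STATUS_RANK[r["status"]])


if __name__ == "__main__":
    for row in prioritise(find_exposed(SBOM, ADVISORY), VEX):
        print("%-18s %-8s %-20s %s" % (row["device"], row["version"], row["status"], row["note"]))
```

Run stand-alone, the script lists the infusion pump first (vendor confirms it is affected), the lab analyzer second (exposed per SBOM, no VEX statement yet, so it stays on the worklist), and the imaging station last (same vulnerable version, but the vendor's VEX says the code path is not reachable, so no emergency change is needed). The patient monitor never appears because its SBOM shows a version outside the affected range. That ordering is exactly the "thousand customers don't have to call" effect the article describes: one published VEX removes the imaging station from every customer's urgent queue.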

Toward greater health care security

Medical device security plays a crucial role in safeguarding the healthcare system. The increasing number of IoT and medical devices exposes healthcare organizations to ransomware and other cyber-attacks, impacting patient care and safety.

Healthcare IT professionals face the challenge of managing a growing number of devices and legacy technology. The FDA’s new cybersecurity guidelines and the concept of vulnerability exchange offer promising solutions for improving vulnerability management and information sharing. Prioritizing medical device security is essential for enhancing patient safety and ensuring efficient healthcare delivery.