Security Checklist: Use Existing Assets to Manage Medical Device Risk

By Jane Anderson

Most health care institutions can improve the security of medical devices by extending existing technology, educating personnel and introducing cybersecurity best practices to the organization, according to a recent white paper.[1]

The white paper from security firm Cynerio noted that hospitals traditionally have adopted new technologies while underinvesting in cybersecurity protections. In addition, Cynerio pointed out that health care is a profitable sector for cybercriminals.

“With these challenges, there is one fortunate situation often overlooked—the foundation for medical device security is already in place at most institutions,” the white paper said. “By automating inventory and visibility, building on existing processes and technologies, prioritizing vulnerability remediation, and ensuring that basic cyber hygiene is in place, organizations can greatly reduce the risks posed by their growing inventory of medical devices.”

The white paper offered a series of steps organizations can take to improve their medical device security:

  • Get on top of inventory and visibility. To secure a device, Cynerio said, an organization must know its existence and see where it interacts with the network. “Unfortunately, many hospitals still have not completed the basic step of delivering an accurate, up-to-date inventory of their medical devices,” the report said.

    A manually populated spreadsheet or a computerized maintenance management system (CMMS) will not work for this task, the report said. “The only way to have a point-in-time view of the entire inventory is to automate the process through continual scanning of the network to discern what is connected, and where. This gives a hospital visibility into not only what is connected, but also where each device is located.”

    Still, while inventory and visibility are “absolutely necessary first steps,” the white paper said, “institutions should not mistakenly believe that the job of securing devices is finished when all devices are visible. Visibility does not secure devices; it simply makes it possible to secure them.”

  • Clarify organizational roles. Ownership of device security at some hospitals falls under the chief information security officer, while other organizations house the function in other teams, Cynerio said. While there’s no one correct approach, it’s key to clarify roles in advance to ensure that the groups are not working in parallel or at cross purposes, the white paper said.

  • Build on existing processes. This approach helps organizations deal with the challenge of having inadequate staff, the white paper said. Rather than disrupting operations to launch a new medical device security program, organizations can attach security components to existing processes, such as new device setup, maintenance of existing devices and updates to networking infrastructure.

    “For example, it is significantly more efficient to patch devices in batch efforts during setup and routine maintenance than to reactively address time sensitive issues,” the authors wrote. “More broadly, it is far more efficient to segment a network and properly onboard devices than to launch inherently insecure devices into a flat network, a combination known to exacerbate most healthcare cyberattacks.”

  • Build on existing CMMS technology. Almost every hospital has a CMMS system, but the white paper authors contend that few hospitals use their systems to their full potential. “Such tools provide a foundation for growth when it comes to medical device security,” they said.

    When an inventory and visibility tool is integrated with an existing CMMS, “the two solutions work together to automate inventory, enhance data, provide workflow functionality, and provide a holistic view of the inventory from a single pane of glass,” Cynerio said. “When risk reduction and incident response solutions are added, organizations can work through the CMMS to prioritize and execute on.”

    In addition, the authors wrote that many institutions will benefit from seeking out expertise on device security from their in-house or outsourced security operations center, a managed security services provider, providers of device security technology solutions and experts from other industries “who can bring a fresh set of eyes to the challenges faced in healthcare.”

  • Mitigate risk with informed prioritization. According to the white paper, hospitals need two kinds of information about each known vulnerability found in a medical device. The Common Vulnerability Scoring System measures the severity of each vulnerability, while the Exploit Prediction Scoring System measures the likelihood of a vulnerability being exploited.

    “Both measures are critical to effective prioritization of remediation, as a vulnerability that has almost no likelihood of being exploited is a low-priority fix, regardless of severity,” the authors wrote. “Risk reduction tools that take both scores into account enable hospitals to systematically and effectively reduce risk.”

  • Integrate cybersecurity best practices to medical device security. “One of the best ways to protect medical devices is to align security practices with the best practices that are likely already being practiced in other parts of the network,” the authors wrote, noting that “There are any number of guides and checklists that can help institutions confirm that their processes are adequate.”

  • Adopt medical device best practices from other industries. Health care does not need to invent best practices for medical devices since other industries already have done so, the white paper said. “Many of the steps needed to secure a hospital (efficient device patching, microsegmentation, incident detection, etc.) have been developed and perfected by the financial, insurance, and commercial industries over the last decade. Adopting these proven approaches will help avoid the time, effort, and investments already invested by more forward thinking industries.”

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings