April 11, 2022

by Christian Hess, senior cyber support specialist 

Executive Summary 

During the CHIME Spring Forum presented at ViVE 2022, TRIMEDX hosted a focus group regarding the challenges with medical device cybersecurity and best practices when implementing and managing a medical device vulnerability management program. The focus group was attended by CTOs and CISOs from healthcare organizations and hosted by TRIMEDX’s LeAnne Hester (Chief Marketing & Solutions Officer), Scott Trevino (Senior Vice President, Cyber), and Christian Hess (Senior Cyber Support Specialist). 

Focus group attendees outlined a series of challenges that can be categorized as people, process, and technology. These challenges included inventory visibility, program investment, staffing, silos, and aggregation. Creative solutions must be found for these challenges, and those solutions must be part of a closed-loop system that provides total visibility to the program. Without the effective implementation and integration of people, process, and technology, programs face roadblocks to effectively managing their medical device cybersecurity risk.

Since WannaCry shook the healthcare industry in 2017, hospitals have endeavored to adapt to a new landscape regarding cybersecurity. With ransomware and cyberattacks making news headlines across the globe, patients have more visibility, knowledge, and concern over their healthcare provider’s cyber risk exposure. At the same time, healthcare organizations have encountered the challenges of implementing programs and integrating with technologies that can help them manage their medical devices.

Challenge 1 – Visibility

One of the challenges faced by focus group attendees was achieving enough visibility into, and aggregation of, the medical device inventory to begin scoping and defining the needs of a medical device cybersecurity management program.

Medical devices have unique challenges when compared with traditional IT/IoT security. These assets are usually removed from traditional group policies and remote patching tools due to concerns like availability or interoperability. In addition, because IT does not manage these devices, the inventory can become fragmented across multiple databases and departments.

These challenges create a lack of visibility when compared to traditional IT/IoT security.

Many innovative technologies on the market seek to close this gap. Collectively referred to as MDSPs (Medical Device Security Platforms), these products aim to provide visibility to medical devices and their associated risks on the hospital network.

These tools, which provide real-time monitoring and anomaly detection, can be combined with accurate medical device inventories or SOC (Security Operations Center) providers to build a solid foundation for vulnerability management and incident response programs by providing more visibility to your clinical asset inventory.

Challenge 2 – Investment  

However, the tools needed to power medical device cybersecurity programs have a cost. 

Another challenge outlined was the difficulty in securing organizational investment for medical device cybersecurity programs and technologies before an attack occurs. While this is a common problem for IT security, medical device vulnerability management programs face an additional hurdle: funds for medical device cybersecurity can bite into patient care budgets for capital equipment or maintenance that are viewed as having a more direct patient impact. This, coupled with the rising cost of cybersecurity insurance premiums and their requirements, can create investment challenges. On the other hand, a robust cybersecurity program may be a benefit from an insurance perspective.

The focus group attendees outlined the importance of framing medical device cybersecurity as a patient safety issue to help overcome this perception. In the modern environment, where there are infusion pump vulnerabilities that can be used to over/under infuse patients, change implanted medical device configurations, or even cause universal power supplies to catch fire, these programs must be framed as more than just securing devices against ePHI breaches. 

Organizations may also find success here by framing the conversation as a move from CapEx to OpEx. By increasing technology or process efficiencies in clinical engineering programs, prolonging the effective life cycle of medical equipment, and integrating cybersecurity into capital planning, significant savings can be generated. These savings could then be used to assist in funding for medical device cybersecurity programs within the organization.

Challenge 3 – Staffing

Finding a good MDSP is a strong start, but it is not enough on its own.

Personnel must be trained not just to design and manage a medical device cybersecurity program, but to execute it as part of a Clinical Engineering program. Activities such as OEM (Original Equipment Manufacturer) patch validations, SOC staffing, compensating controls, and prioritizing the most efficient methods of risk reduction must be done by security professionals who are not only experts in cybersecurity but are also familiar with an organization’s environment of care and Clinical Engineering.

The scope of such a program also provided challenges for focus group attendees, who were concerned that even with relevant technology integrations and mature procedures, they would have difficulties staffing the program in a way that would meaningfully execute its goal of medical device risk reduction.

Solutions such as TRIMEDX’s CYBER Advanced offering bridge this gap by layering a comprehensive medical device vulnerability management program on top of a world-class Clinical Engineering service. With dedicated CYBER SMEs, MDSP integrations, and custom remediation and mitigation instructions executed by clinical engineers, TRIMEDX helps reduce the challenge of staffing an in-house medical device cybersecurity program.

Challenge 4 – Silos

Focus group attendees also expressed concern that as medical devices become more connectable, the traditional roles and structure of clinical engineering will have to change and adapt to meet security needs. One of the ways attendees had seen this occur in their facilities was an ever-increasing need for clinical engineering to report to the CIO/CISO and integrate into existing processes, playbooks, and governance structures.

Some attendees had implemented similar organizational realignments and noted an improvement in managing medical devices from the time they entered the environment to the time they were dispositioned. This includes pre-purchase risk assessments, ensuring baseline configurations before use during patient care, and having cybersecurity staff engaged in capital purchases. The attendees also expressed a desire to better manage equipment disposition and ePHI tracking, which can be a challenge when visibility to the equipment is low or departmental silos make it difficult to monitor.

The importance of cross-silo partnerships is highlighted in incident response processes, which typically gather many organizational stakeholders together with IT. This becomes even more important when a medical device is involved. Attendees acknowledged that integrating cybersecurity medical device professionals into the organization’s governance and incident response plans is a crucial aspect of a medical device cybersecurity program.

Challenge 5 – Creating a Closed Loop

Even when the above challenges can be addressed, healthcare organizations would still be left with taking all these disparate sources of intelligence and turning the data into meaningful work to reduce medical device cybersecurity risk. 

The transformation of intelligence into action requires a combination of healthcare expertise, cross-departmental process integrations, cybersecurity knowledge… and maybe a few APIs (Application Programming Interfaces).

Joking aside, the importance of a centralized team managing all these intelligence streams cannot be overstated. Knowing what vulnerabilities and risks impact your inventory is only half the battle. Turning that knowledge into organizationally specific mitigations or remediations which are in tune with your organization’s risk appetite and posture is a herculean effort.

A medical device cybersecurity support team should be plugged into all medical device technology integrations and related work processes. In addition, these tools should be integrated with your inventory CMMS (Computerized Maintenance Management System). By doing so, and ensuring your most powerful tools are communicating, the program can more efficiently reduce risk by utilizing economies of scale across your healthcare organization.

A properly enabled team should be able to monitor, detect, and respond to cybersecurity threats more quickly when granted the appropriate level of visibility across organizational processes. 
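As an added example (not code from the TRIMEDX post or any TRIMEDX product), the script below shows the visibility gap from Challenge 1 and the closed loop from Challenge 5 in one pass: it joins an MDSP discovery feed with a CMMS export on normalised MAC address, lists devices seen on the network but missing from the CMMS (and vice versa), and turns vulnerability intelligence into CMMS-addressable work items. All device records, the advisory identifier and the mitigation text are constructed placeholders.

```python
# Added example, not TRIMEDX code: reconcile MDSP discovery with a CMMS export
# and turn vulnerability intelligence into CMMS work items. All data constructed.

# Constructed MDSP feed: what network discovery saw (keyed by MAC address).
MDSP_FEED = [
    {"mac": "AA:BB:CC:00:00:01", "ip": "10.20.1.11", "model": "Infusion Pump X1"},
    {"mac": "AA:BB:CC:00:00:02", "ip": "10.20.1.12", "model": "Patient Monitor M2"},
    {"mac": "AA:BB:CC:00:00:03", "ip": "10.20.1.13", "model": "Infusion Pump X1"},
]
# Constructed CMMS export: what clinical engineering has on record (keyed by asset tag).
CMMS_EXPORT = [
    {"asset_tag": "CE-1001", "mac": "aa-bb-cc-00-00-01", "model": "Infusion Pump X1", "dept": "ICU"},
    {"asset_tag": "CE-1002", "mac": "aa:bb:cc:00:00:02", "model": "Patient Monitor M2", "dept": "ICU"},
    {"asset_tag": "CE-1003", "mac": None, "model": "Ventilator V9", "dept": "ICU"},
]
# Constructed vulnerability intelligence; the advisory id is a placeholder, not a real CVE.
VULN_INTEL = [
    {"id": "ADVISORY-PLACEHOLDER-1", "model": "Infusion Pump X1", "severity": "critical",
     "mitigation": "isolate to clinical VLAN; schedule OEM-validated patch"},
]

def norm_mac(mac):
    """Different tools format MACs differently; normalise before joining."""
    return mac.lower().replace("-", ":") if mac else None

def reconcile(mdsp, cmms):
    """Join on MAC. Returns (matched, seen_but_untracked, tracked_but_unseen)."""
    by_mac = {norm_mac(r["mac"]): r for r in cmms if r["mac"]}
    matched, untracked = [], []
    for dev in mdsp:
        rec = by_mac.pop(norm_mac(dev["mac"]), None)
        (matched if rec else untracked).append({**dev, **(rec or {})})
    # Leftovers with a MAC were never seen; records with no MAC cannot be seen at all.
    unseen = list(by_mac.values()) + [r for r in cmms if not r["mac"]]
    return matched, untracked, unseen

def work_items(matched, untracked, intel):
    """Closed loop: every network-visible device ends up as a CMMS-addressable action."""
    items = [{"asset_tag": None, "mac": d["mac"], "priority": 1,
              "action": "add to CMMS inventory"} for d in untracked]
    for adv in intel:
        for dev in matched + untracked:  # untracked devices still need the mitigation
            if dev["model"] == adv["model"]:
                items.append({"asset_tag": dev.get("asset_tag"), "mac": dev["mac"],
                              "priority": 0 if adv["severity"] == "critical" else 2,
                              "action": adv["mitigation"], "advisory": adv["id"]})
    return sorted(items, key=lambda i: i["priority"])  # critical work first, stable order
```

In a real deployment the two inputs would come from the MDSP and CMMS APIs, and the third list would be your vulnerability content library; the join logic and the "seen but untracked" bucket are where most inventory surprises show up.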

Alternatively, partnering with an offering like TRIMEDX’s CYBER Advanced program allows you immediate access to a skilled and experienced team of medical device cybersecurity professionals, medical device cybersecurity content libraries, and risk management tools which can help paint a clearer path to your organization’s preferred risk posture. 

Closing Thoughts

The attendees of the CHIME focus group hosted by TRIMEDX shared challenges and best practices that had helped their organizations move along a medical device cybersecurity maturity curve. But the nature of cybersecurity does not allow comfort or stagnation. New vulnerabilities are being released in record numbers. The number of connected devices continues to increase.  

This means the risk for organizations continues to grow. 

By effectively integrating their people, processes, and technology around a closed-loop system for medical device cybersecurity, healthcare organizations can improve their risk posture and provide an additional level of protection for their patients’ privacy and care. Without bringing all the pieces of such a system together, it can be difficult to meet organizational expectations around risk reduction and security posture.

To lead the healthcare industry’s post-WannaCry transformation, TRIMEDX will continue to explore and develop medical device cybersecurity offerings and partnerships with healthcare organizations. This includes fostering conversations like the CHIME focus group.

Just like our customers, we believe that the future of safe and secure patient care must involve a mature medical device cybersecurity program.