By Ty Greenhalgh
The creation and deployment of lifesaving connected medical devices has rapidly expanded in the last few years, giving rise to the term Internet of Medical Things (IoMT).
Each device contains hardware, software, and sensors that gather, store, and transmit healthcare data and confidential patient information over health systems’ clinical network and across the Internet. Unfortunately, these online medical devices are weak links in the network security and have become increasingly attractive to cybercriminals, posing significant risk to patient safety and confidentiality.
While the FDA and HHS are working diligently with medical device manufacturers to increase the cybersecurity and resiliency of new devices, legacy medical devices are plagued with vulnerabilities. Most medical devices cannot support anti-malware to help protect the device and many are using outdated software like Windows 7. Manufacturers are delivering devices with default passwords and configurations to make them easy to access for remote support, but also easy to access by hackers. Traditional network devices like laptops and servers use industry standard protocols for communications, but IoMT devices have myriad unique protocols that traditional security tools cannot understand. Possibly the most compromising limitation is the inability to scan medical devices with traditional security software.
Medical device risk management is evolving slowly, but securing them is incredibly complex. IoMT devices average 14 devices per bed, many of which are mobile, they can’t support anti-virus software, traditional security tools are ineffective, remote accessibility is built in, they run on outdated software, and the HTM, Security and IT departments are not operationally integrated.
Confidentiality, integrity and availability of patient data are paramount, and still breaches occur almost daily in healthcare. While impacting data is devastating to the patient and provider, compromised IoMT device integrity can be catastrophic. Emergency room doctors rely heavily on a CT scanner’s availability and integrity to quickly diagnose stroke patients and determine if a stroke is hemorrhagic or ischemic. A delayed or misdiagnosis due to a compromised CT scanner could easily result in loss of motor functions, brain damage, or even death.
Many IoMT devices interact with the physical world in ways conventional IT devices do not. Infusion pumps regulate the delivery of life sustaining medication. Implanted cardioverter defibrillators deliver electrical shocks and restore the heart to normal rhythms. Hackers have demonstrated vulnerabilities in these types of devices increasing dosages or manipulating shocks that result in sudden death. While these examples are extreme, it is clear that interfering with the stated performance of IoMT devices negatively impacts the quality of patient care and increases the financial risk to the provider.
What is being considered the first cybersecurity death resulting from a hack occurred last September at Dusseldorf University Clinic in Germany. A woman with a life-threatening condition was unable to be admitted to the hospital because hackers had locked down their systems with ransomware. The nearest facility was 32km away and she died in transport.
Most organizations are still managing legacy medical devices as a cost center, a necessary evil, which focuses on maintenance and repair. This is a reactive firefighting approach relying on unintegrated point solutions, spanning multiple departments, that are not designed to positively impact patient experience and safety. The HTM business unit’s transition to customer-focused service and operational efficiency needs to consider the total life cycle and integration of various departments: Clinical Engineering, Finance, Information Technology, Information Security, Compliance, Procurement and Legal.
Risks surrounding medical devices will not magically disappear. The extent to which they are reduced will be a result of deliberate and integrated multi-stakeholder participation. Clinical Engineering, once considered “the team in the basement fixing things”, has recently taken a more active role in this transition. COVID-19 has given HTM and Clinical Engineering a seat at the Emergency Planning table and a platform to establish visibility. Therefore, progressive HDOs are increasing collaboration, implementing a device security plan, exploring leading-edge solutions, and leveraging additional resources in an effort to solve this problem.
Within most hospitals, governance to align cybersecurity between these various departments has not been operationalized. Each department looks at their responsibilities independent of the others. Early adopters on the bell curve are integrating two categories of software solutions to operationalize new organizational workflows in an effort to reduce the risks associated with this problem: Medical Device Security (MDS) and Computerized Materials Management System (CMMS) solutions.
Medical Device Security (MDS):
MDS solutions collect networked device information and apply sophisticated machine learning training models to classify and profile all medical devices on the network. This provides an unprecedented granularity in understanding each device — what it is, how it is configured, and what behaviors it is supposed to exhibit. Once complete, it becomes possible to detect anomalies and create actionable policies, using AI techniques, to regulate and protect your devices and critical data assets, all in real time and at scale.
The very first step in managing and protecting medical devices is identifying and documenting the device to include its purpose and capabilities. Given that there are tens of thousands of networked IoMT devices utilizing different communication protocols, many moving across the wireless network, this is extremely labor-intensive using traditional practices. The new MDS scanning results in finding all IoMT devices on the network immediately. Device data insights include what type of device is detected, its make, capabilities, location, application/port, and behaviors.
Traditional network scanning tools provide limited device information like the MAC and IP address, reducing opportunities for sharing data and integrating department workflow. MDS analyzes network packets which generate rich new data sets benefiting all stakeholders and fostering integrated operations.
Once an organization knows what devices it has, determining the purpose of each device in the enterprise and understanding normal behavior patterns is critical. Mapping normal device communications patterns and baselines will identify anomalous behaviors. Both network and contextual behavior of each device must be understood to determine the exposure of an organization to internal and external threats. Beyond securing the devices, those containing ePHI are required to be identified as a part of a HIPAA Risk Assessment. Security efforts must avoid interfering with critical clinical dataflows. Once organizations have the ability to recognize these clinical workflows, Information Security or HTM can identify anomalies that may negatively impact patient care resulting in direct patient harm.
- Does the device communicate with the manufacturer for updates and patches?
- With what other devices is it communicating?
- Is the device type isolated to communication within the VLAN?
- Are communications normal for this device type?
- Does the device transfer or store ePHI?
- Is the device a Tier I or II type device?
- Which connections are clinical and nonclinical?
The MDS solutions accept inbound vulnerability disclosures, evaluate the HDO’s exposure to these vulnerabilities, and identify response action options to remediate or mitigate each vulnerability according to its level of risk. Below are a few IoMT factors that complicate the analysis of vulnerabilities:
• Unique Protocols
• Dynamic Network Environment
• Risk Assessments
• Risk Scoring
• Traditional Vulnerability Scanning
• Procurement & Supply Chain
• Security Evaluation
• Contract Negotiation
• Software Bill of Materials
Historically, HDO’s have attempted to partition these devices into large network segments that are isolated from general access and/or data center networks. However, simply partitioning all IoMT devices into one network segment fails to achieve the stated goals. Given the required latitude of device requirements and criticality to patient outcomes, these medical device segments often have few network restrictions. Similarly, a walled zoo, without independent cages, lacks control and permits undesirable interaction. It’s important to protect the vulnerable, control the aggressive and contain the infected animals.
MDS allows organizations to leverage their existing security tools to intelligently segment networks. MDS solutions can dynamically generate policies for existing infrastructure such as switches, wireless controllers, firewalls or NAC policy servers to ensure that devices can only interact with other necessary devices enforcing minimum required access.
Computerized Material Management System (CMMS):
CMMS solutions are taking the vast amounts of new device data detail generated by the MDS and making it actionable within new interdepartmental workflows. Leveraging the data from the MDS and CMMS systems can improve asset management, FDA recall response, vulnerability management, utilization management, work orders and contracts.
HTM/Clinical Engineering departments have historically used CMMS to manage their assets (to include IoMT devices) and daily operations. But determining which devices needed software updates or cybersecurity maintenance was nearly impossible. The current operating system version, make, model and known vulnerabilities of the device were not loaded into the CMMS.
HDOs that have discovered how to combine device-level IT Networking data and Information Security data from MDS solutions into the CMMS are experiencing unprecedented return on investments (ROI). Increasing efficiencies in asset management coupled with reductions in risk to patients and data are bringing departments together and revealing that everyone might benefit from these new technologies.
About the author: Ty Greenhalgh has been dedicated to the healthcare information technology and information management industry for over 30 years, He is an ISC2 certified Healthcare Information Security and Privacy Practitioner (HCISPP) and Cybersecurity Officer.