It’s important for clinical engineers and biomedical teams to assess their medical device security program and select a risk management solution for their connected devices. But what’s the best way to go about that?
An integrated delivery network, software solution provider, and service provider discussed this topic during the AAMI Summer Learning Series. Cory Brennan, attorney and security adviser at Hall Render Advisory Services, started things off by describing an ideal risk management program.
A risk management program should provide:

- An active, up-to-date inventory of all connected devices, with a rich set of attributes for each device, including its specific risk profile.
- Vulnerability and risk prioritization, which means identifying every active vulnerability affecting a connected device, analyzing how those vulnerabilities could be exploited, and determining what the impact would be.
- The means to contain and segment a device on the network, isolating it from other devices if its risk profile requires it.
- Consistent anomaly and event detection, as well as continuous intrusion monitoring.
- Communication to the health system, so that the right team is notified when anomalous behavior is discovered on the network or from a medical device, the risk factors of that behavior are analyzed, and risk mitigation options are offered right away.
- Assistance with recovery measures after responding to an event or incident, as well as identification of opportunities to improve response time and communication protocols.
“After a program assessment has been completed and the results have been reviewed including any gaps identified, the health system should begin to remediate those gaps and to incorporate security best practices into their overall medical device management program,” said Brennan.
You can then use that program assessment to assemble a team and develop a set of use case criteria for evaluating and selecting a risk management solution. This involves assembling a team of diverse experts, reviewing proposals from a variety of vendors, running demonstrations, performing a final internal evaluation and then awarding a contract.
“One of the things I recommend is to discuss a detailed implementation plan or project plan with the vendor before you sign a contract because that is where you have the most opportunity to leverage what you want out of that partnership,” said Priyanka Upendra, quality and compliance director at Banner Health.
That plan should include where you want to install the solution, the deployment model and the cost. When it’s time for implementation, Upendra recommends a multiphase approach, because it allows for the continuous evaluation of important success factors.
She stated that an effective solution identifies the different medical devices, builds a risk profile around them, consolidates all that data to provide meaningful information, detects anomalies and unauthorized behavior happening on your network, communicates risk recommendations to the stakeholders and enforces policies in your risk mitigation plan.
“From a health system side, one of the suggestions I provide is that you want to plan your processes before you implement a solution, otherwise you’re going to end up with a multimillion dollar, fancy solution that’s giving you huge amounts of data sets, but you don’t know how to use it,” said Upendra.
She also recommends implementing different solutions at pilot sites and assessing the data to determine which solution meets your program and organization’s long-term goals. That will help you determine whether what the vendor is showing in the scripted demonstration is what is truly going to happen.
Shankar Somasundaram, CEO and founder of Asimily, concluded the session by outlining how data from the risk management solution can be used to improve the security posture of the health system.
“What people forget is that medical device risk management is really about vulnerability management,” he explained. “The challenge with medical devices is that not all devices have the same risk.”
Even across devices running the same legacy operating system, the risks may differ. How much risk an unpatched vulnerability actually poses on a given device depends on the exploitability of the vulnerability for that device in that environment, the impact of the vulnerability, how the device is connected, the device’s own security capabilities and any other mitigating security controls around it.
Health systems can use the risk management solution to dig into the root cause of an anomaly. Once an anomaly is detected, they can set rules that take corrective action, and preset rules that establish the root cause and take preventive action so the same anomaly does not recur.
These solutions can also be used to rank vulnerabilities by priority, to patch the device so it runs the latest software version and/or operating system, and to implement workarounds such as network-level authentication where a patch is not available.
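The two preceding passages describe device-specific prioritization (the same vulnerability scored differently on different devices) and the use of workarounds such as network-level authentication when a patch is unavailable. The following script is an added illustration of that reasoning, not code from the article, from Asimily or from any vendor mentioned. The scoring model (zone exposure factors, control reduction factors, the 0.05 residual for an unexposed service, and the action thresholds) is an assumption chosen for clarity, and the device inventory and the two vulnerabilities are constructed sample data with placeholder identifiers, not real CVEs.

```python
"""Context-aware vulnerability prioritization across a medical device inventory.

Added example; the scoring weights and the sample inventory below are assumptions
constructed for illustration, not a vendor's method or real device data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str           # placeholder label for the sample data, not a real CVE
    base_severity: float   # CVSS-style base score, 0.0 .. 10.0
    affected_os: str
    service: str           # network service through which it is exploited


@dataclass(frozen=True)
class Device:
    name: str
    os: str
    network_zone: str            # "isolated", "clinical_vlan" or "flat"
    exposed_services: frozenset  # services reachable from the network
    controls: frozenset          # compensating controls in place on/around the device
    patient_impact: int          # 1 (informational) .. 5 (life-sustaining)
    patch_available: bool        # vendor-validated patch exists for this model


# Assumed exposure factor per network zone: a flat network gives full reachability.
ZONE_EXPOSURE = {"isolated": 0.2, "clinical_vlan": 0.6, "flat": 1.0}

# Assumed control -> (services it mitigates, or None for all; fraction of exploitability removed).
CONTROLS = {
    "segmentation_acl": (None, 0.5),
    "host_firewall": (None, 0.3),
    "nla": ({"rdp"}, 0.7),   # network-level authentication blocks pre-auth RDP exploitation
    "smb_signing": ({"smb"}, 0.2),
}


def exploitability(device: Device, vuln: Vulnerability) -> float:
    """0.0 if the device is not affected; otherwise reachability scaled by the controls that apply."""
    if vuln.affected_os != device.os:
        return 0.0
    if vuln.service not in device.exposed_services:
        return 0.05  # residual: service disabled or filtered, only local/physical access remains
    score = ZONE_EXPOSURE[device.network_zone]
    for control in device.controls:
        scope, reduction = CONTROLS.get(control, (None, 0.0))
        if scope is None or vuln.service in scope:
            score *= 1.0 - reduction
    return round(score, 3)


def risk_score(device: Device, vuln: Vulnerability) -> float:
    """Severity x exploitability-in-context x clinical impact, on a 0..10 scale."""
    return round(vuln.base_severity * exploitability(device, vuln) * (device.patient_impact / 5.0), 2)


def recommend(device: Device, vuln: Vulnerability) -> str:
    score = risk_score(device, vuln)
    if score == 0.0:
        return "not affected"
    if score >= 6.0:
        return "patch" if device.patch_available else "isolate (segment/quarantine) until a patch exists"
    if score >= 3.0:
        if vuln.service == "rdp" and "nla" not in device.controls:
            return "workaround: enable network-level authentication, then monitor"
        return "workaround: restrict the service with an ACL, then monitor"
    return "monitor (compensating controls adequate)"


def prioritize(devices, vulns):
    """Ranked (score, device, vuln, action) rows for every affected device/vulnerability pair."""
    rows = [(risk_score(d, v), d.name, v.vuln_id, recommend(d, v)) for d in devices for v in vulns]
    return sorted((r for r in rows if r[0] > 0.0), reverse=True)


def with_control(device: Device, control: str) -> Device:
    """Model applying a workaround (e.g. NLA) and re-score without touching the original record."""
    return replace(device, controls=device.controls | {control})


# Constructed sample inventory: three devices on the same legacy OS, one on a different OS.
DEVICES = [
    Device("infusion_pump", "win7", "flat", frozenset({"rdp", "smb"}), frozenset(), 5, False),
    Device("imaging_workstation", "win7", "flat", frozenset({"rdp"}), frozenset({"segmentation_acl"}), 4, True),
    Device("lab_analyzer", "win7", "isolated", frozenset({"smb"}), frozenset({"segmentation_acl"}), 2, True),
    Device("vitals_monitor", "embedded_linux", "clinical_vlan", frozenset({"https"}), frozenset(), 4, True),
]
VULNS = [
    Vulnerability("SAMPLE-RDP-1", 9.8, "win7", "rdp"),
    Vulnerability("SAMPLE-SMB-1", 8.1, "win7", "smb"),
]

if __name__ == "__main__":
    for score, dev, vid, action in prioritize(DEVICES, VULNS):
        print(f"{score:5.2f}  {dev:<20} {vid:<13} {action}")
```

Running the script ranks the unsegmented, unpatchable infusion pump at the top for both vulnerabilities (isolate it), puts the imaging workstation's RDP exposure in the workaround band (enable NLA), and leaves the isolated analyzer at monitor-only, even though all three run the same operating system. Re-scoring the workstation through `with_control(..., "nla")` shows the workaround dropping it below the action threshold, which is the kind of before/after evidence a team needs to justify a compensating control instead of an emergency patch.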