Connected medical devices have revolutionized patient care and experience. However, the use of these devices to handle clinical and operational tasks has made them a target for attackers looking to profit off of valuable patient data and disrupted operations. In fact, when Palo Alto Networks scanned more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations, it found that 75% of them had at least one vulnerability or security alert.
Besides being difficult to protect, these connected devices present challenges when it comes to complying with the security requirements of laws such as the Health Insurance Portability and Accountability Act (HIPAA). Luckily, there are several strategies hospitals can leverage to bolster their defenses. Here are five actionable ways hospitals can help secure medical devices and provide life-saving patient care without disruption.
1. Maintaining Vigilant Visibility
Developing a zero-trust (ZT) security approach is critical to defend against today’s sophisticated attacks, but the first step is establishing complete visibility of all assets across the network. Infosec and biomed teams need a comprehensive picture of all the assets being used on a hospital’s network, and of how many are connected medical devices, to get a clear understanding of their points of vulnerability. To truly enforce a ZT approach, teams must then go beyond the device level and identify the main applications and key components that are running underneath the operating system. For example, insight into applications such as electronic health records (EHRs) and picture archiving and communication systems (PACS), which process Digital Imaging and Communications in Medicine (DICOM) and Fast Healthcare Interoperability Resources (FHIR) data, and into other business-critical applications can improve the overall visibility posture of assets.
2. Identifying Device Exposures
Many devices are linked to different vulnerabilities that fall under two categories: static and dynamic exposures. For example, static exposures typically consist of Common Vulnerabilities and Exposures (CVEs) that can be independently addressed. In contrast, dynamic exposures can be found in how devices communicate with each other and where they send information (within the hospital or to third parties), making them more challenging to identify and address. Luckily, artificial intelligence (AI) and automation will play an increasingly important role in helping hospitals identify these exposures by providing data-driven insights and proactive recommendations on how to remediate them more efficiently.
3. Implementing a Zero-Trust Approach
Once hospitals have a clear grasp of their assets and exposures, they can embrace a ZT approach by limiting access to vulnerable devices and applications. By separating devices and workloads into microsegments, administrators can better manage security policies based on least privilege access. This can help hospitals reduce their attack surfaces, improve breach containment, and strengthen regulatory compliance by placing devices onto various segments with different requirements and security controls. For example, if a computer is compromised within the hospital, microsegmentation can limit the damage to that specific device without impacting medical devices critical to patient care.
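The following added example (not from the original article or any vendor product) shows how a default-deny, least-privilege segment policy can be applied to observed network flows. It catches both a cross-segment connection and the kind of dynamic exposure described in section 2, a device sending data to a third party. The segment ranges, allow-list, ports and flow records are all constructed assumptions.

```python
"""Added example: default-deny microsegment policy applied to observed flows."""
import ipaddress

# Constructed segment map (assumption): CIDR range -> segment name.
SEGMENTS = {
    "10.20.0.0/24": "infusion-pumps",
    "10.30.0.0/24": "imaging",
    "10.40.0.0/24": "clinical-apps",   # EHR and PACS servers
    "10.50.0.0/24": "workstations",
}

# Least-privilege allow-list: (source segment, destination segment, dst port).
# Anything not listed here is denied.
ALLOW = {
    ("infusion-pumps", "clinical-apps", 443),  # pump -> EHR/FHIR over TLS
    ("imaging", "clinical-apps", 104),         # modality -> PACS (DICOM port)
    ("workstations", "clinical-apps", 443),    # staff -> EHR
}

# Constructed flow records: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.20.0.11", "10.40.0.5", 443),
    ("10.30.0.7", "10.40.0.9", 104),
    ("10.50.0.23", "10.20.0.11", 23),     # workstation reaching a pump directly
    ("10.20.0.12", "203.0.113.40", 443),  # pump sending data outside the hospital
]

def segment_of(ip):
    """Map an IP address to its segment; unknown ranges count as external."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "external"

def evaluate(flow):
    """Return the policy verdict for one flow under default deny."""
    src, dst, port = flow
    s, d = segment_of(src), segment_of(dst)
    if (s, d, port) in ALLOW:
        return "allow"
    if d == "external":
        return "deny: third-party destination"
    return "deny: not in allow-list"

def review(flows):
    """Pair every flow with its verdict so denied flows can be triaged."""
    return [(f, evaluate(f)) for f in flows]

if __name__ == "__main__":
    for flow, verdict in review(FLOWS):
        print(flow, "->", verdict)
```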
4. Rolling Out Virtual Patching for Legacy Systems
Medical devices have been in use at hospitals for over a decade and, as such, often run on legacy software and systems. Because of their use requirements, hospitals may not be able to upgrade or patch these specialized medical systems, which can lead to a variety of unique security issues. Additionally, hospitals may not be able to afford to take devices offline to update or patch them, given the risk of loss of care for the patient. As hospitals adopt a ZT approach, they can invest in other forms of protection, such as virtual patching, to reduce medical device exposures. For example, tools like next-generation firewalls can apply defenses around the device’s network and application layers without needing to physically touch the device.
5. Instituting Transparency Across the Ecosystem
Communication and transparency are critical to preventing threats from the start. Hospital CSOs and infosec teams must be included in the device procurement process because they offer a critical perspective on how to best protect devices throughout their life cycles. Hospitals, security teams, vendors, and device manufacturers must work together to create solutions and strategies that keep security at the forefront of a medical device’s defense. Historically, when hospitals were under attack, security teams worked together to defend against attackers. However, post-attack, the information stayed between the security teams and hospitals, with very little information (if any) going back to inform the device manufacturer about how they could improve their devices’ security. Hospitals must be more proactive when it comes to sharing direct feedback with device manufacturers on areas for improvement.
Ultimately, as cybersecurity policies continue to evolve for medical devices, there are ways in which we can create solutions to solve security challenges both now and in the future. Regardless of the unknowns, we can make a more proactive effort to ensure we’re enabling a shift-left approach to security and fostering a culture of cyber resiliency for the medical community.