MEDICAL DEVICE SECURITY: WHERE TO START?
CE CYBER
Reducing patient safety risks and costly violations
1. https://www.ecommercetimes.com/story/The-Dismal-State-of-Healthcare-IoT-Security-85413.html
Cyberattacks on health technology are on the rise, raising the risks and costs associated with your connected medical devices and the data they hold, and, of course, raising worrying questions about patient safety. Far from isolated incidents, three in four surveyed hospitals were hit with a cybersecurity incident in recent months, report Frost & Sullivan researchers.1
Why is this alarming? With medical devices from MRI scanners to infusion pumps now “talking” with one another across the hospital network and internet, it only takes one vulnerable device to put all other connected devices at risk. Reasonably, those risks extend to the patient data flowing in and through those devices, and even to patients who depend on those assets for their diagnosis and care.
Nationally, TRIMEDX data from 3,700+ healthcare facilities indicates 15–20% of a typical hospital’s entire clinical engineering inventory is directly connected to the network. Without adequate protections, that inventory is an easy target for hacks, breaches and malware on a routine basis.
WHAT’S AT STAKE?
The potential for harm is alarming: Whether intentional or accidental, cyber threats to your medical devices can not only expose or disrupt electronic protected health information (ePHI), but also harm patients through equipment malfunction and/or unavailability.
“There’s at least some self-reported evidence that some patients are being harmed by compromised medical devices,” said Christian Demeff, an ER physician and researcher with the University of California, at a HIMSS Media Security Forum. The argument that patient harm scenarios might be rare isn’t an acceptable justification not to address it, he cautioned.
Just as worrisome, even a single equipment malfunction forcing a hospital to go on bypass and divert patients can result in lost revenue, costly breaches and irreparable harm to the hospital’s reputation.
The challenge here is two-fold: (1) knowing how to secure connected, FDA-regulated equipment without creating new problems, and (2) overcoming complacency or technician burnout to take the first step toward stronger medical device security.
The cybersecurity of your clinical assets is a tall order, to be sure. It’s also insurance against potentially catastrophic outcomes.
BLURRED LINES
To better understand why most providers struggle to get medical device security right, it’s worth recapping the evolution of Clinical Engineering and IT in recent years.
Years ago, lines were clear between the two disciplines: Clinical Engineering managed medical equipment, and IT managed the network and data flowing through it. Then we began connecting medical equipment to the network and sharing their data over the internet, blurring the lines of oversight and responsibility for securing connected devices.
We’ve spent the last several years pursuing interoperability, only to learn much of the connectivity we’ve achieved is riddled with vulnerabilities. Adding to our challenge are unique-purpose devices running countless combinations of hardware, operating systems, software and firmware.
ONE OF THESE THINGS IS NOT LIKE THE OTHER
Here’s the sticking point where many healthcare technology teams fall short: Security solutions that work for conventional machines like your computer or tablet can backfire when applied to medical devices.
That’s because FDA-regulated devices demand specific procedures like manufacturer-validated security patches and remediation solutions to retain their FDA-approved state. No one wants an adulterated medical device in their environment of care.
WHERE TO BEGIN? ESSENTIAL FIRST STEPS
First, let’s clarify the chief goals of medical device security: Secure ePHI and protect patients from harm stemming from equipment that’s failing, unavailable, or not functioning per OEM specifications.
To make that possible, you could chase after the many frameworks and standards from NIST, HIPAA, HITRUST and others, but quickly find yourself overwhelmed. To cut through the confusion, we’ll zoom into the building blocks of an effective medical device security program, helping you clarify first steps and build a strong foundation.
To that end, we’ve chosen to employ the NIST Cybersecurity Framework, but approach it from a “bottom-up” perspective that focuses on your medical devices, as opposed to a “top-down” approach that would look at the entirety of your network infrastructure.
ENTER THROUGH THE INVENTORY: THE BEDROCK OF YOUR STACK
The NIST Cybersecurity Framework lists “Identify” as its first core function. An accurate, up-to-date inventory of all medical devices, systems and software in your facilities is an essential first step for the health, performance and security of those clinical assets.
No matter who is accountable for securing those devices, before you can build a defense strategy, you need visibility into each and every medical device you have, where it is, and how it’s deployed.
Note this isn’t a one-time inventory: Constant oversight is mandatory. Equipment inventories are highly dynamic by nature and network connectivity compounds that. Regular updates are crucial.
With that in mind, what does a comprehensive (digital) inventory look like?
Until recently, a thorough inventory for medical devices typically included physical attributes such as make, model, equipment description, modality, serial number, department, room, and scheduled maintenance cycles — data that’s historically maintained by Clinical Engineering in their computerized maintenance management system or CMMS.
In today’s world, a thorough inventory must also include your equipment’s digital persona and a Model Control Profile (MCP) which consists of other connectivity or networking attributes, plus critical data security fields (e.g., ePHI creation/storage/transmission, Bluetooth connectivity, storage/USB interfaces, etc.).
This level of insight enables you to accurately and consistently identify networked devices that could be vulnerable to cyber risks and exploits.
Your Clinical Engineering program should collect inventory data at several distinct points:
1. During incoming inspections of new devices
2. During scheduled maintenance
3. During repair or service request activities
4. During new facility acquisitions and onboardings
5. During planned special projects for networking, device integrations and/or data collection initiatives
Easier said than done, yes. Often, medical devices are built to perform a specific set of functions (e.g., X-ray image or CT scan), unlike conventional devices like laptops, desktops and servers that don’t require FDA clearance. Based on our experience and FDA parameters, standard security solutions (e.g., patching programs, endpoint security software and invasive scanning tools) designed to work well on standard computers and servers can disrupt the intended operation of a medical device. This not only puts patients at greater risk but could compromise the integrity of the device’s FDA approval, as alluded to earlier.
CRITICAL ELEMENTS OF A MEDICAL DEVICE DIGITAL PROFILE
Networking
■ Connectability (by Model)
■ Connected (by Device)
■ Network Type (Private/Public)
■ Wired/Wireless
■ MAC Address
■ IP Address
Software
■ Standardized Operating System (Family/Name/Version)
• By Model
• By Device
■ Software/Firmware/Patch Inventory
Security
1. Stores, transmits, and/or displays ePHI
2. Encryption
3. Antivirus Endpoint Protection Installed (see also, software inventory)
4. External Data Storage Capabilities
Manufacturer Disclosure Statement for Medical Device Security (MDS2) Forms
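An added example (not from TRIMEDX or any CMMS product) of how the digital-profile elements listed above can drive an automated inventory check that separates incomplete records from risk flags. The field names, finding labels and sample records are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass
class DeviceProfile:
    # Field names are assumptions mapped from the profile elements listed above.
    serial: str
    model: str
    connected: bool                          # Connected (by Device)
    network_type: Optional[str] = None       # "private" or "public"
    mac: Optional[str] = None
    ip: Optional[str] = None
    os_version: Optional[str] = None         # Family/Name/Version
    handles_ephi: Optional[bool] = None      # stores/transmits/displays ePHI
    encrypted: Optional[bool] = None
    endpoint_protection: Optional[bool] = None
    external_storage: Optional[bool] = None  # USB or other removable media
    mds2_on_file: bool = False

# Profile fields that must be filled in once a device is on the network.
REQUIRED = ("network_type", "mac", "ip", "os_version", "handles_ephi",
            "encrypted", "endpoint_protection", "external_storage")

def audit(dev: DeviceProfile) -> list[str]:
    """Return inventory gaps and risk flags for one record."""
    if not dev.connected:
        return []                            # no network profile to check
    findings = [f"missing:{name}" for name in REQUIRED if getattr(dev, name) is None]
    if not dev.mds2_on_file:
        findings.append("missing:mds2")
    if dev.handles_ephi and dev.encrypted is False:
        findings.append("risk:ephi-unencrypted")
    if dev.handles_ephi and dev.external_storage:
        findings.append("risk:ephi-external-storage")
    if dev.network_type == "public":
        findings.append("risk:public-network")
    return findings

def triage(inventory: list[DeviceProfile]) -> list[tuple[str, list[str]]]:
    """Devices with findings: most risk flags first, then most findings."""
    rows = [(d.serial, audit(d)) for d in inventory]
    rows = [r for r in rows if r[1]]
    return sorted(rows, key=lambda r: (-sum(f.startswith("risk:") for f in r[1]),
                                       -len(r[1]), r[0]))

# Constructed sample records (not real devices).
INVENTORY = [
    DeviceProfile("SN-001", "Infusion pump A", True, "private", "00:11:22:33:44:55",
                  "10.0.5.20", "Embedded Linux 4.x", True, False, False, True, True),
    DeviceProfile("SN-002", "MRI console B", True, "private", mds2_on_file=True),
    DeviceProfile("SN-003", "Exam light C", False),
]

if __name__ == "__main__":
    for serial, findings in triage(INVENTORY):
        print(serial, findings)
```

A missing endpoint-protection entry is reported as a data gap rather than a risk flag, since the paper requires any such software to be validated by the OEM before it is installed.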
Before you can build a defense strategy, you need to ensure all medical devices are thoroughly inventoried.
[Figure: NIST Cybersecurity Framework core functions: Identify, Protect, Detect, Respond, Recover]
■ Asset Management: Organizational knowledge to manage systems, assets, people, data, capabilities
■ Maintenance: Response and resolution of detected cybersecurity events
■ Anomaly Detection & Continuous Monitoring: Activities to identify cybersecurity events
■ Response Planning & Mitigation: Response and resolution of detected cybersecurity events
■ Recovery Planning & Communication: Activities, resilience plans and capabilities to restore services impaired by a cyber threat
This is why subject matter expertise and a skilled on-site team are essential for a multi-dimensional, connectable and connected medical device inventory. It’s also why a CE-IT partnership is so critical.
A THREE-PART PLAN
How do you begin tackling the challenges we’ve covered thus far? We advise the following steps:
1. BUILD A SOLID FOUNDATION
First, get a clear picture of the finish line and the basic functions that can take you there:
■ Set your goal using the NIST Cybersecurity Framework Core (pictured), defined as a set of activities to achieve specific cybersecurity outcomes. In your case, that goal may be simply to protect patients and their ePHI through secure, functioning and available equipment.
■ Align your IT/Security and Clinical Engineering teams. Both teams reap the benefits or consequences of medical device security, and both must share that responsibility.
■ Employ the five basic functions to organize your medical device cybersecurity efforts at the most basic level: identify, protect, detect, respond, recover. Together, these five functions form a guiding approach to securing systems and responding to threats.
Collaboration makes it possible
While not required by HIPAA, the NIST Cybersecurity Framework was designed to foster cybersecurity risk management communications among internal and external stakeholders, including across different industries.
Its focus is on community: everyone shouldering the load and responsibility together.
Let’s zoom into components that make up these core functions, and cross-reference them with key standards for medical device security:
NIST CSF Adapted by TRIMEDX CE CYBER

| Function | Category | Subcategory | Crosswalk Reference |
|---|---|---|---|
| IDENTIFY | Clinical Asset Management (CAM) | Accurate inventory of physical devices, software and systems. | CIS CSC 1 & 2, ISO/IEC 27001:2013 A.8.1.1, A 12.5.1, NIST SP 800-53 Rev. 4 CM-8 & PM-5 |
| IDENTIFY | Governance | Cyber security policies and procedures are aligned with CE roles & responsibilities. | CIS CSC 19, ISO/IEC 27001:2013 A.5.1.1, NIST SP 800-53 Rev. Controls from all Families |
| IDENTIFY | Risk management of CE and supply chain | Cyber supply chain risk management processes established and managed for clinical assets. | CIS CSC 1 & 2, ISO/IEC 27001:2013 A.8.1.1, A 12.5.1, NIST SP 800-53 Rev. SA-9, SA-12 |
| PROTECT | Access control | Physical & remote access to clinical assets are managed and protected. Access permissions & authorizations are reviewed and managed. | ISO/IEC 27001:2013 A.6.1.1, A 7.2.2, NIST SP 800-53 Rev. PS-7, SA-9, SA-16 |
| PROTECT | CE CYBER security awareness and training | All users are informed and properly trained. Privileged users understand their roles and responsibilities. | ISO/IEC 27001:2013 A.11.2.1, A 11.1.2, A.12.2.1, NIST SP 800-53 Rev. AT-3, IR-2, PM-13 |
| PROTECT | ePHI data security | Clinical assets are formally managed throughout installation, maintenance, transfers, and disposition. | ISO/IEC 27001:2013 A.11.1.1, A 11.1.2, NIST SP 800-53 Rev. PE 2-6 |
| PROTECT | ePHI data security | Data-at-rest and data-in-transit are adequately protected. | CIS CSC 13 & 14, ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, NIST SP 800-53 Rev. 4 MP-8, SC-11, SC-1 |
| DETECT | Anomalous activity is detected and the potential impact of events is understood | Personnel activity is monitored to detect potential cybersecurity events. Clinical assets are monitored to identify cybersecurity events. | CIS CSC 1, 4, 6, 12, 13, 15, 16, ISO/IEC 27001:2013 A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4 |
| DETECT | Detection processes and procedures are maintained and tested | Detection activities comply with all applicable requirements. | ISO/IEC 27001:2013 A.18.1.4, A.18.2.2, A.18.2.3, NIST SP 800-53 Rev. 4 AC-25, CA-2, CA-7, SA-18, SI-4, PM-14 |
| DETECT | Detection processes and procedures are maintained and tested | Detection processes are continuously improved. | ISO/IEC 27001:2013 A.16.1.6, NIST SP 800-53 Rev. 4, CA-2, CA-7, PL-2, RA-5, SI-4, PM-14 |
| RESPOND | Response plans are created, communicated, executed and maintained | Response plan is executed during or after an incident. | CIS CSC 19, ISO/IEC 27001:2013 A.16.1.5, NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8 |
| RESPOND | Response plans are created, communicated, executed and maintained | Incidents are reported consistent with established criteria. | CIS CSC 19, ISO/IEC 27001:2013 A.6.1.3, A.16.1.2, NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8 |
| RESPOND | Response plans are created, communicated, executed and maintained | Newly identified vulnerabilities are mitigated, remediated or documented as accepted risks. | CIS CSC 4, ISO/IEC 27001:2013 A.12.6.1, NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5 |
| RECOVER | Recovery planning, training and testing for CE & IT teams | Recovery plan is executed during or after a cybersecurity incident. | ISO/IEC 27001:2013 A.16.1.5, NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8 |
| RECOVER | Restoration activities coordinated with CE & IT teams | Reputation is repaired after an incident. | ISO/IEC 27001:2013 Clause 7.4, NIST SP 800-53 Rev. 4 CP-2, IR-4 |
2. DEVELOP A GAME PLAN
Ensure your core Clinical Engineering program is robust and prepared to enter the CE cyber realm with adequate staffing and a reliable inventory of your medical devices. (At the risk of sounding like a broken record, we can’t over-stress the importance of the inventory piece.)
Once you have a good handle on the medical device inventory, you can begin managing your clinical assets more holistically, identifying risks and cross-referencing known vulnerabilities.
From there, you can work toward other essential attributes of a strong CE cybersecurity program:
■ Essential clinical asset data collection
■ Vulnerability tracking and research
■ Clinical asset patch management
■ OEM management and relationships
■ Cyber operating foundations
At a more advanced level, your cybersecurity program should also include dedicated, on-site experts bridging the gap between CE and IT to manage:
■ Cyber event response
■ Accelerated, expanded device data collection
■ Clinical asset integration support
■ Clinical asset IT project support
As cyber threats evolve, these pieces work together to enable you to reduce, detect and counter threats faster, before they have a chance to harm your organization or the patients you serve.
3. ENSURE EXCELLENT EXECUTION
Let’s assume you now have a solid framework and medical device inventory. Now what?
■ Don’t treat medical devices like normal IT endpoints or Internet of Things (IoT) devices. Ensure all patches, updates and/or endpoint security solutions have been validated by the OEM before they are installed. Request written instructions, documentation and updated manuals, as needed.
■ Start small. Look for vulnerable devices you can obtain OEM-validated patches for, and safely install them. As OEMs provide validated solutions (e.g. antivirus, whitelisting), deploy them strategically, recording these activities in your inventory records.
■ Look to integrate a network-based medical device monitoring solution with your CMMS and inventory. This serves three purposes:
1. It begins to automate and expand the capabilities of your connected device inventory.
2. It enables better collaboration between your Clinical Engineering and IT/Security teams.
3. It improves data accuracy with digital bulk updates compared to data entered manually by technicians during preventive maintenance.
2. FDA Fact Sheet - https://www.fda.gov/downloads/MedicalDevices/DigitalHealth/UCM544684.pdf
The FDA’s position on patching: an important consideration
The FDA exempts an OEM from going back through the approval process for security patches/upgrades that do not change the form or function of the device.
OEMs are still accountable for the safety and effectiveness of a device within its useful life and remain the only ones who can validate and approve a patch, update and/or endpoint security solution for their devices.
With lives and ePHI on the line, we do not feel it is safe or prudent to install any patches or software on medical devices that have not been validated by the OEM.2
PARTING THOUGHTS
We’ve covered much so far, and it’s reasonable to feel overwhelmed when considering the full ramifications of medical device security. It’s fine to start small, but do start somewhere, without delay.
At a minimum, cultivate a strong partnership between your Clinical Engineering and IT/Security teams, and equip them with the right tools to ensure the health, safety, security and longevity of your medical devices.
As you digest the advice presented here and map out next steps, it’s helpful to remember what’s at risk: This isn’t simply a compliance or data protection issue, say researchers. It’s about the safety of patients entrusted to you and, by extension, the financial health of your organization.
With so much on the line, your greatest risk today is that of inaction.
The Benefits Are Striking
■ Completely inventory medical devices
■ Holistically maintain medical devices
■ Begin understanding and reducing organizational risk
■ Improve regulatory compliance
■ Bolster your defense in depth strategy
■ Protect brand and community reputation
“There’s a storm on the horizon, and it may already be here. Healthcare security is no longer [just] a compliance issue. It’s not only about protecting ePHI. It’s a patient safety issue.”
Jeffrey Tully, Security Researcher, UC Davis, HIMSS Security Forum
CREATED BY PROVIDERS, FOR PROVIDERS
As the largest independent technology-enabled clinical asset management company in the U.S., TRIMEDX provides strategic planning for, and management of, clinical assets to drive reductions in operational expenses, free up capital for new strategic initiatives, and deliver improved safety and cyber protection. Headquartered in Indianapolis, Indiana, TRIMEDX was built by providers, for providers, and leverages a history of expert clinical engineering to manage over $30 billion in clinical assets across thousands of locations.