Medical device cybersecurity: A three-part plan for getting started

Doug Folsom, president of cybersecurity and chief technology officer, TRIMEDX, offers his advice in a new era of medical device connectivity. 

The situation is a cybercriminal’s favourite. Medical devices such as MRI scanners and infusion pumps are increasingly being connected to hospital networks, yet whose responsibility it is to maintain those devices’ security can be murky.

Is cybersecurity the responsibility of clinical engineering? Or is it the responsibility of information technology? Years ago, the lines were clear: Clinical engineering (CE) managed medical equipment, and information technology (IT) managed the network and the data flowing through it. 

But once we began connecting medical equipment to the network and sharing data over the internet, the lines of oversight and responsibility blurred. Widening the grey area further are other types of connected devices. Is a refrigerator used to store COVID-19 vaccines considered a medical device?  

Hospitals now may lack consistency and clarity on how they assign responsibility, and connected devices can easily number in the thousands. Amid that gap in who takes ownership lies vulnerability and, for the cybercriminal, opportunity. 

A three-part plan can help your health system overcome that challenge.

The need for a cybersecurity plan

Before outlining the plan, let’s be clear. The growing cybersecurity threat is not hyperbole. A recent Deloitte report projects that nearly 70% of medical devices will be connected to networks by 2025.

The explosion of connected medical devices now has its own internet of things (IoT) subcategory: IoMT, the internet of medical things. And while medical devices aren't the most likely entry point for a cyberattack, they are prime targets. The devices get “kidnapped,” and like any kidnapping, the criminal demands a ransom.

The 2017 WannaCry ransomware attack infected more than 1,200 diagnostic devices and forced the prompt shutdown of other equipment to stem the attack, according to an investigative report by the UK National Audit Office.

Such ransomware attacks are on the rise. Last year, at least 91 US health care organisations suffered some type of ransomware attack, up from 50 the previous year, according to research by Comparitech, which estimated the cost to be nearly $21 billion.

Idled equipment, cancelled appointments, lost records, ransomware removal and lawsuits can prove costly and damaging to a hospital’s reputation. Medical device security is imperative. 

Step 1: A framework to get started

As with any process, the first step is to get a clear picture of the finish line and what it will take to get there. The NIST Cybersecurity Framework Core outlines five basic functions to organise your medical device cybersecurity efforts: 

Identify. Do you have an accurate inventory of all software, devices and systems? Are cybersecurity policies and procedures aligned across CE and IT roles and responsibilities?

Protect. Is physical and remote access to clinical assets protected? Are all users properly trained? Are access authorisations reviewed and managed?

Detect. Are clinical assets monitored to identify cybersecurity events? Is personnel activity monitored to detect potential cybersecurity events?

Respond. Are response plans created, communicated, executed and maintained? Are newly identified vulnerabilities mitigated or remediated?

Recover. Do CE and IT teams undergo recovery planning, training and testing? Is there a plan to repair the reputation of the hospital, as well?

Critical throughout the first step is to align your CE and IT teams to bridge that gap in ownership with a roadmap for shared responsibility.

Step 2: A plan of action

Once you understand your path, develop a game plan. Ensure your core CE team is adequately staffed and equipped with a reliable inventory of your assets before it joins the cybersecurity effort. That comprehensive assessment of inventory allows your team to better identify risks, cross-reference vulnerabilities and manage your assets more holistically. 

From there, move toward additional essential functions, such as vulnerability tracking and research, patch management, and OEM management and relationships. Further advances in your efforts would include incident response, expanded device data collection and clinical asset integration support.

Each of these elements works together to reduce, detect and counter threats before they can harm your organisation’s bottom line or reputation or your patients’ welfare. As threats evolve, your game plan should evolve, too.

Step 3: It’s all in the execution

With a solid game plan in place, success now lies in the execution. Don’t overlook the details.

Medical devices are not like typical IT endpoints such as laptops. All patches or other remediations should be validated by the OEM prior to implementation. Ask for written instructions or manuals as needed.

Start by looking for clinical devices with critical vulnerabilities that have existing OEM-validated patches that can be safely installed. Deploy your solutions strategically and record those efforts in your computerised maintenance management system (CMMS) inventory.

Also, integrate a network-based medical device monitoring solution with the CMMS and inventory. This automates and expands the capabilities of your asset inventory, further enables collaboration between your CE and IT teams and improves data accuracy with digital bulk updates compared with data entered by hand by technicians during preventive maintenance.

As the number of connected medical devices keeps growing, so too does the potential risk from cyberattacks. CE and IT teams once had distinct roles, but now they need to work together to mutually share the responsibility of securing your equipment. A framework to get started, a plan of action and attention to the details can organise your team’s efforts and help safeguard against the costs and damage to a hospital’s brand and its patients’ welfare.