Medical Device Security Risk Management: One size does not fit all
Guest post by William Scandrett
It’s no secret that healthcare organizations have been plagued by the explosion of medical device security issues and have been left wondering how best to protect their organizations and patients while at the same time shedding the accusation of potentially acting as a barrier to providing top-quality care. Worse yet, the responsibility of healthcare security teams is to protect the organization from 100% of the threats that can affect medical devices without causing any type of disruption in care (or to the devices themselves), and to scan or patch these devices in a 24/7, always-on medical facility. So what are healthcare security teams to do? How can we balance security risks against the risk of patient care disruption or, even worse, patient harm? How can we build repeatable and reliable programs that can remediate security vulnerabilities in an effective and safe way? The approach we’ve taken at Allina Health is that one size may not fit all.
The primary issue as we see it is that certain medical devices have been in use for quite some time. Although we have great medical device manufacturers out there that are security minded and are building devices that can be updated and easily maintained, the simple fact of the matter is that a number of devices regularly in use in a care facility have been in use for years and are expensive and disruptive to replace with more easily updatable models. Furthermore, medical devices have a much longer “go to market” timeline than most consumer devices, in that there are clinical requirements and approval processes that must be satisfied before devices are qualified to be used as medical products. This poses an additional problem in that the technology used in initial development is often deemed out of date by the time a device hits the sales cycle. So healthcare security teams are left holding the bag: a hodgepodge of different devices with different security profiles, and the job of keeping everyone safe.
So if we can’t develop a one-size-fits-all program to manage this issue, why not borrow from our friends in risk management?
The construction and nature of any particular device gives it an inherent security profile. It may perform a critical lifesaving function or it may only provide a non-invasive diagnostic. It may process and contain loads of PHI or it may only provide real-time monitoring data that is never recorded. Perhaps it is hosted with a cloud-based repository, or perhaps it only holds one record at a time in a “single-use” mechanism. Whatever the case may be, we can apply logic to these risk profiles to determine the method of triage we leverage. In high-risk scenarios, perhaps we fully quarantine devices that are extremely risky and cannot be updated or patched due to archaic construction or contractual warranty issues. For devices that perform critical functions and cannot be scanned for fear of device malfunction or failure, we apply a medium-risk approach and only scan during off-hours or when devices can be pulled out of clinical rotation for general maintenance. Devices that are low-risk could be scanned at any time, as patient harm implications are virtually non-existent. And it doesn’t stop there. We can also leverage network-layer controls (whitelisting, strict firewalls, east/west IPS) combined with logging (SIEM, etc.) and behavior analysis to provide a more complete risk picture, especially when patching and vulnerability scanning aren’t possible.
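The tiering logic above, written out as an added example (not code from the original post or from Allina Health): the device attributes, the off-hours window, and the control names are assumptions chosen for illustration, and the rules encode the high/medium/low triage described in the paragraph.

```python
from dataclasses import dataclass
from enum import Enum


class Tier(str, Enum):
    HIGH = "high"      # quarantine; cannot be patched, compensating controls only
    MEDIUM = "medium"  # scan only off-hours or when pulled for maintenance
    LOW = "low"        # scan any time; patient-harm implications negligible


@dataclass(frozen=True)
class Device:
    # Assumed attributes describing a device's inherent security profile.
    name: str
    life_critical: bool  # performs a critical lifesaving function
    stores_phi: bool     # holds/processes recorded PHI (vs. transient monitoring data)
    patchable: bool      # False for archaic builds or warranty-locked devices
    scan_safe: bool      # vendor confirms active scanning will not disrupt the device


# Assumed off-hours scanning window (22:00 to 05:00, wraps past midnight).
OFF_HOURS_START, OFF_HOURS_END = 22, 5


def in_off_hours(hour: int) -> bool:
    """True when the given hour (0-23) falls inside the off-hours window."""
    return hour >= OFF_HOURS_START or hour < OFF_HOURS_END


def classify(d: Device) -> Tier:
    # Unpatchable and either life-critical or PHI-holding: extremely risky.
    if not d.patchable and (d.life_critical or d.stores_phi):
        return Tier.HIGH
    # Critical function, or cannot be scanned while in service.
    if d.life_critical or not d.scan_safe:
        return Tier.MEDIUM
    return Tier.LOW


def triage(d: Device, hour: int, in_maintenance: bool = False) -> dict:
    """Decide whether a scan may run now and which network-layer controls apply."""
    tier = classify(d)
    if tier is Tier.HIGH:
        controls = ["quarantine", "whitelist", "east_west_ips", "siem", "behavior_analysis"]
        return {"tier": tier.value, "scan_now": False, "controls": controls}
    if tier is Tier.MEDIUM:
        allowed = in_maintenance or in_off_hours(hour)
        return {"tier": tier.value, "scan_now": allowed, "controls": ["whitelist", "siem"]}
    return {"tier": tier.value, "scan_now": True, "controls": ["siem"]}
```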
At the end of the day, we are stuck in a situation where the medical device industry needs to catch up on secure coding and build practices, and healthcare organizations need to cycle through aging products until we can get to a more manageable baseline. Until that time, consider a multi-sized approach to managing medical device security risk with minimal disruption. One size may not fit all… but that’s why we can order stuff in Small, Medium, and Large!
ABOUT THE AUTHOR
William Scandrett is an accomplished information security leader with a proven track record of establishing successful security programs across retail, finance, and healthcare industries. As CISO for Allina Health, William is responsible for the Security Governance, Identity/Access, and Cybersecurity programs as well as Technology Compliance and Risk Management and IT Asset Management.
Prior to Allina Health, William served as CISO for HealthEast, and held the Information Security Director role at Ameriprise Financial where he led the Identity Management and Governance, Risk, & Compliance (GRC) programs. William also led the IT Compliance program at GMAC ResCap and consulted at Best Buy through Accenture to help establish their global technology compliance program and software development methodologies.
William is recognized in the information security community for his knowledge, vision, and leadership in the areas of Identity, Compliance, and Risk Management. He is most recently a CSO50 award winner and has been recognized as one of the “Healthcare CISOs to Watch” in 2019 and 2020.
ABOUT OCTELLIENT
Our mission: simplify information security. With a Business First approach, we want to help you and your organization get to your core priorities and make the most of your infosec investments. Our goal is to be your side-by-side partner, working together to navigate a tailored infosec strategy and bring expert advice to your toughest challenges.
Ask us about Propulsion, Deepwater, and the 8-point Dossier
www.octellient.com