The social distancing equivalent for medical devices
Organizations in the world’s most targeted industry, healthcare organizations – including hospitals, clinics, pharmacies and distributors of medical equipment — are more at risk than ever. Since the beginning of 2020, reports of cyberattacks have quadrupled, according to the FBI.
Even if an attack isn’t directly targeting connected medical devices, malicious code can spread through a hospital’s internal network and infect equipment used to diagnose and treat patients such as IV pumps, patient monitors, ventilators and X-ray machines.
As John Riggi, the American Hospital Association’s senior adviser for cybersecurity and risk said in a recent article, “Worst-case scenario, life-saving medical devices may be rendered inoperable.”
The best way for hospitals to prevent cyberattacks and safeguard internet of medical things (IoMT)devices from infection is by separating, or virtually distancing, the most vulnerable and critical devices from each other, called network segmentation.
Here are some practical steps hospitals can take to segment their clinical networks, decrease the attack surface and safeguard patients from cyberattacks.
Define who is responsible
Traditionally, medical device security has been the responsibility of biomedical engineering equipment specialists. However, with the increasing prevalence of IoMT devices and the rise in healthcare-targeted cyberattacks, hospital IT teams have had to take a more active role in medical device security. As a result, healthcare organizations need close alignment between the IT and biomedical teams to devise and enforce safe and effective security policies for clinical networks.
Securing medical devices and aligning IT and biomedical teams have given rise to the need for a single, final decision maker on IoMT cybersecurity policy. Some larger institutions have gone as far as to create the role of Medical Device Security Officer to take direct responsibility for medical device security across a hospital’s entire clinical network.
Create a reliable equipment inventory
It’s impossible to set a network segmentation policy without an up-to-date inventory of a hospital’s connected medical devices, profiles on each device and a deep understanding of communications and utilization patterns.
Automated inventory tools must also be able to conduct ongoing inventory and profiling of devices with an understanding of IoMT device behavior, device criticality and medical device vulnerabilities.
Assess the relative risk for each device
Risk scores should be calculated according to device criticality and medical impact. Risk assessment should be ongoing and continuously monitor the network for anomalous behavior. In order to assess the risk, the following factors must be taken into account:
- Communications with external servers required for normal device functionality, such as vendor communications.
- If the device stores and sends electronic protected health information (ePHI): Does the device need to store and send ePHI, and for what purpose?
- Device utilization patterns.
- Does the device run an unsupported OS or have any known vulnerabilities? If so, are patches available or is segmentation the only way to secure the device?
Check industry guidelines and regulations
Hospitals could face millions in fines if they fail to comply with federal and state regulation standards. Fiscal damage aside, failing to follow cybersecurity guidelines places medical devices at risk and could compromise patient safety, business integrity and a hospital’s reputation.
Guidelines and regulations involving healthcare and medical devices are routinely updated. In order to remain compliant, hospitals must keep a close eye on regulatory standards and updates released by state and federal institutions, including:
- The Food and Drug Administration
- The Medical Device Information Sharing and Analysis Initiative
- The Health Insurance Portability and Accountability Act
Devise, validate and enforce segmentation policies
Segmentation policies should be put in place to reduce the attack surface and stop potential threats. Network segmentation can also help networks run more smoothly by limiting traffic to designated areas and reducing the network load.
However, before any segmentation policy is enforced on the clinical network, it should be tested for safety and efficacy. Hospital security teams should always validate segmentation policies before enforcing them on the live network to ensure the continuity of medical services and clinical operations. Clinical network segmentation is a mainstay of healthcare business integrity. Network segmentation can secure critical medical devices, improve clinical network capacity, avoid network overload and ensure patient safety as long as hospitals maintain a disciplined and consistent approach to device discovery, risk assessment and preventive action. Beginning a network segmentation project as soon as possible will help to fortify the healthcare industry against present and future cyber threats, safeguard patients and business integrity and help prepare for unforeseen crisis to come.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.