Chapter 9 – The fundamentals of medical device cybersecurity

Building a medical device strategy requires a growing focus on cybersecurity. It’s not only computers with unpatched systems that can expose hospitals to cyber threats. A growing threat landscape also targets connected medical devices, which have unique security requirements.

This blog post – part of our Internet of Medical Things (IoMT) series — covers the key fundamentals of medical device cybersecurity to help you better choose your hospital security software. 

Why you need a medical device strategy focused on cybersecurity

Cybersecurity goes hand in hand with patient care. In naming cyberattacks the top health technology hazard for 2022, the patient safety group ECRI drove attention to the amount of alerts involving medical devices. The organization recorded 173 alerts related to medical devices, including:

• MRI systems
• Physiologic monitors
• Infusion pumps
• Lab analyzers

A vulnerable medical device can expose your network to healthcare cyberattacks. Such are the risks that the FBI has issued a warning about the consequences of unpatched and outdated healthcare technology. 

One of the top concerns is ransomware, which can cause operational and clinical disruption. According to the U.S. Department of Health and Human Services (HHS), 82% of healthcare systems reported a cybersecurity incident from mid-2020 through 2021 — one third was ransomware.

An effective medical device strategy with both asset management and cybersecurity in mind can help hospitals to:

• Ensure quality of care. A compromised medical device might stop working abruptly, which can bring risks to patients. A ransomware attack can shut down entire emergency operations. 

• Reduce technical debt. This term refers to the implied cost of not updating aging devices. Legacy technology — a reality in hospitals due to high medical device life expectancy — can’t keep up with the evolving threat landscape. Aging technology also hinders productivity and is often a maintenance burden to organizations. 
• Improve operational efficiency and reduce costs. With comprehensive asset management, healthcare delivery organizations (HDOs) can look at device utilization insights to make data-driven decisions about procurement and staff allocation, making their operations more efficient and cost-effective.
• Increase cyber resilience. Healthcare is the number one target of data breaches, per the Identity Theft Resource Center. Preventing and recovering from healthcare cyberattacks is more important than ever. 

The pillars of a healthcare device cybersecurity program

Here’s the foundation for building a device cybersecurity program in healthcare:

1. Medical device inventory management

As Gartner reports, most healthcare organizations’ security and IT teams don’t have a comprehensive, accurate, and updated inventory of their medical devices. However, in order to better manage clinical and cybersecurity risks, you need to know all devices you have on your network, including where they are located and how they are supposed to behave.

2. Medical device security risk management 

Hospitals need to understand the risks associated with all their devices, so they can prioritize measures to minimize the impact of vulnerabilities and breaches. With a medical device cybersecurity assessment program, the goal is to identify and evaluate risks and the security controls in place. Taking proactive steps can help reduce the likelihood or the impact of a damaging cyber intrusion. 

3. Continuous monitoring and threat detection

Hospitals should monitor their network in real time in order to detect abnormal behavior, device misuses, and breach attempts. Equally important is to keep on top of the U.S. Food and Drug Administration (FDA) recalls and security updates. Have an incident response plan in case an intrusion occurs.

4. Best practices and standards

Following medical device security best practices and industry standards can help HDOs strengthen their cyber defenses. With Armis, you can map your existing controls to frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), Zero Trust Security Model, and the Center for Internet Security (CIS) Controls. 

5. Cyber hygiene 

Taking cyber hygiene measures helps organizations maintain the health of their digital assets. Here’s how to start:

• Update applications and firmware in a timely manner.
• Have a system to patch vulnerable assets.
• Replace legacy devices and end-of-life software that is no longer supported by the vendor.
• Enforce multi-factor authentication (MFA) and the security principle of least privilege.

6. Regulatory compliance alignment

The connected medical device industry requires working closely with regulatory authorities and meeting compliance requirements. It’s also worth noting that medical device regulations differ from country to country. For example:

• In the United States, the FDA regulates the medical device market, and patient data is protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which is a federal law.

• In the United Kingdom, healthcare organizations are required to use the Data Security and Protection Toolkit (DSPT) to demonstrate adherence to the National Data Guardian’s 10 data security standards.

Ready to build a modern healthcare IT environment? Our ebook covers 5 critical considerations for your medical device cybersecurity strategy.

Checklist: 7 questions to ask about your hospital security software

Our survey with security managers in healthcare delivery organizations reveals that 95% are planning to increase spending on security for Internet of Things (IoT) and unmanaged devices. If you are shopping for cybersecurity for connected medical devices, here’s what you should take into account:

1. Is it an agentless solution?

Many medical, operational technology (OT), and IoT devices can’t have a security agent installed, leaving them outside of the scope of traditional IT security tools. For this reason, your hospital cybersecurity platform needs to leverage a scalable, agentless deployment to detect every device on the network. 

2. Does it use passive monitoring?

Your security solution needs to use passive technology to identify devices and traffic flows. Active methods such as scanning, for example, can cause devices to crash, posing operational and clinical risks. 

3. Does it identify every device? 

Hospital cybersecurity requires a comprehensive approach that breaks down silos between IT and clinical engineering teams. Your healthcare security tool needs to track all managed and unmanaged devices, including IoMT, IoT, OT, and IT, so it can provide a single source of truth about your digital environment.

4. Does it understand context? 

Increased cybersecurity requires the understanding of how a device typically behaves, so you can identify anomalies and signs of compromise. Armis Collective Asset Intelligence Engine, which contains anonymized knowledge of over 3 billion devices, compares configuration and traffic pattern information to produce alerts about any abnormal activity. 

5. Does it prioritize vulnerabilities? 

Context is also critical to enable prioritized remediation of cybersecurity vulnerabilities with the potential to affect the quality of care. For example, a Windows device connected to an MRI machine poses more risks than a back-office Windows machine, because you don’t want a compromised MRI machine touching a patient.

6. Is it integrated with your other security tools?

Managing a wide range of cybersecurity tools is often a burden for security professionals. Integrations enable you to make the most of your technology investments, giving additional context and triggering automated workflow orchestration. For example, Armis can integrate with your firewall and NAC to help enforce security policies in case of a threat. 

7. Does it prioritize remediation?

Six out of 10 respondents of Ponemon Institute’s The State of Vulnerability Response in Healthcare say they spend more time dealing with manual processes than actually responding to vulnerabilities. 

It’s important to have a solution that doesn’t just tell you that there’s a security issue, but it’s also able to take proactive steps to remediate the incident. Let’s say there’s an FDA recall notice. Armis automatically groups every device to which the alert or recall applies, enabling faster prioritization. Our platform integrates directly with your IT ticketing system to help automate response through existing processes. 

Download the 2022 SPARK Matrix™ report to discover why Armis has been named the leader in connected medical device security.

Improve cybersecurity for medical devices and hospital networks with Armis

Enhancing cybersecurity for connected medical devices is only part of the equation. Hospitals need to secure all assets, including IT and OT devices in their network and airspace. To learn how Armis can help with your medical device cybersecurity strategy, request a custom demo now.

Frequently Asked Questions

Read all IoMT Playbook Chapters:

1. Chapter 1 – How to innovate in healthcare with IoMT devices without exposing the expanding cyber attack surface
2. Chapter 2 – The Hurdles of Internet of Medical Things Security
3. Chapter 3 – A history of medical device hacking
4. Chapter 4 – How to mitigate ransomware in healthcare
5. Chapter 5 – How to minimize the clinical risks of unsecured healthcare devices
6. Chapter 6 – How to improve patient data security
7. Chapter 7 – Why healthcare IT security can’t protect against IoMT vulnerabilities
8. Chapter 8 – How to spot the top indicators of compromise in healthcare
9. Chapter 9 – The fundamentals of medical device cybersecurity  👈 you are here
10. Chapter 10: Which role can you play in strengthening cybersecurity in healthcare moving forward?