Securing medical devices has become a crucial requirement for healthcare organizations and institutions. Connected devices and life-saving machines are now critical to ensuring patient safety and delivering the best possible quality of care.
As a result, the healthcare device ecosystem expands far beyond simply medical devices. It now includes all elements of healthcare organizations’ technology infrastructure and the systems responsible for securing patient journeys through their health systems.
Armis conducted research to explore how the United Kingdom’s National Health Service (NHS) was approaching the issue. The results have helped us to create the following best practices and guidance for health services all over the world to enhance their information security and organizational resilience.
Regulations and technology standards are a significant focus for all healthcare organizations, which must manage issues like certification criteria, compliance schedules, non-compliance penalties, and overlapping requirements.
For example, our research with the NHS covered more than 70 trusts with varying requirements, including the Networks & Information Systems (NIS) Directive, Cyber Essentials, ISO 27001, and the Data Security & Protection Toolkit (DSPT). Healthcare organizations elsewhere also need to focus on regulations like HIPAA and HITECH in the U.S., the data protection rules issued by the French Data Protection Authority, and the EU’s GDPR.
Elements of these requirements enable healthcare providers to shape security strategies covering issues such as:
Risk management: Healthcare organizations’ risk management is dual-focused. On the one hand, they are compliance-based, which governs their information security strategy. On the other, they focus on clinical outcomes and patient safety.
This is reflected in the NHS research data. NHS organizations articulate risk in terms of medical device software maintenance and the deployment of segmentation and security controls. However, nearly all the organizations researched showed varying levels of compliance with the regulations that drive security technology adoption.
The highly-regulated nature of the healthcare industry means risk needs to be standardized before using threat-related data sets for emergency management and business continuity planning. This helps contextualize security risk for various treatment areas, enable IT hygiene and privilege management, and provide workflow context for multiple departments.
Regulation overlapping: Overlapping regulatory requirements help organizations invest in and prioritize the various elements of their security strategy, improve their incident response, and spread the cost of the strategy. Prioritizing multiple standards also enables healthcare providers to enhance their technological architecture, improve vulnerability management, and use operational data to satisfy regulatory requirements.
Real-time data: Our research found that, while most NHS organizations had executive-level risk support, most focused on information security data rather than the total impact on medical devices and their adjoining infrastructure. For example, devices providing direct patient care, ancillary care support devices, critical operating technologies, and control systems are all essential to securing the patient journey.
However, many of the organizations we researched lacked real-time analysis of the vulnerabilities in these devices and systems, their behavior, and their operational workflows. This focus will be crucial as healthcare providers increasingly move from legacy approaches and platforms to continuous monitoring of their systems and networks.
Furthermore, our research found NHS departments often operate decades-old monitoring equipment with new imaging modalities. It’s therefore vital to ensure that vulnerability management isn’t simply part of the security toolkit but a critical component of operations continuity.
Medical device security has increasingly been led by IT because of these devices’ edge computing capabilities. As a result, healthcare organizations have had to understand the operational implications of applying cybersecurity without impacting patient care and safety.
Our research shows a clear need to focus on baselining business continuity metrics for data loss and system downtime and how long people take to complete machine maintenance tasks. This is crucial to estimating response to emergencies and security scenarios like ransomware and supply chain attacks.
Ensuring visibility across the entire healthcare device ecosystem is crucial to medical device security strategy. It provides security teams with a complete view of their attack surface while analyzing the impact of their threat intelligence on medical operations.
Utilization context is critical to driving security incident recovery and response. This is crucial to monitoring clinical workflows, analyzing device utilization, enhancing the efficiency of clinical procedures, and assuring the integrity of clinical data.
Healthcare organizations need to minimize alert fatigue and response times while managing the cost of risk governance and efficiency of workflows. They therefore need to focus efforts on real-time reporting and IT operations integrations.
Common Vulnerabilities and Exposures (CVE) is a public list of flaws in computer security systems, code, and software. A vulnerability is a flaw or weakness in code and software that can result in a data breach, while an exposure refers to a misconfiguration or one-off security event. Every reported CVE is given an ID number that enables knowledge of the flaw to be shared with and understood by organizations, researchers, and vendors.
Combining CVE knowledge with safety recall data is crucial to helping healthcare teams securely deploy new technology and connected systems. Devices that haven’t traditionally been seen as “smart” are increasingly connected to other assets and networks, which leaves them vulnerable to cyber-attacks. The firmware of these devices, especially newer assets like IoT machines, is also susceptible to vulnerabilities, and such devices typically cannot install security software. As a result, firmware-based devices such as implants or pacemakers can be exposed to attacks that target connected systems and disrupt response and recovery workflows.
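As an added illustration (example code, not Armis’ product or the NHS research tooling) of combining CVE data with safety recall data and clinical context, the script below triages a constructed device inventory. The device names, CVE IDs, recall IDs and weightings are all placeholders chosen to show the idea; a real deployment would draw them from the organization’s asset inventory, the CVE feed and the regulator’s recall notices.

```python
# Added example (not Armis code): rank devices by combining CVE severity with
# safety-recall status and clinical context. All data below is constructed.
from dataclasses import dataclass


@dataclass
class Device:
    asset_id: str
    product: str
    firmware: str
    patient_facing: bool   # direct patient care vs ancillary/building systems
    can_run_agent: bool    # firmware-only devices cannot host security software


# Constructed inventory; product and firmware strings are placeholders.
INVENTORY = [
    Device("inf-001", "infusion-pump-x", "2.1", True, False),
    Device("img-007", "ct-scanner-y", "9.0", True, True),
    Device("hvac-03", "building-controller-z", "1.4", False, False),
]

# Constructed CVE feed: product -> [(cve_id, affected firmware set, CVSS score)].
# The CVE IDs are obviously-fake placeholders, not real advisories.
CVES = {
    "infusion-pump-x": [("CVE-XXXX-0001", {"2.0", "2.1"}, 9.8)],
    "building-controller-z": [("CVE-XXXX-0002", {"1.4"}, 7.5)],
}

# Constructed safety-recall register: product -> recall reference (placeholder).
RECALLS = {"infusion-pump-x": "RECALL-PLACEHOLDER-1"}


def score(dev: Device) -> dict:
    """Combine matching CVE severity with clinical and recall context."""
    findings = [(cid, cvss) for cid, fw, cvss in CVES.get(dev.product, [])
                if dev.firmware in fw]
    base = max((cvss for _, cvss in findings), default=0.0)
    # Weighting is illustrative: direct patient care, inability to run a
    # security agent, and an open safety recall each raise the priority.
    mult = 1.0
    mult += 0.5 if dev.patient_facing else 0.0
    mult += 0.25 if not dev.can_run_agent else 0.0
    mult += 0.5 if dev.product in RECALLS else 0.0
    return {"asset_id": dev.asset_id, "cves": [c for c, _ in findings],
            "recall": RECALLS.get(dev.product), "priority": base * mult}


def triage(devices=INVENTORY) -> list:
    """Return the inventory sorted from highest to lowest priority."""
    return sorted((score(d) for d in devices),
                  key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for row in triage():
        print(row)
```

The unpatched, recalled, agent-less infusion pump lands at the top even though the building controller has a CVE too, which is the ordering a clinical risk review would expect.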
Reducing the impact of cyber-attacks relies on factors like risk frameworks, response tactics, and threat models. Healthcare organizations need to prioritize simulations and testing of workflow disruptions and system outages. Those that do will better understand risk telemetry, how long their systems take to recover, and the user impact of degraded performance. Over time, this will help healthcare organizations defend themselves against any attack on their environment.
Armis helps healthcare organizations manage risk and operations continuity while making information security a crucial extension of their clinical risk management. Find out more by downloading the Security & Operational Efficiency – IT Begins with Visibility white paper.