Managing Cybersecurity Risks of Medical Devices in Hospital Environments
Healthcare is susceptible to cyber threats, so there is a need for cyber security to eliminate vulnerabilities. To address these risks, last December, the Department of Health and Human Services released cyber security guidelines for the healthcare sector, Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients. The report’s procedures are not requirements; instead, the report outlines voluntary cyber security practices to reduce security risks.
These cyber security practices need to go beyond the requirements of current regulations and policies because up until recently, regulations and policies mainly addressed data privacy, not data security.
This is a complex task, as hospitals must manage a range of devices, from legacy IT to connected medical devices, that were purchased ad hoc by clinicians or by different departments, or even given without purchase by medical device manufacturers. Additionally, each department requires different equipment used by highly specialized resources.
Many medical devices are connected over hospital networks so that they can share information across many platforms. However, this also means any device that connects to a hospital network can be exploited in order to obtain records and other sensitive information, including patient information.
Medical device manufacturers should therefore expect hospitals and healthcare systems to test devices that are connected to hospital networks as part of cyber security assessments, employing advanced tools to assess their risks.
One example is penetration testing. Also known as “ethical hacking”, pen-testing is used to identify security weaknesses by gathering information about the target before the test, identifying possible entry points, attempting to break in, either virtually or manually, and reporting back the findings. The report will typically contain recommendations for remediation of the identified vulnerabilities to help mitigate the risk of a cyber-attack.
If a vulnerability is discovered through a connected device during a hospital/healthcare assessment, the medical device manufacturer may be requested to mitigate the risk.
Common device-related vulnerabilities discovered during penetration testing originate from device and service configurations. For example, a default password might give an attacker the ability to access data stored on the device itself.
Another practice currently being employed is network traffic monitoring. Network traffic monitoring is the process of reviewing, analyzing and managing network traffic for any abnormality or process that can affect network performance, availability and/or security.
Medical device manufacturers should design in cyber security; the FDA document, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, calls for listing the cyber security risks considered in the design of a device, along with a corresponding list of controls.
Medical device manufacturers should assess software vulnerabilities and weaknesses early in the design process using tools such as penetration testing, malware testing, binary/byte code analysis, static code analysis, fuzz testing, and security controls testing.
In June 2017, the Health Care Industry Cybersecurity (HCIC) Taskforce issued its report, Report on Improving Cybersecurity in the Healthcare Industry. Taskforce Imperative No. 2 is to increase the security and resilience of medical devices and health IT. To accomplish this, their Recommendation 2.6 is to establish a Medical Computer Emergency Response Team (MedCERT) to coordinate medical device-specific responses to cyber security incidents and vulnerability disclosures.
Following medical device cyber security guidelines in design and remediating found vulnerabilities will make the healthcare industry robust against cyber threats.