Medical Device Security: A Work In Progress

Published: 22/11/2024   Category: security




Healthcare organizations vary widely in how prepared they are to handle breaches of medical devices, says Deloitte report.



Healthcare organizations are in various stages of mitigating the cybersecurity risks of medical devices such as patient monitors, infusion pumps, ventilators, pacemakers and imaging devices, a new Deloitte report says.
Overall, however, Deloitte's interviews with medical device security leaders at nine large hospital systems indicate that their organizations have a long way to go and that they will need more cooperation from device manufacturers.
Last June, the Food and Drug Administration (FDA) released a guidance on the content of premarket submissions for management of cybersecurity in medical devices. This guidance suggested that device makers incorporate security features into their products to limit access to trusted users only, ensure that only trusted content is loaded, and use fail-safe and recovery features. The FDA called on manufacturers to consider threats such as hacking, malware and other vulnerabilities of device software and to work with providers on use cases.
"The cybersecurity guidance has definitely gotten the attention of some of the manufacturers," said Russell Jones, a report author and a partner in Deloitte's life sciences and healthcare division, in an interview. "The FDA has made it clear, with the guidance and the additional communications they've published, that this is an area of importance."
However, he told InformationWeek Healthcare, many device makers are still not ready to include these security features in their purchasing agreements with healthcare providers. Although providers and manufacturers have begun collaborating on this issue, he said, they have a long way to go.
Also, the Deloitte report noted, healthcare organizations have had difficulty developing risk-mitigation strategies for devices that are more than five years old and run on proprietary operating systems. These legacy devices are difficult to test for vulnerabilities because off-the-shelf security scanning tools for them do not exist, the paper said. Where hospitals lack spare devices of the same kind, these products cannot even be taken offline for testing, Jones added.
Other devices run on well-known commercial operating systems and have the same vulnerabilities as any other system connected to the network, the report said.
For both these and the legacy devices, the most extreme risk-mitigation method is to quarantine the medical devices from the rest of the hospital IT system. But, partly because of the complexity of running multiple systems that are not networked, Deloitte suggested that organizations do this only where it is appropriate.
"We recommend that organizations consider quarantining, and if it doesn't make sense, fall back to other types of controls, such as detection controls and SIEM systems," Jones said. "That may be the best you can do to see whether there has been activity that suggests hacking or unauthorized access to medical devices."
Deloitte asked the medical device security leaders where their organizations stood in several areas of cybersecurity. These included:
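The fallback Jones describes, a detection control watching a segregated device segment, can be as simple as a rule that compares observed flows against the device inventory and each device's expected peers. The following is an added example, not code from the Deloitte report or from any vendor: it assumes a hypothetical device VLAN (10.50.0.0/24), a constructed inventory of two devices with their permitted peers, and constructed flow-log lines in a "timestamp src dst dport proto" format. It flags traffic to or from a device that involves a peer outside the allowlist, and also flags any host in the device segment that is missing from the inventory, which is the inventory-management gap the report describes.

```python
"""Detection control for a segregated medical-device network segment.

Added example (not from the Deloitte report). All addresses, the
inventory and the flow records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical device VLAN and inventory: each device lists the peers it
# is expected to talk to (e.g. its vendor's management server).
DEVICE_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
INVENTORY = {
    "10.50.0.11": {"type": "infusion-pump",   "allowed_peers": {"10.10.1.5"}},
    "10.50.0.12": {"type": "patient-monitor", "allowed_peers": {"10.10.1.7"}},
}

# Constructed flow-log sample: "timestamp src dst dport proto".
# Line 3: inbound SSH to the pump from an unexpected host.
# Line 4: the pump initiating a connection to an external address.
# Line 5: traffic to a host in the device VLAN that is not inventoried.
# Line 6: a malformed record that the parser must skip.
SAMPLE_FLOWS = """\
2024-11-22T08:00:01 10.10.1.5 10.50.0.11 443 tcp
2024-11-22T08:00:05 10.50.0.12 10.10.1.7 2575 tcp
2024-11-22T08:01:10 10.20.3.44 10.50.0.11 22 tcp
2024-11-22T08:02:00 10.50.0.11 203.0.113.9 443 tcp
2024-11-22T08:02:30 10.10.1.7 10.50.0.99 80 tcp
2024-11-22T08:03:00 malformed
"""


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


@dataclass
class Alert:
    ts: str
    reason: str
    device: str
    peer: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one flow record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return Flow(ts, src, dst, int(dport), proto.lower())
    except ValueError:
        return None


def in_segment(addr: str) -> bool:
    return ipaddress.ip_address(addr) in DEVICE_SEGMENT


def check_flow(flow: Flow) -> Optional[Alert]:
    """Return an Alert if the flow violates the segment's expected traffic."""
    # Try each end of the flow as the candidate device.
    for device, peer in ((flow.src, flow.dst), (flow.dst, flow.src)):
        if not in_segment(device):
            continue
        entry = INVENTORY.get(device)
        if entry is None:
            return Alert(flow.ts, "uninventoried host in device segment",
                         device, peer, flow.dport)
        if in_segment(peer):
            continue  # device-to-device traffic is judged from the other end
        if peer not in entry["allowed_peers"]:
            direction = "inbound to" if device == flow.dst else "outbound from"
            return Alert(flow.ts,
                         f"non-allowlisted peer {direction} {entry['type']}",
                         device, peer, flow.dport)
    return None


def detect(log_text: str) -> List[Alert]:
    """Run the rule over a block of flow-log text and return the alerts."""
    alerts = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        alert = check_flow(flow)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS):
        print(f"{a.ts} {a.reason}: device={a.device} peer={a.peer} port={a.dport}")
```

Run against the sample, the rule raises three alerts: the SSH attempt to the pump from 10.20.3.44, the pump's outbound connection to 203.0.113.9, and the traffic to the uninventoried 10.50.0.99. In practice the inventory would be generated from the CMDB rather than hard-coded, and the alerts would be forwarded to the SIEM; the point is that an allowlist per device gives a usable detection signal even for legacy devices that cannot be scanned or patched.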
-- Organizational leadership.
Four of the nine interviewees said their organizations have risk management policies and procedures specific to medical device security. Five said they participated in industry consortia to develop security standards.
-- Risk framework.
Six device security leaders said they had a framework to provide guidance on their organizations risk management goals.
-- Identification and evaluation.
Four respondents said their organizations had a framework to identify emerging risks related to medical devices. But a critical component of that process, inventory management, was a work in progress for some organizations.
-- Data flow.
Six interviewees said their hospital systems identify and document how protected health information (PHI) is stored, processed and transmitted by networked medical devices. This is a key area for providers because the HIPAA regulations require that PHI be kept private and secure.
-- Vulnerability management.
Besides the possibility of quarantining devices, five interviewees said they put physical safeguards in place to reduce the risk of theft or damage to networked medical devices.
-- Vendor agreements.
The healthcare organizations were starting to consider how to integrate security requirements into device purchasing agreements. However, the interviewees agreed that incorporating ongoing security support and maintenance into vendor agreements "is not widely done or is an area where [they] have experienced roadblocks."
-- Manufacturer engagement.
Five respondents said their organization effectively engages with manufacturers on medical device cybersecurity. Seven interviewees said the device makers need to improve cybersecurity and privacy support and maintenance for networked medical devices.
To date, there have been no documented instances of intentional attacks on medical devices, the report noted. However, healthcare providers are not required to report security incidents to the FDA's MedWatch or MedSun programs or to the device manufacturers unless a death or serious injury has occurred. Jones noted that these kinds of adverse incidents might therefore be under-reported.
