Patching connected medical devices
… not your Father’s IT problem
If you are involved in technology, you know the drill: Microsoft Patch Tuesday, or Cybersecurity and Infrastructure Security Agency (CISA) releases an urgent advisory, or an Information Sharing and Analysis Center (ISAC) issues a bulletin of an urgent cybersecurity advisory to its membership.
Yet, with many, especially complex vulnerabilities like Urgent/11 or SweynTooth, you don’t get enough information on the risk and which devices are affected and how – your staff is being sent on a wild goose chase, again.
In most high-performing health delivery organizations (HDOs), these alerts trigger change management processes and organization-wide actions to identify and patch various networked endpoints and servers to minimize network exposure and data risks from this latest vulnerability.
As vulnerabilities and threats are rapidly accelerating, so are the organization’s exposure and risks. With little influence to change these dynamics, the challenges are what tools and processes are in place to identify and prioritize where to focus limited resources to mitigate vulnerabilities, with patching when possible, or other mitigating control measures.
For those that operate in the Health Technology Management (HTM), Clinical Engineering (CE), or healthcare information technology fields, the realities of responding to newly discovered vulnerabilities and deploying patches are a different reality on connected medical devices and clinical support systems. These instances most often need to be managed on a completely different timeline.
Not to mention that added risks of patient safety and clinical operations if care cannot be delivered because of equipment downtime!
The complexities of connected devices, regulatory constraints, and alignment with clinical priorities does not always permit the rapid deployment of cyber-related patches; despite the FDA postmarket guidance conveying some flexibility to meeting the threats. While some suggest this guidance from the FDA permits patching, the medical device manufacturer (MDM) ultimately remains responsible “…about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity”. The manufacturer is still required to conduct a risk assessment for any changes to their product and installed software to ensure the intended use of the device, and that any software changes do not alter the intended use and operation of the device. This is where the response and delay are often the reality facing HTMs and CEs.
Where does that leave the HDO when it comes to patching their medical devices?
The HDO faces a risk tradeoff, this tradeoff is recognized by the FDA.
HDOs may consider the risk of not-patching is higher than the risk of patching; in this scenario the HDO then accepts not just the risk of patching, but also the risk of unintended consequences relating to the software patch and the device(s) in use. This is not a stance most HDOs are comfortable taking, if they even have the capability or program maturity to lead to such a decision. Beyond the device as an end point, the FDA postmarket guidance makes it clear that HDOs “should evaluate their network security and protect their hospital systems.” … the individual HDO has clear responsibility to maintain the secure baseline of the connected devices they purchase and put on their network.
This is the reality, and an area where emerging technology, such as security and life-cycle management platforms can provide the greatest opportunity and support for an organization’s risk management and/or information technology programs.
Together, the HDO and MDM are “responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance”.
Clearly, it takes a partnership due to the number of devices and the number of MDMs that may be represented in each HDO. This partnership must span many stakeholders and often many organization. A report from TrendMicro in 2016 suggested that connected devices in a hospital could be around 80,000 devices, “As hospitals and other health care facilities adopt new technology, add new devices, and embrace new partnerships, patients get better and more efficient services – but the digital attack surface expands as well”. Four years later, it is certain this attack surface has expanded.
A partnership to ensure an effective, robust, risk-based approach to connected medical device risk management program should include a vendor-partner that can provide an agent-less deep-packet inspection platform which can differentiate medical devices endpoints and their associated risks.
It takes a partnership...
Understanding the Differentiation of Risks
In summary, Asimily INSIGHT can provide our clients with the differentiation of innovative exploit vector analysis combined with a comprehensive risk scoring mechanism, factoring in critical measures of risk and leading to a prioritized risk depiction.
This best-in-class risk scoring capability provides a prioritization path for the healthcare system to develop a risk-based approach with clear direction to remediate or mitigate the organization’s medical and connected device risks.
Understanding the differentiation of risks across an HDO based on the ANSI/AAMI/IEC 80001, Application of risk management for IT Networks incorporating medical devices, requires an awareness of the unique space and an understanding of the individual endpoints in the environment. Not all risks are created equal and a partner that can differentiate where the main risks and priorities are can provide a great opportunity to start, and align, a connected medical device security program with the IT program. In summary, for HDOs to be successful with the complexities of connected devices, a risk management program requires prioritization and mitigation options specific to medical and connected devices and collaboration and partnership.
Asimily and the Asimily INSIGHT platform provides both.
Utilizing risk methodologies developed specifically for medical and connected devices, Asimily research and machine learning algorithms combined with deep-packet inspection, enables the Asimily INSIGHT platform to differentiate risk across the ANSI/AAMI/IEC 80001 risk management framework:
Often, the identified vulnerabilities can include a mitigation recommendation so identified risks can be mitigated with other technical or administrative controls when patching is not possible. This permits a tactical approach to the organization’s connected medical device risk management program. With this capability and approach the organization can focus their limited resources (time, money, people) on risks with direct impact on patient safety. Not all vulnerabilities are equal…focus on serious risks first.
In the dynamic space of exponentially escalating cyber-threats it is essential for an organization to determine the real risks to focus their resources and efforts, and to understand how to mitigate risks when no manufacturer certified patch exists, or network segmentation and device quarantining techniques, are not easily applied.
These capabilities are essential for the healthcare system to reduce risk, prioritize resources, and ensure patient safety and quality patient care.