Securing legacy medical devices is daunting – but not optional

Skipping out on comprehensive device documentation and risk assessment will cripple an organization's cybersecurity program, experts say.
By Dave Muoio
Share
Doctor using a medical imaging device.

Between high-profile hacks and hospitals’ growing dependency on connected medical devices, cybersecurity is as relevant to healthcare as it’s ever been. And while providers and device manufacturers are rightfully making protection a priority for newly developed or purchased medical devices, older legacy devices pose the greatest security risk to healthcare organizations.

"There are any number of reasons why these devices have become connected and over the years and, for the most, part the risks associated with using the devices have been transferred to the organization using them,” Heather Roszkowski, network chief information security officer at The University Of Vermont Health Network, said during last year’s HIMSS Media Healthcare Security Forum.

“There are a lot of ways we’re being forced to mitigate the risks associated with these devices, until some better security tools can be put in place on them, if that’s even possible,” she continued. “I appreciate the fact that the new devices have more security, but I still think there’s a cultural change that needs to happen."

"Effective cyber risk management starts with awareness and a concise risk assessment of each medical device identified that enables IT security professionals to prioritize threats,"

Amir Magner, CEO at CyberMDX

A year later, Roszkowski’s cultural change may already be in motion.

In April, a House committee looking to avoid a repeat of the now-infamous WannaCry attack called on industry leaders to share their insights regarding outdated medical devices and their vulnerabilities. The FDA has also made device cybersecurity a priority, and earlier this month co-released a playbook for how health delivery organizations can develop and enact a response to major security breaches.

But despite the calls to action, implementing a cohesive strategy to secure legacy medical devices remains a daunting task for health organizations large and small.

Start at the beginning
When creating a medical device cybersecurity program, organizations should start by identifying connected medical devices and critical assets, Amir Magner, CEO at CyberMDX, told MobiHealthNews.

“It’s best to approach [legacy device protection] with gradual progression of medical device cybersecurity posture, from building the assets inventory up to preventing cyberattacks,” Magner said.

“Each hospital and clinical network needs visibility and must have the capabilities to create an inventory map of devices, built on continuous discovery and in-depth visibility of all of the medical devices across the entire hospital network,” he added.

Documenting each relevant device may sound like an obvious first step, but it’s one that can take medium-to-large organizations a substantial amount of time to do properly, explained Vince Campitelli, the former VP of IT Risk Management for McKesson’s pharmaceuticals division who now serves on Cloud Security Alliance’s Health Information Working Group.

In his experience, however, this first step is all too often skipped over by groups looking to quickly close the gaps.

“I could replace the word ‘medical device’ with a thousand things — it could be computer routers, it could be computer firewalls, it could be computer networks, it could be companies and how they protect their technology,” Campitelli said. “At the end of the day … these large organizations try to solve a problem and they don’t even know what the problem is.”

“I could ask organizations, ‘Well you say you want to protect your computers. How many computers do you have?’ And they don’t know. ‘Well, what kind of computers are you using?’ They don’t know,” he continued. “Without a good inventory, and without a good descriptive system and definition of what you really have, how can you say you’re going to fix the problem?”

Prioritize threats, consider consequences

Importantly, documenting your medical devices allows your security team to begin assessing the risk of attack for each and the consequences should those attacks succeed.

“It’s important to establish an operational and technical framework for risk assessment,” Magner said. “Effective cyber risk management starts with awareness and a concise risk assessment of each medical device identified that enables IT security professionals to prioritize threats.”

"Without a good inventory, and without a good descriptive system and definition of what you really have, how can you say you’re going to fix the problem?"

Vince Campitelli former VP of IT Risk Management for McKesson’s pharmaceuticals division who now serves on Cloud Security Alliance’s Health Information Working Group.

:Now that all medical devices and critical assets have been identified, classified and risk analyzed, security professionals need to build a base-line to first understand what ‘normal’ traffic looks like versus malicious traffic,” he added. “This allows for the detection of anomalies and malicious activities over authorized traffic.”

For Campitelli, this process also involves a hard look at the devices from a number of different perspectives: micro, macro, software, hardware, cost, patient outcomes and so on.

“To start simple, maybe I lose a device, and if I lose it, what’s my backup plan?,” Campitelli said. “How do I make it easy for the patient if I have to replace the device … And can the patient live without the device for a day, a week, a month?”

“Then you get into the contracts and the terms and conditions of when you got the device, and that’s what the manufacturer says about vulnerabilities and defects. Did you buy it where there’s no guarantees, explicit or implied, that it’s defect-free and vulnerability-free, so that the owner is on their own with replacing it?” he added. “The devil’s always in the details when you’re starting to do this.”

Plugging holes

Medical device cybersecurity should always be proactive and preventive, because “if you’re only reacting to attacks, it’s already too late,” Magner said.

But at the end of the day, broad preparations and internal crisis planning will likely never be comprehensive due to issues of cost, time and the sheer number of potential vulnerabilities, Campitelli said.

At that point, he said it’s best to be realistic.

“If you want to start looking at legacy stuff, I’ve seen a lot of companies spend a lot of money at it’s like a never ending problem, because once they start turning rocks over there’s ten more rocks,” Campitelli said. “They never had an inventory system, they never wrote down the nature of the device.”

“So don’t try to solve a problem that’s going to be too big to solve, especially if the more simplistic thing is the more approachable, pragmatic and acceptable thing,” he added. “For instance, making people aware of the fact that you should be concerned about your medical devices you are potentially depending on and could go awry.”

Focus on Cybersecurity

In October, we take a deep dive into security strategy and pressing threats.