Compliance and security professionals are regularly challenged with unique security situations. However, the harder the challenge, the more rewarding it is for those who successfully solve the problem—part of what makes the profession so fulfilling. The difference between success and failure depends on individual skills and experience to deconstruct a complex security environment into individual elements that can be mitigated with a standard set of security controls.
Perhaps one of the more complex security issues for security and compliance professionals is protecting biomedical devices. There are several factors that make securing biomedical devices so difficult, including their close interaction with patients, lack of individual accountability, fragmented regulatory oversight and very long operational life-cycles.
Healthcare organizations keep biomedical devices in service longer than any other endpoints, sometimes for 15 years or longer. Using devices this old means that CISOs need to secure legacy operating systems, including Windows 95, 98, or XP. To complicate the issue, device manufacturers are reluctant to disclose the software bill of materials, so the security team might not even know what operating system it needs to protect, or the inherent vulnerabilities in each device. To further complicate matters, patch management and the application of third-party security controls, such as anti-virus, may not be possible for the majority of biomedical devices. Security teams are also hampered because biomedical devices cannot be scanned like traditional IT systems. Some devices can only be powered on (booted) while they are connected to a patient, and active vulnerability scans present a real risk of causing a device to malfunction and harm the patient.
Configuration management also presents challenges, as the biomedical department may not be integrated with IT management. There are few tools that can detect patch levels and no tools that will automatically deploy updates, because of patient safety issues.
From a physical security perspective, biomedical devices are generally issued to departments or facilities, rather than individuals. They are also highly mobile and treated like commodities. Unlike traditional IT assets, which will generate a lost or missing report within hours, lost biomedical equipment may not be reported for months or even a year.
Quickly Assess the Health of a Biomedical Security and Compliance Program
Healthcare executives need a quick way to evaluate the effectiveness of their biomedical device security and compliance program. Fortunately, some of the highest risk areas can be identified with four simple questions:
- What are the last 25 biomedical devices that have been added to the “Could Not Locate (CNL)” list?
- Which of those devices on the CNL list store Protected Health Information, or PHI?
- Of the missing devices with PHI, how many have been reported to the Office for Civil Rights (OCR) as a breach of PHI?
- For all remaining devices, what percentage have technical vulnerabilities that cannot be remediated?
These four questions will provide insight into four common high-risk areas for biomedical devices. The first question will determine the effectiveness of the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) asset management control ID.AM-1. If an organization is not actively tracking missing devices, it has failed in asset management.
The second question addresses risk assessment control ID.RA-4. If an organization can’t identify which devices have the highest business impact to the organization, then it has not performed a complete risk assessment.
The third question will determine if the governance control ID.GV-3 is effective. Organizations that do not report breaches of ePHI are at risk of fines and loss of patient confidence.
Finally, question four will determine if the information protection processes and procedures control PR.IP-1 is effective. Due to the nature of biomedical devices, there will always be devices that have legacy operating systems, cannot be patched, don’t have anti-virus software, or otherwise cannot have all their technical vulnerabilities remediated. The CISO should track these devices and grant waivers that are periodically reviewed. Strong configuration control procedures facilitate timely preventative maintenance and compliance with product recalls.
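The four questions only work as metrics if the device inventory records the fields needed to answer them. The following is an added example, not part of the original article, that computes all four answers from a small constructed inventory; the record layout, field names and sample devices are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Device:
    asset_id: str
    cnl_date: Optional[date]   # date added to the Could Not Locate list; None if accounted for
    stores_phi: bool           # device retains Protected Health Information
    reported_to_ocr: bool      # loss reported to the Office for Civil Rights as a PHI breach
    unremediated_vulns: bool   # known technical vulnerabilities that cannot be fixed (waiver needed)

# Constructed sample inventory; asset ids and dates are made up for this example.
INVENTORY: List[Device] = [
    Device("INF-001", date(2023, 11, 2), False, False, True),
    Device("MON-017", date(2024, 1, 15), True, True, False),
    Device("PUMP-042", date(2024, 3, 9), True, False, False),
    Device("US-003", None, True, False, True),
    Device("XR-008", None, False, False, False),
    Device("VENT-011", None, True, False, False),
]

def recent_cnl(devices: List[Device], n: int = 25) -> List[Device]:
    """Q1 (ID.AM-1): the last n devices added to the CNL list, newest first."""
    lost = [d for d in devices if d.cnl_date is not None]
    return sorted(lost, key=lambda d: d.cnl_date, reverse=True)[:n]

def cnl_with_phi(devices: List[Device], n: int = 25) -> List[Device]:
    """Q2 (ID.RA-4): which of those missing devices store PHI."""
    return [d for d in recent_cnl(devices, n) if d.stores_phi]

def unreported_phi_losses(devices: List[Device], n: int = 25) -> List[Device]:
    """Q3 (ID.GV-3): missing PHI devices with no OCR breach report on file."""
    return [d for d in cnl_with_phi(devices, n) if not d.reported_to_ocr]

def pct_unremediated(devices: List[Device]) -> float:
    """Q4 (PR.IP-1): share of remaining (located) devices with unfixable vulnerabilities."""
    remaining = [d for d in devices if d.cnl_date is None]
    if not remaining:
        return 0.0
    return 100.0 * sum(d.unremediated_vulns for d in remaining) / len(remaining)

def assess(devices: List[Device], n: int = 25) -> dict:
    """Answer all four questions at once for an executive summary."""
    return {
        "q1_recent_cnl": [d.asset_id for d in recent_cnl(devices, n)],
        "q2_cnl_with_phi": [d.asset_id for d in cnl_with_phi(devices, n)],
        "q3_unreported_phi_losses": [d.asset_id for d in unreported_phi_losses(devices, n)],
        "q4_pct_unremediated": round(pct_unremediated(devices), 1),
    }
```

Any device that appears under q3, or a q4 figure with no matching waiver list, is the kind of finding the text describes as a failed control.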
Medical device security challenges can be overcome
Managing the security and compliance of biomedical devices can appear to be very challenging. The challenge becomes manageable when the appropriate control points are measured and the resulting metrics are routinely reviewed. In the example above, four simple questions are enough to quickly identify a well-tuned biomedical device security and compliance program or, if they cannot be answered, to give healthcare executives another incentive to pay closer attention to the issues.