Though device manufacturers have worked to improve the cybersecurity of their medical devices, there is still a long way to go. Improvements aside, there are distinct steps the IT information security department can take to reduce risk and improve cybersecurity for medical devices.
Some notable improvements in cybersecurity for medical devices in recent years include:
1. US Food & Drug Administration (FDA) guidance to manufacturers that operating system updates, especially to patch vulnerabilities, do not require the manufacturer to go back through the entire FDA approval process.
In the past, medical device manufacturers often claimed that they could not update or patch the operating system due to FDA requirements. Some vendors legitimately believed this, while others may have used it as a convenient excuse to avoid the hard work of updating and testing medical device operating systems.
2. Medical device manufacturers have become better able to allow anti-virus (AV) software to run on medical devices or systems.
Many medical device systems previously could not run anti-virus software for a variety of reasons. Often, the AV software misinterpreted the actions of the medical device software and would sometimes interrupt the operation of the device. In some cases, this could cause serious patient harm. Device manufacturers have been working to ensure their systems could run with anti-virus software without impacting the functionality of the device.
3. Newer medical devices use modern operating systems and some support virtualization of certain functions.
Using modern operating systems (i.e., still supported by manufacturers such as Microsoft) ensures these systems can be updated and patched, especially for updates that address new and emerging operating system vulnerabilities. In addition, being able to transition to virtual the server functions for many medical devices allows the systems to be managed using modern tools and techniques. These reduce cybersecurity risks.
While these developments are excellent, they do not address the millions of existing devices in healthcare environments today that were deployed prior to these changes being made. In every hospital and clinic today, there are thousands of devices running older operating systems that cannot be patched and that cannot be run with an anti-virus or anti-malware solution. Information security professionals need to address these devices using tried-and-true methods.
1. Segment medical devices on VLANs.
By putting all medical devices on restricted VLANs, you can ensure that only devices you specifically provide access are able to communicate across the network. While this does not protect the network from malicious control of those medical devices, it restricts the exposure of those devices.
2. Implement firewalls to secure systems that cannot be protected with other methods.
Firewalling off those devices is another important aspect of securing medical devices. When operating systems cannot be updated or patched, putting them behind firewalls with very restricted and defined access can reduce risk significantly.
3. Educate your IT staff about the importance of managing these devices (network and server) securely.
Often IT staff are responsible for managing and maintaining all servers, including those for medical devices and systems such as patient monitoring, OR systems, or Cath Lab systems. Modern systems often support virtualization so updating and maintaining these systems often falls to the IT staff. It’s critical that these staff understand the unique cybersecurity risks of these systems and are able to identify potential malicious activity quickly. Additionally, these staff need to clearly understand the operational impact of server maintenance on clinical operations to prevent potential patient harm (i.e., don’t take the OR server down while cases are underway).
4. Educate your biomedical and diagnostic imaging staff about cybersecurity, especially as it pertains to medical devices.
Your biomedical equipment technician (BMET) and diagnostic imaging staff need to be educated both on basic cybersecurity and the specific vulnerabilities of the systems they support. They don’t need to become cybersecurity experts, but they need to understand the work they do and how it impacts (and is impacted by) cybersecurity. For example, they need to understand how to securely connect devices to the network or update anti-virus software (if permissible), or to restrict access to administrator accounts on these systems. Working with your IT cybersecurity staff is a great way to cross-train both teams on this critical knowledge.
5. Educate your end users on the basics of cybersecurity and teach them potential warning signs to look for on their medical devices.
Your end users of medical devices are typically nurses and patient care techs and specialty techs (such as radiology technicians). These are the people who work with these medical devices daily, and they should be aware of basic cybersecurity risks of the equipment as well as best practices in handling these devices. Perhaps most importantly, they should understand what potential malicious behavior would look like on those devices and have a fast, easy method for reporting potential issues so that cybersecurity experts can examine and contain any potential malicious activity.
Malware on medical devices can create patient harm, including death. It can also infect the wider network and potentially take down critical systems like the Electronic Medical Record (EMR) software or business systems such as payroll or HR. Working to expand your cybersecurity team to include BMET, DI and end user staff will help reduce medical device cyber risk.