The healthcare industry is a prime target for hackers and connected devices are the weakest link in the healthcare cybersecurity chain. With the Coronavirus pandemic raging full-force, hospitals everywhere need to procure more essential equipment, like ventilators and respirators. This means more vulnerable devices are being added to the clinical network every day, making managing device security even tougher.
To help shed some light on the process and help adapt to unforeseeable changes, Cynerio partnered with the Biomed/CE publication, TechNation, and led a webinar on the essential ins and outs of managing the medical device security lifecycle. Here’s a quick peek at the highlights.
With an eye on device security, syncing your IT and biomed teams is key. Together, take a close look at your current and future needs, then ask the following questions:
When you’re deciding which device to purchase, which model, and from which vendor, take a look at the device’s MDS2 form to learn about the device’s vulnerabilities and default security configurations.
Measure this information against your own organization’s security policies to understand if the device’s default configurations comply with your organization’s security policies. If they don’t or can’t be configured to comply, what kinds of compensating controls will you need to implement and what would the costs of that be?
Good maintenance starts with device discovery. In today’s Coronavirus crisis, hospitals are overwhelmed with patients at the same time they’re suffering from staff and equipment shortages. Devices are bound to get lost while some older and unaccounted for devices might be used to treat patients. Some devices might not have received security patches or software updates for years, and every unpatched device equals a security risk.
This brings us to maintenance scheduling and patch management. Patching and updating devices needs to be scheduled so that a device that’s critical to patient care isn’t taken offline unexpectedly, potentially harming patients and disrupting clinical workflow.
Next up in maintenance is policy validation. Is the device complying with your hospital’s security policy? Who can log into the device, connect, and send information? Does that information include PHI?
Keeping track of all these factors is a pretty gargantuan task, but segmentation can help keep things organized while helping to manage risk and decrease the clinical network’s attack surface. Segmenting devices from other parts of the network adds a crucial layer of security to the clinical network. It also helps expedite other maintenance procedures, including patching and scheduling, and can go a long way in easing the stress of emergency redistribution projects.
Disconnecting devices from the clinical network can be just as risky as connecting them.
In health care, patients come before everything else. Many devices are critical to clinical workflow and patient care, even though they may be outdated, unpatchable, and leaking sensitive PHI. Before disconnecting a device, it’s critical to understand its connectivity: what other devices it is connected to and how? Will severing its connection disrupt the operations of other devices that may rely on it, potentially harming patients?
Once you’ve answered each of these questions, you’ll be ready to disconnect and dispose of the device safely and restart the whole process again.
Dive deeper into medical device security lifecycle management with our handy Switchlist, a checklist designed to help healthcare professionals like you through the process.
Cynerio is the world's premier medical-first IoT cybersecurity solution. We view cybersecurity as a standard part of patient care and provide healthcare delivery organizations with the insight and tools they need to secure clinical ecosystems and achieve long-term, scalable threat remediation without disrupting operations or the delivery of care.