NIH experts care for a patient in Interventional Radiology. "Interventional Radiology" by NIHClinicalCenter is licensed under CC BY 2.0

The Cloud Security Alliance (CSA) IoT Working Group today released a new medical device incident response playbook designed to support healthcare delivery organizations mitigate a range of risks posed by malware and other cybersecurity threats.

The working group is tasked with assessing use cases for IoT deployments and providing guidance to secure the enterprise IoT infrastructure, including best practice implementations and identifying security gaps.

The new guidance is targeted toward those healthcare leaders tasked with medical device security, including IT directors, administrators, biomedical engineering, and other relevant cybersecurity leaders. The guide may also prove useful for manufacturers and service providers.

The playbook was motivated by the global 2017 WannaCry attack, which “demonstrated the susceptibility of medical devices to malware” when hospital radiology equipment drives were encrypted during the attack. The cyberattack demonstrated “one of the most significant issues when dealing with medical device cybersecurity; availability.”

While these incidents can lead to data breaches, the primary concern should always be the availability of medical devices in the clinical care setting amid security incidents to avoid care delays and other patient safety risks.

Several healthcare security leaders previously noted that the complexity of the device ecosystem and the reliance on legacy software make medical device security one of the biggest challenges providers face.

“The device is part of an ecosystem that, when it’s weak, breaks the entire ecosystem,” Erik Decker, Intermountain Healthcare assistant vice president and chief information security officer, previously explained.

“Suddenly we're not able to care for our patients. Because that one device that’s over here in a corner was deemed as a controlled risk, but was used as a beachhead and blew through everything,” he added. “We’re not having the risk conversation at the ecosystem level.”

The new playbook is designed to tackle these difficulties and sheds light on a host of device security and visibility challenges, based on a NIST perspective and centered around clinical considerations like the overwhelming patient safety risks.

The guide centers around use cases with clinical context for responding to incidents on various devices, including imaging platforms, implanted devices, and networked infusion pumps.

Security leaders will find needed preparation steps, keeping in mind that “specific minimum capabilities are needed in order to be able to effectively conduct incident response. … This preparation phase includes a focus on clinical impacts associated with device compromise or lack of availability.”

The guide includes needed visibility measures and inventory requirements, which is the most important information source for incident response measures. The inventory insights include searching for similar devices together, data fields to inform searches, and classification considerations.

CSA also included taxonomy for classifying devices according to the potential risk to patients, descriptions, and example device types, as well as insights on data classification, building a data repository, and recommended tools.

All in all, the guidance should “be viewed as a starting point for medical device incident response and not a prescriptive end goal.”

“Having access to data flow diagrams also provides the IR team with a powerful tool for tracing potential lateral movement in the case that a medical device or associated system has been compromised,” according to the guidance. “Increased connectivity opens new attack vectors that can be exploited through weaknesses in medical devices themselves.” 

“Delivery organizations need an incident response strategy tailored to medical devices, should a medical device become compromised and impact their mission,” it added. “This playbook should be reviewed and adapted by clinical leadership to ensure it is acceptable from a patient care standpoint.”

The robust playbook is one of the first healthcare cybersecurity guides solely focused on incident response for medical devices. The Healthcare and Public Health Sector Coordinating Council previously released two medical device guides, centering on lifecycle security and joint health IT security plans.