
Medical device security can’t be solved in healthcare: What’s ‘acceptable risk?’

Medical staff prepare to receive a patient for a CT scan at The Royal Blackburn Teaching Hospital in East Lancashire, during the COVID-19 epidemic on May 14, 2020, in Blackburn, England. (Photo by Hannah McKay/Getty Images via Pool)

Healthcare provider organizations face a highly unique challenge: operating patient-connected devices with known vulnerabilities and outdated technology. In any other sector, that kind of risk posture would seem unacceptable. But it’s the reality in healthcare — and a patient safety risk.

During the SCHealth eConference, ChristianaCare Chief Information Security Officer Anahi Santiago and Jason Elrod, MultiCare Health System CISO, explained it takes a multi-pronged approach to reduce the risks posed by the complexity of the medical device security ecosystem — and even then, it’s impossible to completely solve the issue.

“Acceptable risk is always a common conversation with the entire organization. We talk about patient risk, as well as the patient safety involved,” said Elrod. “There's a need for these systems out there, but how do you approach that?”

While securing the medical device ecosystem is extremely important, in many ways the healthcare security team has its hands tied: the toolsets used today for digitally native devices weren’t invented or available at the time these outdated devices were architected and designed, Elrod explained.

“Healthcare technology systems were never built with the intention of having a security component in mind as a primary driving mechanism for the deployment,” said Elrod. Medical IoT was just IT before, without the need to contemplate how it will be secured, whether it should be segmented, or how to implement identity assurance for the individuals accessing the systems.

For example, CT machines or MRIs have very specific clinical use cases. The devices are large and very expensive, but the technology used in the systems may still have Windows XP embedded, or other software beyond its technical lifecycle support.

But the $50 million to $60 million systems still have another 10 years to 15 years of operational life in the clinical environment. Elrod noted that “in a lot of ways that personifies what we're dealing with in healthcare.”

The risks have dramatically amplified in recent years, and security considerations that were left off the table must now be prioritized. Medical devices are “connected to people, individuals, and if it doesn't operate correctly, or it's compromised or it's unavailable, or goes wonky, you can have a very real world kinetic impact to a patient and overall safety,” he added.

Addressing risk with your "hands tied"

As a CISO, it’s not necessarily Elrod’s job as an individual contributor to define the acceptable risk, but to make that decision for the organization. There are systems in place to discover many of these challenges, including finding devices on the network, how they communicate, vulnerabilities, and the other risks posed by the devices.

In the past, the health system struggled with how to discover these elements and which devices were operating on the network, and security was an added feature rather than a starting point. At MultiCare, they’ve added a discovery mechanism that identifies and classifies each device, which in turn allows the appropriate security controls to be applied to it.

Most importantly, device security is an organizational priority.

“You hear a lot about zero trust networking architecture, but it’s really about shrinking the perimeter down as close as possible around the system so that it still functions 100%, but no one else can access it,” said Elrod. “It’s now segregated, segmented on our network appropriately so it can perform functionally, and we can wrap a more modern security perimeter around it.”

“Because we can't necessarily go into that system,” he added. “If a device is FDA certified, which it has to be in order for it to interact with the patient, oftentimes, it's certified for a very specific configuration, [a certain] operating system and these parameters.” 

Any adjustment, patch or solid security control will now shift the device outside of its accepted and approved federal condition for use when connected to patients, he further explained. Securing these devices becomes quite a conundrum, putting CISOs in a bind.

There has been change in the federal regulations to address that, such as allowing patching to close security holes. Elrod added that this allows for more options in the security tool chest to deal with device security, but challenges remain with identification and classification, and then with getting controls as close as possible to the vulnerable systems themselves.

To Santiago, an added challenge is the vendor element: “where vendors don’t need the link time to test before applying those patches to make sure they’re not going to break anything.” And if you apply the patch outside of the agreed-upon third-party testing cycle, the vendor won’t support it anymore, which again contributes to the patient safety risk.

“There's this balancing act that we have to constantly take with these medical devices to ensure that we're applying as sound of a security posture to them as possible, while still acknowledging that we're going to accept some risk in certain areas, because there's just no way to get around it,” said Santiago. “It's a continuous evolution.”

Getting stakeholders on board

In the end, medical device security is about risk prioritization that begins with engaged dialogue with both business and clinical leaders. Santiago engages with clinical and business stakeholders around risk management and “the value of cybersecurity versus the value of clinical care delivery.”

The goal is to help fellow leadership to understand these burdens and their role in helping security teams and the entire organization manage the challenges through a “risk-reward conversation.”

“Obviously, there needs to be a balance between being able to deliver high quality care and being able to protect those devices and manage what truly is a patient safety issue,” she explained.

In the context of cybersecurity, everyone in the organization works for the security team, said Elrod. The CISO should “internally crowdsource security” to enable the workforce through adequate training and by trusting them to make the right decisions.

Calling it the “internal threat intelligence team,” Elrod explained that by using a service or help desk to mediate calls around problems seen in the organization, such as tech acting wonky, the security team can be better informed of possible incidents while empowering the workforce to make better decisions.

“You end up having this parallel processing capability in the organization, and it doesn't matter how big you are: Everybody's got to serve,” Elrod said. “Then you can have, internally, a very focused threat intelligence team that never considered themselves a threat intelligence team until you point it out. 

“And that's available to everybody,” he added.

Successful medical device security processes are accomplished “through risk management, contract management, and working with our vendors to hold them accountable for ensuring that they're baking in security into the products that they're delivering, and then, where necessary and appropriate, implementing compensating controls,” explained Santiago.

The formula “can help us to manage the risk of devices with outdated operating systems that perhaps don't need to be talking to the internet.” There are now solutions that provide “better visibility into what the software components are for the devices, what they’re talking to, versus what they should be talking to, and protocols, etc, which was really hard in the past.”
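The discovery, classification and segmentation ideas above (identify the device, decide what it should be talking to, and wrap a tight allowlist perimeter around it because the device itself cannot be patched) can be expressed as a small inventory check. The following is an added example written for this page, not code from the article, from ChristianaCare or from MultiCare; the devices, addresses, policy table and flow records are constructed, and `Windows 7` on the unsupported-OS list is an assumption alongside the Windows XP the article mentions.

```python
"""Inventory-driven allowlist check for legacy medical devices.

Constructed example: the inventory, policy and flow records below are invented
to illustrate comparing what a device talks to against what it should talk to.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Device:
    ip: str
    hostname: str
    os: str
    device_class: str  # classification from the discovery step, e.g. "imaging"
    fda_locked: bool   # approved configuration cannot be patched in place


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed inventory (hypothetical hosts and addresses)
INVENTORY = [
    Device("10.10.20.11", "ct-scanner-01", "Windows XP", "imaging", True),
    Device("10.10.20.12", "mri-02", "Windows 7", "imaging", True),
    Device("10.10.30.5", "infusion-pump-17", "Embedded Linux", "infusion", True),
    Device("10.10.40.8", "rad-workstation-03", "Windows 10", "workstation", False),
]

# Operating systems past vendor support (assumption made for this example)
UNSUPPORTED_OS = {"Windows XP", "Windows 7"}

# Expected destinations per device class: (destination network, TCP port).
# Imaging devices send studies to the PACS subnet over DICOM; pumps reach a
# drug-library server over HTTPS. Anything else is treated as a violation.
POLICY = {
    "imaging": [("10.10.50.0/24", 104), ("10.10.50.0/24", 11112)],
    "infusion": [("10.10.60.0/24", 443)],
    "workstation": [("10.10.50.0/24", 11112), ("0.0.0.0/0", 443)],
}

# Constructed flow records, as a network collector might export them
OBSERVED_FLOWS = [
    Flow("10.10.20.11", "10.10.50.7", 104),     # CT -> PACS, expected
    Flow("10.10.20.11", "203.0.113.9", 445),    # CT -> external SMB, not expected
    Flow("10.10.30.5", "10.10.60.2", 443),      # pump -> drug library, expected
    Flow("10.10.30.5", "10.10.40.8", 3389),     # pump -> RDP on a workstation, not expected
    Flow("10.10.40.8", "198.51.100.4", 443),    # workstation -> HTTPS, expected
    Flow("10.10.99.1", "10.10.50.7", 104),      # source never discovered/classified
]


def find_device(inventory, ip):
    """Look a source address up in the discovered inventory."""
    return next((d for d in inventory if d.ip == ip), None)


def flow_allowed(device, flow, policy=POLICY):
    """True if the flow matches one of the class's expected (network, port) pairs."""
    addr = ip_address(flow.dst)
    return any(addr in ip_network(net) and flow.dport == port
               for net, port in policy.get(device.device_class, []))


def needs_compensating_controls(device, unsupported=UNSUPPORTED_OS):
    """Devices that cannot be patched (locked configuration or unsupported OS)
    must be protected from outside, i.e. by segmentation rather than host fixes."""
    return device.fda_locked or device.os in unsupported


def find_violations(inventory, flows, policy=POLICY):
    """Return flows outside the allowlist for the source device's class, plus
    flows from sources the discovery step never classified."""
    violations = []
    for flow in flows:
        device = find_device(inventory, flow.src)
        if device is None:
            violations.append({"flow": flow, "device": None,
                               "reason": "unknown source device", "segment_only": False})
        elif not flow_allowed(device, flow, policy):
            violations.append({
                "flow": flow,
                "device": device.hostname,
                "reason": f"{device.device_class} device not expected to reach "
                          f"{flow.dst}:{flow.dport}",
                "segment_only": needs_compensating_controls(device),
            })
    return violations


def segmentation_rules(device, policy=POLICY):
    """Firewall-style allowlist for one device: permit expected flows, deny the
    rest. This is the 'shrink the perimeter around the system' idea as rules."""
    rules = [f"allow {device.ip} -> {net} tcp/{port}"
             for net, port in policy.get(device.device_class, [])]
    rules.append(f"deny {device.ip} -> any")
    return rules


if __name__ == "__main__":
    for violation in find_violations(INVENTORY, OBSERVED_FLOWS):
        print(violation)
    for rule in segmentation_rules(INVENTORY[0]):
        print(rule)
```

The policy is keyed on device class rather than on individual hosts so that the classification step does the heavy lifting: once discovery labels a box as "imaging", it inherits the DICOM-only allowlist, and any flow outside it is surfaced together with whether the device is one that can only be protected by segmentation.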

The final piece is working with federal regulators and information sharing organizations, while working to push the industry to improve and pushing vendors and manufacturers to provide greater transparency and “to be more security focused, as opposed to just thinking about the safety components of device design.”

Resources will always be a challenge in healthcare, particularly for small- to medium-sized provider organizations, which likely see device security as far more burdensome because they don’t have large security teams, explained Santiago.

“But cybersecurity is everyone’s responsibility, not just the security team, so leverage your workforce and your caregivers as an extension of your team,” she continued. “We can all do collective risk management.”

Small organizations should leverage the resources out there, provided by the Department of Health and Human Services, H-ISAC, and the Healthcare Coordinating Council, “as opposed to having to figure it out on their own,” explained Santiago.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
