5 steps to cybersecurity for Internet of Things medical devices
The healthcare industry is plagued with data breaches and other cybersecurity nightmares. At the same time, connected medical devices – components of the so-called Internet of Things – are multiplying, opening more holes in security and creating terrible potential for patient casualties.
Without doubt, unsecured medical devices currently are putting hospitals and patients at risk, according to “Healthcare’s IoT Dilemma: Connected Medical Devices,” a new report from Forrester Research analyst Chris Sherman.
“You have less control over connected medical devices than any other aspect of your technology environment,” the report said. “Many times, vendors control patch and update cycles, and vulnerabilities persist that require segmentation from your network. Considering that many of these devices are in direct contact with patients, this is a major cause for concern.”
Additionally, medical devices are vulnerable to four attack scenarios, the report said. “Threats against medical devices include denial-of-service (DoS), patient data theft, therapy manipulation and asset destruction,” the report said. “Each represents risk to your organization, with DoS currently being the most severe.”
Sign up for the Healthcare IT News Privacy & Security Update newsletter.
To combat the threats posed by Internet of Things connected medical devices, Forrester Research suggested that healthcare organizations apply a risk-based security framework in five steps.
1. Categorize existing devices based on risk.
Once an organization places a device on a network, it becomes part of a connected system. Websites like Shodan (“The search engine for the Internet of Things”) expose thousands of searchable end-points around the world that lack security and/or use default passwords.
“There are five key factors that contribute to the risk rating of any medical device: Potential impact to patient safety; Network connectivity; Data sensitivity; Likelihood of attack; and Vendor security SLA,” the report said. “For starters, use industry risk assessment guidelines, standards and expertise. The Medical Device Innovation, Safety and Security Consortium (MDISS) provides a space for industry leaders to collaborate and exchange ideas; the National Cybersecurity Center of Excellence (NCCoE), established by the National Institute for Standards and Technology (NIST), released its first cybersecurity practice guide last year called ‘Securing Electronic Health Records on Mobile Devices’; and Forrester Research’s Medical Device-Risk Heat Map can help categorize devices based on risk.”
2. Implement a clinical risk management framework.
The International Electrotechnical Commission (IEC), for example, publishes voluntary standards across various technology industries.
“You can use the IEC 80001-1 ‘Application of risk management for IT networks incorporating medical devices — Part 1: Roles, responsibilities and activities’ framework as guidance,” the report suggested. “In a frequently changing technology environment, this framework focuses on how to manage and balance risks associated with safety, effectiveness and data/system security. It will help you determine the risk levels of your medical devices, mitigate and control that risk, and ultimately bring the risk exposure of your hospital network to acceptable levels.”
3. Ensure that your organization follows basic security hygiene.
Forrester Research reported that the vast majority of healthcare breaches in the past few years were due to social engineering and spear-phishing attacks. These problems have known solutions, but these solutions often demand a major cultural change by an organization.
“Your first step toward reducing threats calls for a campaign to raise security awareness and change employee behavior,” the report suggested. “Use frequent, relevant and engaging communication to ensure your workforce doesn’t miss security messages. Another fundamental security control to review and update is your password policy. According to our data, only 57% of healthcare workers who use a computer once a week or more for work reported that their company enforces regular password changes.”
4. Include security requirements in new device requests for proposals and contract language.
Medical device manufacturers generally are not required to include security controls on their devices nor provide guidance to their customers on how to protect devices. But healthcare organizations, as potential customers, have the power to get manufacturers to do so.
“Start asking device manufacturers for better security controls and don’t settle for excuses,” Forrester Research said in the report. “Require that they: 1) Conduct pen testing and/or threat modeling; 2) Have a roadmap to build security logging into software; 3) Bring existing vulnerabilities to your attention; 4) Follow and provide guidance on best practices for protecting the device as outlined by the FDA, MDISS and other relevant authorities; and 5) Present a completed Manufacturer Disclosure Statement for Medical Device Security (MDS2) form.”
5. Apply a zero trust networking architecture.
“Knowing that you can’t maintain an effectively secure perimeter, adopt a zero trust approach for your hospital network, making security ubiquitous throughout, not just at the perimeter,” the report concluded. “Forrester’s ‘Security Architecture and Operations’ playbook explains how to implement zero trust security controls, including segmenting devices based on risk, inspecting network data as it flows between segments, and requiring authentication into the network.”
Forrester added that because healthcare is such a sensitive industry, healthcare organizations dealing with Internet of Things medical devices should not wait for an attack in which someone suffers real physical harm or until government regulations force change.
What’s more, with Internet of Things innovation in the healthcare industry essentially leaving security behind, these best practices are more important now than ever.
“Technological innovation in healthcare promises to improve the quality and speed with which patient care is delivered, and investments in new medical technologies is at an all-time high,” the Forrester report suggested. “However, the unfortunate reality is that security is all too often an afterthought in the design and development of these innovative new technologies. This is especially true for IP-enabled medical devices.”
Cybersecurity Special Report: Ransomware will get worse, hackers targeting whales, medical devices and IoT trigger new vulnerabilities